Top 10 Identity and Access Management Best Practices

The identity and access management process governs user identities and user access to resources within an organization. A Help Desk plays a big role in the identity and access management process. Help Desk agent’s job duties include managing user identities, resetting passwords, and provisioning access to resources.

Identity and Access Management process

Question 1 – Do you have a formally approved identity and access management process?

A mature Help Desk will have a formal identity and access management process. There will be procedures based on security controls to ensure the process is secure. The identity and access management process and procedures followed by the Help Desk must also be auditable. Reviews and audits of identity and access management are prevalent for a mature Help Desk.

Identity and access management process training

Question 2 – Is it mandatory that your company’s employees receive training on the identity and access management process?

Wayne Schlicht author of the Help Desk Management book states, “Security training for all employees is an important factor in a successful identity and access management process.” A knowledgeable employee about security requirements and best practices will be able to report issues to the Help Desk as they encounter them. The Help Desk agent should have training on how to recognize, document, and escalate security-related incidents.

User Identification Validation

Question 3 – Does the Help Desk have a process to validate the caller’s identity before resetting a password?

It is important to ensure the caller’s identity before resetting a password or perform any account maintenance. In the past, establishing user identity was performed by asking the user something they know, such as prearranged challenge questions. Establishing a user’s identity using challenge questions is no longer recommended as the primary method. Attackers have become very skilled at collecting user data, answering challenge questions, and compromising user accounts. Compromised user accounts are one of the primary culprits in some major data breaches.

Today and beyond, user identity should be established using multi-factors. These should be based on something they have (token, phone code, or security app) or something they are, such as a fingerprint or face scan. The most critical part is to ensure a process to validate the caller’s identity is in place, approved, and used.

Self-Service Password Management

Question 4 – Do your customers have the ability to reset their password using a self-service tool?

One of the highest call volume and cost drivers is password-related calls. Users forget their passwords over weekends, especially holiday weeks. To compound the problem, Information Security is enforcing complex password requirements. Many companies do not allow repeat passwords and require special characters. Customers manage their passwords with self-service password reset tools. Self-service password reset tools will give customers the ability to unlock, reset, and change passwords without calling the Help Desk.

Onboarding Process

Question 5 – Do you have an automated onboarding process to set up permissions for new employees?

Onboarding new users is a process that occurs repeatedly. Many Help Desks expend a lot of energy trying to set up accounts ad hoc. Having an automated onboarding process can make the process smooth and manageable. An automated onboarding process is usually driven by a workflow engine in the ticketing application or part of a security account management application. The hiring manager normally kicks off the process by completing a request form for their new hire. Selections are made in the form of the access the new user will need. Once submitted, the workflow engine will create tasks in the ticketing application for work teams.

Separate administrative account

Question 6 – Do your Help Desk agents have a separate administrative account to use when elevated permissions are required?

Help Desk personnel usually have elevated permission to reset passwords, install software, and navigate data repositories. Administrative accounts with elevated permissions need to be secure and controlled. A security best practice is to ensure the Help Desk personnel only have the appropriate amount of elevated permissions necessary to do their job and only use them when necessary. To enforce security controls, many companies give Help Desk agents two accounts. The first account is their day-to-day account, where they can do most of their activities that do not require an elevated level of permissions. When they do need elevated permissions, they use a secondary account that has administrator rights. Typical uses of these elevated permission accounts are used when they need to work with passwords, installs, etc. Another option many companies are now using in security applications is an enterprise password management system. These systems allow the changing of passwords enterprise-wide when people change roles or leave the company. It manages temporary passwords for vendors and contractors to allow their passwords to change when needed automatically. Auditing account use is a beneficial option to know who used an account and when.

Role-based access control

Question 7 – Does your company has defined role-based access control permitting users to access only what they absolutely need to perform their job functions?

Employees must only be allowed access to resources necessary to perform their job duties. Role-based access control is set up to define specific roles in a company, such as financial analyst or human resources generalist. Once the role is defined, permissions and security groups are assigned based on the minimum access needed for someone in that role.

Access Approval Process

Question 8 – Does your company have a process to obtain approval from service owners and employee managers for access requests?

The Help Desk can receive many access requests to resources. One identity and access management best practice are to have the resource owner approve the access request. In addition, the manager of the requestor should approve the request.

Identity and Access Management Process Auditing

Question 9 – Do you have a way of auditing password resets and account provisioning?

Creating user accounts, resetting passwords, and delegating access to users is too easy. The administrative ability to perform these actions needs to be restricted, controlled, and monitored. Once you have your process and controls in place, these actions need to be audited. Active Directory has specific group policy settings to log password resets and account provisioning changes. The problem is the logging data is complex and difficult to be efficient in auditing. Mature Help Desks will have an internal or 3^rd party application to gather, sort, and present security log data in a useful and efficient interface.

Multifactor Authentication

Question 10 – Does your company use multifactor authentication?

User authentication to a resource by two or more pieces of evidence is known as multi-factor authentication. The evidence or factors are grouped into knowledge, possession, and inherence factor categories.

Knowledge – Something you know, such as a password.
Possession – Something only the user, has such as a token.
Inherence – Something, the user, is such as a fingerprint.

Multifactor authentication is used to make access to resources more secure. If one factor is compromised, such as a password, then access is still secure with the other factor, such as a token or fingerprint needed to access the resource.