Maybe it was an icebreaker at an orientation session or a way that your parents tried to manage restless children during a long family car trip. Wherever you may have been introduced to it, the word association game is pretty common. One person shares a word and others have to say the first word that comes to mind. Let’s try it! Cupboard: dishes. Snow: skiing. Wimbledon: tennis.
You get the idea. I think if we played the word association game with identity and access management (IAM), the first thought of many auditors would be: human users. That is not unreasonable. After all, when we audit IAM, we routinely consider whether the processes and tools used in the IAM program ensure that users initially have (and maintain) only the access needed to perform their responsibilities. We may also consider the hurdles of temporary elevated access that is anything but temporary; position responsibilities that change, but access that doesn’t; and our favorite—privileged access. So, human users have been and continue to be a very important part of IAM.
As digital transformation sweeps across organizations, however, the technologies that are the foundation of that transformation need access. From our experiences at work as well as in our personal lives, consider the expanded use of customer-facing digital assistants. This technology and other intelligent automations offer convenience but also introduce risk. These technologies, for example, may store credentials which—if accessed by malicious actors—can lead to data and privacy breaches.
With these risks in mind, identification of similarities and differences between human IAM and nonhuman IAM (e.g., servers, service accounts, mobile devices) may be a starting point for audit consideration. For example, IAM for both humans and nonhumans should look at access rights and security around credentials. While that similarity exists, different behaviors between human IAM and nonhuman IAM may require a different approach. When looking at human behavior, there may be additional investigation when a human user who routinely works during the day Monday through Friday accesses systems at a time outside those working hours. The behaviors associated with a nonhuman user may not be as clear-cut. Using the same example, perhaps the nonhuman user is engaged at all times, not just during a 40-hour week. In addition to behaviors, there are inherent differences with nonhuman users. An example is collaborative computing devices associated with IoT. Whether or not remote activation of collaborative computing devices is prohibited would be a consideration in auditing IAM. So, there are differences that may not allow for IAM to be viewed the same way for human and nonhuman users.
As we acknowledge the nonhuman element, which is estimated at 14 billion IoT connections in 2022 and predicted to reach 27 billion IoT connections by 2027, part of that acknowledgement requires strategy on how to work with it. We cannot discount human users. They will, of course, remain an essential part of IAM. At the same time, though, I challenge us to look at the nonhuman element and ‘word associate’ nonhuman connections to IAM as much as we do human user connections.
Editor’s note: To learn more about identity and access management, see ISACA’s new audit program!