The management of identity is one of the most common and complex security challenges that is faced by organizations today. Many businesses operate globally with thousands of users constantly accessing hundreds of unique systems and applications. Establishing a role-based model and enforcing accountability is critical to securing access to company resources, but can be very difficult to implement, especially in mature and large organizations.
At Adobe, our Identity and Access Management (IAM) strategy comprises the following 6 pillars:
- Compliance with key Adobe Common Control Framework (CCF) objectives, especially those related to authentication and authorization.
- Authentication to Adobe systems is governed via a centralized identity source, which maintains compliance with scalable CCF requirements.
- Workflows have been implemented which automate provisioning, deprovisioning, and periodic access review processes.
- Access requests require a user and role to be selected from a pre-defined list, and a business justification must be provided.
- Once a user is granted access to a role, strong authentication is required to access company and customer resources.
- Critical system activity is logged to a centralized repository to maintain user accountability.
Our security administrators work diligently to discourage abuse and try to avoid human error. They recognize the importance of a centrally managed identity source built with strong role-based and accountability principles. When a single source of record exists, whose updates are automatically synced to all integrated systems, the need to manage access to each system independently is eliminated.
Workflows have been implemented to automatically route access requests to approvers, provision approved requests within the system, disable terminated users, and perform access updates based on periodic access review submissions. This automation helps reduce the risk associated with manual processes and creates efficiency in Adobe’s IAM implementation.
One of the most important pillars is defining a role-based access model. System owners predefine roles within Adobe’s automated provisioning workflow. This allows users to self-service the access request process while maintaining least privilege. Users requesting access to a role which would grant excessive privilege will be denied by the role owner and the user must resubmit their request for a more restrictive role.
Role-based models for managing access help reduce provisioning errors and overhead, improve logical access review accuracy, and enforce least privilege. When logical access roles are not defined, excessive or unauthorized access across systems is likely to result from manual and ad-hoc provisioning processes.
For example, without a defined role-based access model, new hires might require 25 separate permissions to be configured for them to perform their job responsibilities. Performing these tasks for numerous new hires, position transfers, and exiting personnel on a daily basis is cumbersome and prone to error.
Additionally, during periodic logical access reviews, the system owner must review each of the 25 separate permissions for every user with access to the system. The ability to review all users assigned to a defined role in one step will save the organization time and money while improving security.
On the other hand, defining a set of roles with explicit system privileges requires a one-time setup with minimal ongoing maintenance. Changes to existing roles should be controlled via change management processes. Once established, system owners can perform a single action to assign users to a role, or multiple roles, based on their job responsibilities.
Finally, least privilege requires that each defined and approved role has the minimum necessary system privileges which allow the role to fulfill its job requirements. When role creation is not guided by least privilege, it often results in excessive access for many of its members and appropriate access for very few of its members. New roles should always be created for system users that require more or less access than what is provided by an existing role.
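The role-based request flow described above, as an added illustration that is not Adobe's code: roles are explicit privilege sets, a request must name a predefined role and carry a justification, and a request for a role that grants more than the job needs is denied with the more restrictive role to resubmit for. The role names, privilege strings and the assumption that the requester's needed privileges are captured on the request are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample role catalog: each predefined role carries an explicit set of
# system privileges, as the page describes for the provisioning workflow.
ROLES = {
    "billing-analyst": {"invoice:read", "invoice:export", "ledger:read"},
    "billing-admin": {"invoice:read", "invoice:export", "invoice:write",
                      "ledger:read", "ledger:write", "user:manage"},
}

@dataclass
class AccessRequest:
    user: str
    role: str            # must be chosen from the predefined list
    justification: str   # business justification is mandatory
    needed: frozenset    # privileges the job actually requires (assumed to be
                         # captured on the request so the owner can judge excess)

class RoleCatalog:
    def __init__(self, roles):
        self.roles = {name: frozenset(p) for name, p in roles.items()}
        self.assignments = {}  # user -> set of role names

    def least_privilege_role(self, needed):
        """Smallest predefined role covering `needed`; None means a new role is required."""
        fits = [r for r, p in self.roles.items() if needed <= p]
        return min(fits, key=lambda r: len(self.roles[r])) if fits else None

    def review_request(self, req):
        """Role-owner decision for one access request."""
        if not req.justification.strip():
            return "denied: missing business justification"
        if req.role not in self.roles:
            return "denied: role not in predefined list"
        if not req.needed <= self.roles[req.role]:
            return "denied: role does not cover required privileges"
        best = self.least_privilege_role(req.needed)
        if best != req.role:  # a smaller role would do: excessive privilege
            return f"denied: excessive privilege, resubmit for {best}"
        self.assignments.setdefault(req.user, set()).add(req.role)
        return "approved"

    def effective_permissions(self, user):
        return frozenset().union(*(self.roles[r] for r in self.assignments.get(user, ())))

    def review_workload(self):
        """Periodic access review items: per (user, role) versus per (user, permission)."""
        by_role = sum(len(r) for r in self.assignments.values())
        by_perm = sum(len(self.effective_permissions(u)) for u in self.assignments)
        return by_role, by_perm
```

`review_workload` makes the review argument from the text concrete: reviewers sign off one line per role assignment rather than one per individual permission.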
Mismanaged systems may introduce security and process breakdowns, which may facilitate unauthorized or excessive access to systems or data. Access to critical Adobe resources requires a valid whitelisted IP, username, password, and a logical access token or key. The combination of these elements complies with Adobe’s Authentication Standard requirements. If suspicious or malicious activity is identified within a system, security administrators are able to identify the user and hold them accountable for their associated system activity.
Accountability ties the authenticated user to the actions they performed while interacting with the system. In most cases, a single user is assigned a unique account. When shared accounts are necessary, each individual user must authenticate with their own identity before using the shared account. This gives security administrators the ability to track a specific user’s actions within a system, which can be used to investigate incidents and prevent repudiation.
Maintaining an efficient and more secure IAM model in a large organization can be challenging and requires diligent forethought. When implemented correctly, an organization can help reduce the risk and likelihood of unauthorized access, both internally and externally. Adobe is committed to excellence with the delivery of its services and the protection of both Adobe and customer resources. Our IAM implementation is just one of many examples of Adobe’s defense-in-depth security strategy.
Sr. Analyst, Adobe Risk Assurance and Analysis Services (RAAS)