14. Identity and access management.
Absolute Information Security would be obtained by isolating information from any access; in that case, however, it would be of no use to anyone.

The information, in fact, must be AVAILABLE to the subjects (people and applications) who are authorized to access it.

This implies knowing and managing their identities and what they are allowed to access.

Identity and access management, or IDENTITY ACCESS MANAGEMENT (IAM), is the set of policies, processes and technologies that ensures this happens.


There are 4 phases in IAM:

 - IDENTIFICATION: the declaration of the identity of the subject (e.g. username);
 - AUTHENTICATION: the confirmation that the identity is recognized and valid (e.g. password);
 - AUTHORIZATION: the assignment of access permissions to information and applications associated with the authenticated identity;
 - ACCOUNTABILITY: the recording of the activities carried out by the subject with that identity.

Identity Access Management must be:

 - automated, to avoid the inevitable errors and omissions of manual procedures;

 - integrated with the HUMAN RESOURCES processes (hiring, resignation, change of duties, etc.);

 - based on predefined ROLES for the assignment of authorizations;

 - inclusive of activity tracking of subjects, so that the actions carried out on information and systems can be attributed with certainty (accountability).


IAM includes:

 - multi-factor authentication, or Multi Factor Authentication (MFA), which greatly increases the reliability of AUTHENTICATION;

 - password management (complexity, validity, expiration) and reset procedures (possibly self-service);

 - the management of privileged users, or PRIVILEGED ACCESS MANAGEMENT (PAM): these users are essential for managing the systems, but are also the most critical for security, being a favourite target of SPEAR PHISHING and SOCIAL ENGINEERING;

 - the management of ROLES and of the access control model, which must be the one suited to the organization of the company;

 - the verification of the activities of the subjects and the highlighting of anomalous situations (User Entity Behavior Analysis, UEBA).
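The four phases above and the MFA, role and anomaly-detection elements of this list can be seen together in a small model. The following is an added example, not code from the original text: it assumes a constructed role model (`analyst`, `sysadmin`), a simplified HOTP-like one-time code as the second factor, and a fixed failed-login threshold as the anomaly rule.

```python
import hashlib
import hmac
import secrets

ROLES = {"analyst": {"read:reports"},  # constructed sample: predefined roles -> permissions
         "sysadmin": {"read:reports", "write:reports", "manage:systems"}}
FAILED_LOGIN_THRESHOLD = 3  # repeated failures on one identity are flagged as an anomaly

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def otp_code(secret: bytes, counter: int) -> str:
    # Simplified counter-based one-time code (HOTP-like) standing in for the second factor
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class IAM:
    def __init__(self):
        self.users = {}      # IDENTIFICATION: username -> credentials and assigned role
        self.audit_log = []  # ACCOUNTABILITY: every authentication and access decision
        self.failures = {}   # consecutive failed authentications per identity

    def enrol(self, username: str, password: str, role: str) -> bytes:
        salt, mfa_secret = secrets.token_bytes(16), secrets.token_bytes(20)
        self.users[username] = {"salt": salt, "pw": hash_password(password, salt),
                                "mfa": mfa_secret, "counter": 0, "role": role}
        return mfa_secret  # would be provisioned to the user's authenticator device

    def authenticate(self, username: str, password: str, otp: str) -> bool:
        # AUTHENTICATION: knowledge factor (password) plus possession factor (one-time code)
        u = self.users.get(username)
        pw_ok = bool(u) and hmac.compare_digest(u["pw"], hash_password(password, u["salt"]))
        ok = pw_ok and hmac.compare_digest(otp, otp_code(u["mfa"], u["counter"]))
        if ok:
            u["counter"] += 1  # a used code can never be replayed
            self.failures[username] = 0
        else:
            self.failures[username] = self.failures.get(username, 0) + 1
        self.audit_log.append(("auth", username, ok))
        return ok

    def authorize(self, username: str, permission: str) -> bool:
        # AUTHORIZATION: permissions come only from the predefined role, never per user
        allowed = permission in ROLES.get(self.users.get(username, {}).get("role"), set())
        self.audit_log.append(("access", username, permission, allowed))
        return allowed

    def anomalies(self) -> list:  # UEBA-style check: identities with repeated failed logins
        return [n for n, c in self.failures.items() if c >= FAILED_LOGIN_THRESHOLD]
```

Because every decision is appended to `audit_log`, each action can later be attributed to the identity that performed it, which is the accountability phase in practice.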


IAM is a basic element of the Information Security Program
(see 9. The Information Security Program) that the Fractional CISO establishes in the company.