The Difference Between IAM’s User Provisioning and Data Access Management

Identity and access management (IAM)’s user provisioning and data security’s data access management both manage access, but provisioning is not a substitute for data access management. The differences between the two are large enough to put them in distinct categories. Both are important, and knowing the difference will help you pick the right tool for the job.

What is User Provisioning?

User provisioning is the creation and management of users’ access to the organization’s resources. Access can range from IT accounts (CRM, Salesforce, email, etc.) to non-IT equipment and resources such as an access badge, a phone, or a car.

IT administrators responsible for provisioning access know that doing it manually is tedious and complicated, and that even with a checklist the risk of making mistakes is high.

Of course, there is always the option of leveraging directory services to automate the provisioning workflow. And the work of maintaining those access rights continues as people’s responsibilities evolve and when they leave the organization.

IAM systems automate this process further. To streamline provisioning, organizations create templates, called “roles”, that package together the accounts and entitlements a class of user receives. For example, any full-time employee on the Finance team receives the same types of access: an email account, authorization to the parking area, and access to the billing and payment systems. Later in her career, the Finance user might change jobs and join the legal team. IAM will facilitate that role change: since the user is still an employee, she retains her email and parking access, but the system revokes her rights to the billing and payment systems and then grants access to the eDiscovery and records management tool.

So far, there’s no reason to believe that you can’t provision access to data in the same way: make access available to the users who need it and manage it as needed.

So What’s the Problem?

Organizations with IAM solutions often assume that their existing security groups and roles align with the underlying structures that hold the organization’s data. Unfortunately, even when users are in the correct groups, they inevitably end up with far more access to data than their jobs require.

Sure, IAM solutions have complete lists of users and groups from directory services. One of the biggest challenges, however, is mapping those users and groups to the access control lists (ACLs) that control access to the data itself.

What’s more, IAM doesn’t identify which users are actually accessing which files, and, more importantly, it doesn’t identify which folders and files contain sensitive data.

How Data Access Really Works

ACLs control access to data.

What this means is that if a file object has an ACL containing (Allen: read, write; Jared: read), Allen has permission to read and write data in the file, while Jared can only read it.

The best practice for managing access is through groups. A typical ACL consists of groups with various rights; for example, one group on the ACL has read permission and another has read and write permission. To grant access, simply add users to the group that corresponds to the desired level of access.

In theory, it seems simple enough to control and maintain access to data by keeping the right users in the right groups, and the right groups on the ACLs.

Here’s what happens in reality: the links between users, groups and data break down over time. Users are added to groups and never removed. ACLs are modified to include groups unrelated to the data the ACL was originally intended to protect. Or, even worse, groups are added to other groups, which further complicates the situation and causes a wider ripple effect: every member of the nested group silently inherits whatever the parent group can reach.

To manage data access properly, it’s vital to ensure that security groups actually grant access to the right sets of data. Maintaining that link is key to avoiding unintended consequences, such as adding a user to an innocuous-seeming group that, through group nesting, actually grants access to critical or sensitive business data.
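To make both halves of the argument concrete (the role-based provisioning described under “What is User Provisioning?” and the broken user/group/ACL links described just above), here is an added example, not code from the original article or from any IAM product. It models a hypothetical organization: IAM role templates that provision directory group membership, a directory with one group nested inside another, and file-share ACLs that reference those groups. The share paths, group names, users and roles are all constructed for the example. The functions compute the grant/revoke delta when a user changes roles, then resolve the ACLs to effective per-user rights, explain the chain of nested groups through which a user reaches a resource, and flag users who hold rights on a sensitive resource without holding the role that is supposed to own it.

```python
"""Constructed model of IAM role provisioning feeding directory groups, and of
file ACLs that reference those (possibly nested) groups.  Added example for
this article; the org, share paths, groups and users are hypothetical."""
from collections import deque
from copy import deepcopy

# IAM role templates: role -> entitlements.  Directory groups are provisioned
# by adding the user as a member; "Parking-Badge" is a non-IT entitlement.
ROLES = {
    "employee": {"All-Staff", "Parking-Badge"},
    "finance":  {"Finance-Users", "Billing-RW"},
    "legal":    {"Legal-Users", "eDiscovery-RW"},
}
USER_ROLES = {
    "allen": {"employee", "finance"},
    "maria": {"employee", "finance"},
    "jared": {"employee"},
}
# Directory: group -> members (users or, when nested, other groups).  User and
# group names are assumed not to collide.  "Printer-Users" was nested inside
# "Billing-RW" by a long-forgotten change; the helpdesk later added jared to
# "Printer-Users" to close a printing ticket.
GROUPS = {
    "All-Staff":     {"allen", "jared", "maria"},
    "Finance-Users": {"allen", "maria"},
    "Billing-RW":    {"Finance-Users", "Printer-Users"},
    "Printer-Users": {"jared"},
    "Legal-Users":   set(),
    "eDiscovery-RW": {"Legal-Users"},
}
# ACLs: resource -> principal (user or group) -> rights.
ACLS = {
    r"\\fs01\finance\billing":          {"Billing-RW": {"read", "write"},
                                         "Finance-Users": {"read"}},
    r"\\fs01\finance\q3-forecast.xlsx": {"allen": {"read", "write"},
                                         "jared": {"read"}},
    r"\\fs01\legal\ediscovery":         {"eDiscovery-RW": {"read", "write"}},
}
# Which role is supposed to own each sensitive resource: the link between
# groups and data that IAM alone does not maintain.
OWNER_ROLE = {r"\\fs01\finance\billing": "finance",
              r"\\fs01\legal\ediscovery": "legal"}


def provisioning_delta(old_roles, new_roles, roles=ROLES):
    """Mover: (grant, revoke) entitlement sets when a user's roles change."""
    before = set().union(*(roles[r] for r in old_roles))
    after = set().union(*(roles[r] for r in new_roles))
    return after - before, before - after


def apply_delta(user, grant, revoke, groups):
    """Return a copy of the directory with the group changes applied."""
    new = deepcopy(groups)
    for g in revoke:
        if g in new:
            new[g].discard(user)
    for g in grant:
        if g in new:            # non-IT entitlements have no directory group
            new[g].add(user)
    return new


def expand_group(group, groups):
    """All users transitively in `group`; tolerates group membership cycles."""
    users, todo, seen = set(), deque([group]), {group}
    while todo:
        for m in groups.get(todo.popleft(), ()):
            if m in groups:
                if m not in seen:
                    seen.add(m)
                    todo.append(m)
            else:
                users.add(m)
    return users


def effective_access(resource, acls, groups):
    """Resolve an ACL to user -> union of rights (the view IAM does not have)."""
    out = {}
    for principal, rights in acls[resource].items():
        members = expand_group(principal, groups) if principal in groups else {principal}
        for u in members:
            out.setdefault(u, set()).update(rights)
    return out


def access_paths(user, resource, acls, groups):
    """Chains of principals, ACL entry first, through which `user` gets rights."""
    paths = []

    def walk(group, chain):
        for m in groups.get(group, ()):
            if m == user:
                paths.append(chain)
            elif m in groups and m not in chain:
                walk(m, chain + [m])

    for principal in acls[resource]:
        if principal == user:
            paths.append([principal])       # direct ACE on the user
        elif principal in groups:
            walk(principal, [principal])
    return paths


def unexpected_access(resource, acls, groups, user_roles, owner_role):
    """Users with rights on `resource` who do not hold its owning role."""
    intended = {u for u, rs in user_roles.items() if owner_role[resource] in rs}
    return {u: r for u, r in effective_access(resource, acls, groups).items()
            if u not in intended}


if __name__ == "__main__":
    billing = r"\\fs01\finance\billing"
    print("unexpected on billing:", unexpected_access(billing, ACLS, GROUPS, USER_ROLES, OWNER_ROLE))
    print("how jared gets in:", access_paths("jared", billing, ACLS, GROUPS))
    grant, revoke = provisioning_delta(USER_ROLES["maria"], {"employee", "legal"})
    moved = apply_delta("maria", grant, revoke, GROUPS)
    print("maria on billing after move:", effective_access(billing, ACLS, moved).get("maria"))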

It’s All in the Details

In short, the practical details of managing data access are intricate. Yes, provisioning user access to IT resources is a form of access management and very important to security, but it is not a substitute for data access management, and it is not data security.
