Introduction
Just like my last two posts, today I’ll be going through Tata’s job simulation, also available through theforage.com. Where the Mastercard simulator focused on Phishing, and the Deloitte one had a focus on network logs, this simulator is more focused on Identity and Access Management.
I’ve not heard of Tata before. After a quick search I found out they’re an Indian multinational. They look like a Tesla competitor based on how their EVs look. What the company does doesn’t really matter. A phishing email is a phishing email at the end of the day. We’ll not be looking at phishing today though (unfortunately). Time to delve into IAM.
IAM is, personally, a pretty boring topic. Analysing phishing emails and reviewing network logs are a lot more interesting than designing and implementing access management. Maybe someone reading this enjoys IAM, and that’s great! For me though, it’s one of the less interesting topics.
Enough on my thoughts on IAM - Let’s see what this simulation has for us. Here’s the overview:
You are an identity and access management (IAM) developer, a key role within the cybersecurity team at Tata Consultancy Services (TCS). Your primary responsibilities include assessing IAM readiness, designing tailored solutions, and planning the implementation of an IAM platform for TechCorp Enterprises, a global technology conglomerate.
Your Goal: Gain a strong grasp of IAM concepts and their significance in modern enterprises, ensuring you can effectively contribute to TechCorp’s security objectives. Evaluate TechCorp’s readiness for IAM implementation. Craft customised IAM solutions for TechCorp, aligning them with its business processes and objectives to enhance security. Plan a comprehensive project for implementing an IAM platform at TechCorp, addressing integration challenges and ensuring secure access to digital resources.
We get a list of our team members, consisting of: me, an IAM architect who is our manager, a fellow team member who is an IAM business analyst, and another IAM engineer team member.
The project briefing comes in the form of an email which I think is quite cute. It makes it feel less like a task on a third party website and more like a simulation of a job.
From: priya@tcs.com
To: forager@tcs.com; rajesh@tcs.com; ankit@tcs.com
Subject: IAM Project Brief - TechCorp Enterprises
--
Dear Team,
I trust this message finds you well. I'm pleased to let you know about our next identity and access management (IAM) project with TechCorp Enterprises. I will be leading this project and look forward to working with you. Let's delve into the essentials:
TechCorp Enterprises, a global technology giant, understands the growing importance of IAM in safeguarding its digital infrastructure. The ever-evolving digital landscape and rising security threats demand proactive measures.
TechCorp's leadership is under immense pressure to strengthen cybersecurity as recent industry data breaches have raised concerns. Our team is tasked with assessing IAM readiness, designing tailored solutions, and planning IAM platform implementation.
Project requirements and outcomes:
IAM readiness assessment: Evaluate TechCorp's IAM readiness.
IAM solution design: Craft customised IAM solutions.
IAM platform implementation plan: Plan the IAM platform implementation, ensuring secure access.
I trust the team is eager to take on this challenge and is well-prepared to leverage our expertise to enhance TechCorp's cybersecurity.
I'll send additional information soon.
Best regards,
Priya
IAM Architect
Tata Consultancy Services (TCS)
It’s quite a nice way of simulating what a project would feel like in the real world. All the previous information could have been given in this format and I would’ve been more engaged than when I read about IAM initially.
We get the first multiple-choice questions of this simulator now:
What is the primary goal of the IAM project with TechCorp Enterprises?
and
Who is leading the IAM project for TechCorp Enterprises?
Both of these have pretty obvious answers if you just read the email.
Task One
In this task we’ll be looking at the fundamental concepts of IAM.
I have to assume theforage ask companies to film videos about each task, because we get another one here with someone from Tata giving a nice overview.
The next few parts of this task give a lengthy overview of IAM and its importance in modern enterprises. I’m not going to quote it all here. If you want to read up on it you can just register and do it yourself. I mentioned in my SC-200 review that my next exam was going to be the CC of which 22% of the exam questions are about Access Control Concepts.
IAM isn’t the most interesting part of defensive security but it is important. My eyes might glaze over when I study IAM and go through the concepts, but to all those people who get a kick out of it - Go you.
Next in this task we get given some case studies for practical uses of IAM. The first is about healthcare data and how IAM can be implemented at a hospital where everyone is apparently looking at patient data. The second case study focuses on a financial institution where, much like the hospital, they had ‘an escalating wave of insider fraud and an ever-growing specter of data breaches’.
The eight questions for this task are:
What is the primary role of IAM in cybersecurity?
The answer for this one is quite simple given that the three other answers have nothing to do with IAM.
Which IAM component enforces strict control over user access based on their roles and responsibilities?
Once again, if you’ve studied IAM for even a few minutes you’ll know that this is RBAC.
What does MFA require for user authentication?
Another fairly simple one to answer if you know what the first two letters stand for.
In which industry did the first case study demonstrate the use of IAM to prevent data breaches?
It’s here where blogging about this helped a bit. I like to write these posts as I’m going through tasks so it was pretty simple to read back and refresh myself on what the first case study was about.
What was the primary security challenge faced in the financial institution case study?
Again - Writing this post helped quite a bit in remembering the concerning amount of fraud and breaches going on at this fake bank.
Which IAM component not only enforces strict access control based on roles but also maintains detailed records of user activities and access attempts?
The answer for this question was ‘Access Governance’. I didn’t get this one right away. The reason given was quite helpful - ‘Access governance enforces strict access control based on roles and responsibilities and maintains detailed audit records of user activities and access attempts, making it crucial for security monitoring.’
In the healthcare case study, implementing IAM resulted in a significant reduction in what specific type of incident related to unauthorised access?
Reading the case-study gives us this answer quite clearly.
In the financial institution case study, how did IAM primarily enhance security to prevent insider fraud and data breaches in the financial institution?
The options given for this question make this easy enough to answer. Reading the case study does help though.
That’s the first task complete. Onto task two!
Task two: IAM strategy assessment
Once again at the beginning of this task we get a nice little video from the team at Tata. This task consists of assessing a hypothetical scenario for a business to determine their readiness for IAM, and developing a checklist for evaluating IAM strategy and readiness.
There are two questions for this task ‘What is the primary goal when evaluating an enterprise’s IAM strategy?’ and ‘Which of the following is a key consideration when implementing IAM in different organisational contexts?’. These are both theoretical and don’t require much research. If you know IAM basics then you’re good to go.
We get another nice email styled hook too:
From: ravi@tcs.com
To: forager@tcs.com
Subject: TechCorp Brief
–
Greetings, team!
As we evaluate TechCorp Enterprises' readiness for IAM implementation, we need to set the stage with a clear understanding of our client's context. TechCorp is known for pushing the boundaries of technology innovation. They operate in a fast-paced industry and consistently roll out groundbreaking solutions and products that change the game.
Organisational profile
Industry: Information technology and services
Global reach: Operating in 100+ countries
Employee count: 150,000+
Digital assets: A plethora of proprietary software, systems, and data repositories
TechCorp has embarked on a comprehensive digital transformation journey to maintain its competitive edge. This transformation is driven by the need to deliver innovative solutions faster, improve customer experiences, and harness the power of data.
Challenges and aspirations
Security concerns: With its expansive digital footprint, TechCorp is increasingly concerned about data breaches and cyber threats. Ensuring the security of their digital assets is a top priority.
User experience: TechCorp aims to provide a seamless and secure user experience for employees, partners, and customers accessing its digital platforms.
Operational efficiency: Streamlining access management and minimising manual processes are key aspirations to improve operational efficiency.
IAM strategy: TechCorp has an existing IAM strategy in place, but it needs a thorough assessment to ensure it aligns with the organisation's evolving needs. The strategy should address challenges, enhance security, and enable a smooth digital transformation.
IAM strategy focus areas
User lifecycle management
Access control mechanisms
Compliance and governance
Integration with existing systems
Cloud services integration
Enhanced user experience
Forager, can you please take a look at this information and provide a summary of the key considerations and steps we’ll need to take in assessing TechCorp’s readiness, along with a checklist?
Please let me know if you have any questions.
Thanks,
Ravi
We then need to send a reply summarizing the assessment that Ravi has given us, along with a comprehensive plan or checklist for evaluating the IAM strategy.
Task three: Crafting custom IAM solutions
Once again we get another video with the task, covering scenarios where IAM can be used to streamline business operations, and creating an actual IAM solution.
There are two topics that we need to cover in this task. The lifecycle management of the hypothetical company, and strengthening the access control mechanisms. The solutions we provide need to adhere to the principle of least privilege, RBAC, User lifecycle management, and auditing needs.
Then there are two more questions - ‘Which IAM principle emphasises providing users with the minimum level of access necessary to perform their job functions?’ and ‘What is a key strategy for aligning IAM with an organisation’s business processes and objectives?’. Once again these are both easily answered if you know a bit about IAM.
We then need to prepare a PDF outlining our strategy and confirming how we will be implementing the IAM solutions. You don’t actually have to submit a proper PDF, you just need to upload… any PDF.
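The four requirements named for this task (least privilege, RBAC, user lifecycle management and auditing), along with the access-governance idea from Task One of recording every access attempt, can be shown in a few lines. This is an added sketch, not part of the simulation or of Tata's material; the role names, permission strings and the user "asha" are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role map: each role carries only the permissions the job needs.
ROLE_PERMISSIONS = {
    "hr_analyst": {"employee_record:read"},
    "hr_manager": {"employee_record:read", "employee_record:update"},
    "developer": {"source_repo:read", "source_repo:write"},
}

@dataclass
class Directory:
    users: dict = field(default_factory=dict)      # user id -> {"role", "active"}
    audit_log: list = field(default_factory=list)  # one entry per event

    def _audit(self, actor, action, detail, outcome):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append({"time": stamp, "actor": actor, "action": action,
                               "detail": detail, "outcome": outcome})

    def assign(self, user, role):
        # Joiner or mover: the new role replaces the old one, so access
        # from a previous position does not accumulate.
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        action = "move" if user in self.users else "join"
        self.users[user] = {"role": role, "active": True}
        self._audit(user, action, role, "ok")

    def leave(self, user):
        # Leaver: the account is disabled, not deleted, so the audit trail stays linked.
        self.users[user]["active"] = False
        self._audit(user, "leave", "", "ok")

    def is_allowed(self, user, permission):
        # Deny by default: unknown users, disabled accounts and unlisted
        # permissions all fail, and every attempt is recorded either way.
        account = self.users.get(user)
        allowed = bool(account and account["active"]
                       and permission in ROLE_PERMISSIONS[account["role"]])
        self._audit(user, "access", permission, "allow" if allowed else "deny")
        return allowed

def demo():
    d = Directory()
    d.assign("asha", "hr_manager")
    results = [d.is_allowed("asha", "employee_record:update")]      # manager may update
    d.assign("asha", "developer")
    results.append(d.is_allowed("asha", "employee_record:update"))  # old access is gone
    results.append(d.is_allowed("asha", "source_repo:write"))
    d.leave("asha")
    results.append(d.is_allowed("asha", "source_repo:write"))       # leaver is denied
    results.append(d.is_allowed("mallory", "source_repo:read"))     # unknown user is denied
    return results, d.audit_log
```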
Task four: Platform integration
In this task we will address integration challenges and ensure secure access to enterprise resources for the hypothetical business, and create a PowerPoint presentation outlining the detailed implementation plan.
Like with the previous task I assume that the PowerPoint requirement will just be to upload something with a .pptx extension.
Before the PowerPoint we get these two questions: ‘What is one of the key considerations when implementing an IAM platform?’, and ‘Which of the following is a common challenge when integrating applications with IAM?’.
Conclusion
That’s that!
I mentioned that IAM isn’t the most interesting thing to me. While this simulator didn’t change my mind too much it did make it easy to understand the topics. I’m not going to pretend like it held my focus the whole time, but IAM is an important topic to cover when studying for the basics.