Every company that has a computer in it has an Identity Management program, whether they realize it or not. Identity Management is NOT a tool, technology, script, or web site. It’s a collection of business and technical processes for creating accounts and granting security access to business resources.
Create accounts, set passwords, determine the access they need, remove the access and/or delete the account when the person associated with that account leaves the company. In the simplest of terms, that’s Identity Management.
Technology helps bring those processes, audit requirements, accountability and efficiency under control. However, there are key challenges that should help you realize it may be time to prioritize your Identity Management efforts.
Back log of requests for access rights
Most likely your organization has a central group that receives access requests and carries them out. Either your Help Desk or an IT group, or maybe all of the above, is involved. But over time those requests are just that: requests. Are they all valid? Anyone can request or ask for something, but that doesn’t mean it will be approved or that the access is authorized to be granted. Do you check for approvals and policy violations before you grant the access, or do you just grant it because a manager requested it?
This is the first indication that your business needs to address its Identity Management efforts: your requests are overwhelming someone.
Complicated policies for granting access
If your access granters are centralized for all applications, are they also the premier experts on every application’s security model? Are any of the access grants manual inserts directly into databases, files or ACLs? Does the application have a highly detailed matrix of all the access possibilities that a non-expert can understand and follow?
The more manual it is to grant complex access in an application, the higher the rate of error. The more errors that occur, at least the ones you are made aware of, the more delays happen. What happens next is that the granters begin to gravitate toward the ‘copy what they have’ approach. Instead of focusing on least privilege, they copy an existing user and inadvertently give the new user more access than they need. That exposes more risk and more holes, because users are given more than they need.
Unclear request forms
When you have a manual Word doc for requesting access, you are opening the door for a person to be sloppy, fast, and inaccurate. Manual request forms create a nightmare when you try to audit them, report on them, research them and process them. Manual forms can come in incomplete or incorrect, and they can confuse the people filling them out. The direction needs to be a business-policy-based, automated request system that follows the business’ rules, checks compliance, and only allows properly authorized people to submit the request in the first place.
Inaccurate audit trails
Outside of a centralized Identity Management system, trying to audit who, what, where, when and whether it falls within policy will take you weeks if not months each time you try, with incomplete and unreliable results. Auditing, compliance and reporting are the sole reason to focus on your Identity Management. The business must know who is in the systems, what they have access to, how they got it, and must be able to remove it quickly. For an auditor it’s not so much what you know, but what you don’t know but should.
It’s very, very easy to create an account and give it access to something. What companies are very bad at is removing all that access when the person leaves. The reason is that most businesses do not have a centralized catalog mapping an identity profile to all the access it has. So how can you confidently say that you have removed all the access for a specific account when you don’t know what it has? Those profiles and accounts sit there and leave another point of potential exploitation.
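One way to surface the two gaps described above, leaver accounts that still hold access and ‘copy what they have’ grants beyond a role’s baseline, is to reconcile an HR roster against an entitlement export. This is an added example, not code from the original post; the roster, the entitlement rows and the role baseline are all constructed sample data, and the system and entitlement names are assumptions.

```python
"""Added example (not from the original post): reconcile an HR roster against
an entitlement export to find (a) access that survives after a leaver departs
or belongs to no known person, and (b) grants an active user holds beyond the
least-privilege baseline for their role. All records below are constructed."""

# Constructed HR roster: account id -> role and employment status.
HR = {
    "e100": {"role": "payroll_clerk", "status": "active"},
    "e101": {"role": "payroll_clerk", "status": "terminated"},
    "e102": {"role": "dba", "status": "active"},
}

# Constructed entitlement export (account, system, entitlement): the
# centralized catalog of identity-to-access the post says most businesses lack.
ENTITLEMENTS = [
    ("e100", "payroll", "view_payslips"),
    ("e100", "payroll", "approve_payroll"),      # copied from a peer, not in baseline
    ("e101", "payroll", "view_payslips"),        # leaver still holds access
    ("e101", "vpn", "remote_access"),
    ("e102", "oracle", "sysdba"),
    ("svc_legacy", "payroll", "view_payslips"),  # no HR record at all
]

# Assumed least-privilege baseline per role: the access matrix the post
# says granters need instead of copying another user.
ROLE_BASELINE = {
    "payroll_clerk": {("payroll", "view_payslips")},
    "dba": {("oracle", "sysdba")},
}


def orphaned_access(hr, entitlements):
    """Entitlements held by accounts whose owner is terminated or unknown to HR."""
    return [row for row in entitlements
            if hr.get(row[0], {}).get("status") != "active"]


def excess_access(hr, entitlements, baseline):
    """Entitlements an active user holds beyond their role's baseline."""
    return [row for row in entitlements
            if hr.get(row[0], {}).get("status") == "active"
            and (row[1], row[2]) not in baseline.get(hr[row[0]]["role"], set())]


if __name__ == "__main__":
    for row in orphaned_access(HR, ENTITLEMENTS):
        print("REVOKE (no active owner):", row)
    for row in excess_access(HR, ENTITLEMENTS, ROLE_BASELINE):
        print("REVIEW (beyond role baseline):", row)
```

Run against real exports, the first list is the deprovisioning backlog and the second is the over-provisioning an access review should challenge.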
Bypassing the process
This is my biggest pet peeve: businesses that cannot manage themselves. Managers, VPs and executives that allow business processes to be bypassed under the umbrella of user inconvenience, time constraints and every other excuse rather than managing employees to follow the business policies. Manual processes beg for people to sidestep them. “I don’t have to fill this out, I am a VP, the Service Desk will give me what I want.” “They won’t use this new system, they will just do it the old way.” My response to that “manager” is to tell them to step up and manage their direct reports to comply with the business policy and processes, and to reflect it in their individual reviews. More and more I am seeing managers not reviewing business process compliance when reviewing an employee. The core of your business is to protect the business, and Identity Management is all about knowing the who and the what. The who, employee or not, is your biggest risk in any company. Why not prioritize it?
Identity Management is the world we live in. With social media integration into the business world, it is becoming more and more critical to get a grasp on managing those identities. But in order to do that, the business needs to realize that the technology will not solve this problem for them; the business will also have to improve its internal management practices to get everyone into a mindset of complying with processes.
One breach of trust is all it will take to turn a business upside down and no auditor, regulator, or law enforcement organization will listen to the excuse that an employee didn’t like the process.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.