Cloud data storage, multiple business applications, BYOD, home office – applying appropriate and sufficient controls for managing user accounts and access rights addresses one of the most significant challenges in today’s enterprise IT environments. Intentional or accidental misuse of IT-driven business processes by (formerly) authorized users may have a severe impact on the enterprise and its competitive position. As we have pointed out before on this blog, insiders continue to be a major source of data breaches. The following two examples illustrate an organization’s risk arising from a lack of Identity and Access Management (IAM).
Access rights of employees made redundant are revoked too slowly, incompletely, or not at all. Long-term employees tend to collect access rights throughout their career: when they are assigned a new job, all processes for granting the access rights needed in the new job are performed quickly, but only in a few cases are the obsolete access rights revoked as the new role would require. We noted that the same often happens with trainees who move quickly through multiple departments of an organization.
Vendors of IAM solutions tend to promise that their product will solve all relevant challenges in maintaining access rights. Unfortunately, this is only half the truth – let’s have a quick look at the drivers for successful IAM programs.
1. Main driver for IAM: Compliance with regulatory requirements
In recent years, auditors – in particular those of financial institutions – have found IAM processes a fruitful object of examination. Yearly audit reports often show various findings concerning access rights. Regulatory catalogs make the auditors’ work concerning IAM easy – by raising the requirements from one release to the next, they become more and more challenging to fulfill. Regulations either name requirements explicitly or refer to a standard or norm that does so (e.g. ISO 27001/2).
Either way, there are various challenges organizations need to meet, e.g. to provide auditors with evidence for…
- Appropriate request & approval processes for granting access rights
- Access right withdrawal on resignation or termination of employment or even on job change
- Enforcement of separation of duties (e.g. separation of stock trading front office and back office)
- Periodical verification of granted access rights versus an individual’s duties
- Proper handling and monitoring of enhanced privilege usage
- A documented baseline for IAM processes and authorization concepts
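The leaver, mover and separation-of-duties checks above (and the accumulation of rights across job changes described earlier) come down to one reconciliation: compare what is actually granted in the target systems with the HR status and a role model. The following script is an added example, not code from the original post or from any IAM product; the HR feed, role model, granted entitlements, SoD rule and all user names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Employee:
    uid: str
    role: str    # current job role as reported by HR
    status: str  # "active" or "terminated"


# Constructed HR feed (all names are made up)
HR_FEED = [
    Employee("alice", "trader_front", "active"),
    Employee("bob", "settlement_back", "active"),    # moved from front office to back office
    Employee("carol", "trainee", "active"),          # rotating through departments
    Employee("dave", "trader_front", "terminated"),  # left the company
]

# Constructed role model: the entitlements each job role should carry
ROLE_MODEL = {
    "trader_front": {"trading_app:trade", "market_data:read"},
    "settlement_back": {"settlement_app:confirm", "market_data:read"},
    "trainee": {"market_data:read"},
}

# Constructed snapshot of entitlements actually granted in the target systems
GRANTED = {
    "alice": {"trading_app:trade", "market_data:read"},
    "bob": {"trading_app:trade", "settlement_app:confirm", "market_data:read"},  # old right kept
    "carol": {"market_data:read", "hr_app:admin"},     # leftover from an earlier rotation
    "dave": {"trading_app:trade", "market_data:read"},  # leaver whose rights were never revoked
    "eve": {"market_data:read"},                        # account with no HR record at all
}

# Constructed SoD rule: entitlement pairs one person must never hold together
SOD_RULES = [("trading_app:trade", "settlement_app:confirm")]


@dataclass
class Findings:
    revoke: dict = field(default_factory=dict)          # uid -> entitlements to withdraw
    sod_violations: list = field(default_factory=list)  # (uid, entitlement_a, entitlement_b)
    recertify: list = field(default_factory=list)       # active uids whose rights exceed their role
    orphans: set = field(default_factory=set)           # uids granted rights but unknown to HR


def reconcile(hr_feed, role_model, granted, sod_rules):
    """Compare granted rights with HR status and the role model; return the evidence an auditor asks for."""
    findings = Findings()
    known = {emp.uid for emp in hr_feed}
    findings.orphans = set(granted) - known

    for emp in hr_feed:
        held = set(granted.get(emp.uid, set()))
        if emp.status == "terminated":
            # Leaver: every remaining entitlement must be withdrawn
            if held:
                findings.revoke[emp.uid] = held
            continue
        # Mover / accumulation check: anything outside the current role is excess
        excess = held - role_model.get(emp.role, set())
        if excess:
            findings.revoke[emp.uid] = excess
            findings.recertify.append(emp.uid)
        # SoD check on what is actually held, independent of the role model
        for a, b in sod_rules:
            if a in held and b in held:
                findings.sod_violations.append((emp.uid, a, b))
    return findings


if __name__ == "__main__":
    f = reconcile(HR_FEED, ROLE_MODEL, GRANTED, SOD_RULES)
    for uid, ents in sorted(f.revoke.items()):
        print(f"REVOKE  {uid}: {sorted(ents)}")
    for uid, a, b in f.sod_violations:
        print(f"SOD     {uid}: holds both {a} and {b}")
    print(f"RECERT  {sorted(f.recertify)}")
    print(f"ORPHAN  {sorted(f.orphans)}")
```

Run periodically, the `revoke` list is the input for the withdrawal process, `recertify` is the list a manager has to confirm or reject, `sod_violations` is what audit will ask about first, and `orphans` are accounts that no HR record justifies. The same output, stored with a timestamp, is the documented evidence for the periodic verification listed above.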
2. Main Objective: Processes Rather than Technology
To tackle the challenges IAM poses, we need to look at the business processes for maintaining users and their access rights. This is what any IAM program should start with – a pre-project for analyzing current processes and procedures and discovering latent and obvious weaknesses and pain points.
Then redesign the IAM processes to ensure complete transparency and auditability. This automatically leads to requirements for the supporting technical infrastructure, which can then be used for selecting an IAM vendor and product.
Be wary if your IT organization requests procurement of a tool before looking at IAM processes.
3. Secondary Objective: Security, Cost Reduction, User Friendliness
Beyond compliance, there are further drivers for setting up an IAM program. By fixing IAM processes, information security is significantly improved, as users only have access to the information and IT functionality they require for their jobs. This is, in fact, why audit puts such focus on IAM.
Furthermore, introducing proper IAM processes – and possibly a supporting IAM system – can significantly reduce costs for IT operations by providing user self-service and automation of regular tasks. This not only significantly lowers costs for the service desk and hands-on IT administration but also brings the user experience to a comfortable level. Often users face different procedures for requesting access rights for different applications; managers have almost no tool to review the access rights of their teams; administrators have to document request procedures manually using mail archives or ring binders (yes, I do mean paper-based procedures!). All of this can be significantly and quickly improved by introducing IAM systems.
4. Scoping of an IAM program: Start Small, Think Big
Although this article has just shown how IAM solutions can be the answer to various challenges, we need to make sure the IAM program is set up properly. Most important is to set the right priorities for your organization’s IAM program and to derive from them the scope for the first project and a pipeline for the succeeding ones.
Business process analysis and redesign will show you the most important requirements to focus on first – these should define the scope of the initial project. Depending on your organization, the scope could be one of the following (or something completely different):
- User self-service for requesting access rights for a set of pilot application systems
- Automation of on-boarding and off-boarding processes
- Setting up periodical recertification processes for business critical applications
- Introducing functions for temporarily granting privileged access rights and monitoring their usage
- Federation of access rights of your partner web portal to business partners
or even only
- Preparatory work to get ready for introducing IAM solutions (e.g. housekeeping activities, preparing documentation for authorization concepts, create a business role model for the corporation, etc.)
A common mistake is to put too much scope into the first project, thus overloading it with complexity and dependencies. The best advice is to have a complete view of the target solution but to start with a manageable amount of work. The first project will be complex anyway, as it will need to introduce various new processes and technical interfaces.
5. Ensure Sufficient Funding and Management Support
Neither IAM product prices nor the costs of running IAM programs are negligible. But in most cases, IAM programs will show a positive ROI after a few years – even when only counting direct effects such as reduced help desk and administration costs. Taking risk reduction into account – as in ROSI (return on security investment) calculations – the return comes even quicker. Strict budget constraints for an IAM program most often lead to the decision to focus on regulatory requirements and to postpone other targets. This often means removing IAM functionality from the scope that would help reduce operational costs (such as user self-service), thus minimizing the ROI.
Management support for your IAM program management is also a critical success factor. Since the IAM program will have to negotiate changes with various business units in your organization, it will require the competencies and management support to do so. Change management induced by IAM programs in particular needs to address non-IT sections such as HR and business application owners, but also service desks, IT staff and various other projects.