Poor identity management regularly leads to data theft. The perpetrators get hold of access data or pretend to be someone else. After all, whenever you log in to a system, the key question is always, “Are you who you claim to be?”
Helpdesk workers know the situation: A department head rings up and asks for a new employee to be given all necessary access rights immediately. No-one has previously given a thought to the fact the new IT employee would not only need a workstation on the first day, but also an account with access rights. At that point, everything is set up in a mad rush, and all possible access rights are assigned at the outset – possibly because the new employee’s duties are not yet clear. Subsequently, no-one thinks about adjusting these access rights, and in the end no-one knows precisely which rights were assigned, or why the employee was given them in the first place.
Assigning access rights with no controls
Just as frequently, an employee will change departments or be moved to another position. In most cases they take their access rights with them, even if they are no longer needed. And when employees leave the firm, their access rights are often not rescinded, simply because, in many cases, the administrators who should do so have not been informed about these staff changes.
These examples show that managing digital identities and user data is a major challenge for many companies. There is no overview of which rights are needed, or by whom. Over time, many companies suffer from uncontrolled proliferation because there is no coordination when the user accounts and rights are assigned. It is then a labour-intensive task to standardize and compile access data and rights that are stored in different locations.
Prevent uncontrolled proliferation with Identity and Access Management
Businesses are therefore making increasing use of systems for Identity and Access Management, or IAM for short. An “identity” is a collection of personal attributes that identify an individual person. Depending on the various tasks the employee has, numerous other roles may also be involved. A change of role, if an employee moves to another department, for example, must be accompanied by a change of access rights. IAM systems can prove very helpful in combining these actions. An IAM ensures that personal data is consistent, up-to-date and reliable. An Identity Management System requires many interfaces in a company, e.g. for Access Management, which manages access rights for portals, enables single sign-on (SSO) or manages security policies, for example.
Setting up an IAM is labour-intensive
Make no mistake, introducing an IAM is a labour-intensive undertaking. Despite what some advertising messages may convey, experts look at setting up a functioning IAM system as a long-term activity that may take several years. The first step is to analyse the processes: Who must have access, and to what? This question alone poses major challenges for most companies, but the answers are relevant for more than just access control. Departments such as HR or Accounting should not be overlooked. The trend toward teleworking as a result of Covid-19 and the associated increase in Cloud use is further exacerbating the problem. Policies – guidelines, in other words – are a fundamental component of an IAM, a password policy in particular. Linking roles with duties, responsibilities, privileges and rights to access resources constitutes a key policy element.
The need to listen to the interests and concerns of the parties in question is often forgotten. But failing to include them will lead to problems because working processes have been overlooked, for example. The affected parties will then seek their own solutions and try to bypass access restrictions or make use of their co-workers’ rights, which in turn creates new security problems – and the benefits of having an IAM are lost.
Author: Uwe Sievers
