All posts by deanwiech

Why combining access governance with authorisation management is key to identity success

In virtually every organisation or university, data is stored on multiple file servers throughout the network, often in a somewhat haphazard or random structure. Access to the data is likely just as unstructured and may put the organisation at risk by allowing employees access rights where none are required. Managing access to this unstructured data is incredibly difficult, resulting in a significant challenge when the time for an IT audit rolls around.

There are ways to bring order to this chaos: keep an audit trail, make every access permission visible, and obtain recommendations on how to structure and restrict access for optimal security. File-activity monitoring software can record every action a user performs on the file server. When a user modifies, deletes, copies or moves a file, a detailed record of who did what in the file system, and when, is readily available.

The same technology provides an overview of all access rights: what rights a given user has or, conversely, which users have access to a particular file and how often, if ever, they exercise those rights. Finally, it can regularly collect and categorise all unstructured data and the access rights per user, and from that recommend which rights should be cleaned up to keep the network structured and compliant.

Gartner estimates that more than 80 percent of business information is stored in an unstructured manner. The associated risk can be devastating if the wrong person accesses sensitive information for nefarious purposes. Authorisation management technology drastically reduces the complexity of managing this access. Without it, there is no reliable way to verify that the data is effectively secured.

Authorisation management software provides direct insight into the access privileges that apply to the file system, whether they come from group memberships in Active Directory, from ACLs or from access granted directly to the user. It also provides an audit trail of the actions each employee has performed on which file, in which directory and at what time. Further, it allows a manager to determine how a user came to have access to a folder or file: was it through an Active Directory group, or via some other route that may not be appropriate?
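To make the "how did this user get access, and do they ever use it?" question concrete, here is an added example (not code from the original post or from any product it describes). It resolves a user's effective rights on a share by walking nested group membership, reports whether each grant comes from a direct ACL entry or from a group chain, and then joins the result with a file-activity audit trail to flag grants that have never been exercised. The ACLs, group tree, audit log, folder and group names are all constructed sample data.

```python
"""Resolve how each user obtains access to a share and whether they use it.

Added illustration, not the page's or any vendor's code. The ACLs, group
tree and audit log below are constructed sample data; the folder and group
names are assumptions for the example.
"""
from collections import deque

# Constructed sample: folder -> list of (principal, rights) access control entries
ACLS = {
    r"\\fs01\finance": [("GRP-Finance", "Modify"), ("bob", "FullControl")],
    r"\\fs01\hr": [("GRP-HR", "Modify")],
}

# Constructed sample: group -> direct members (users or nested groups)
GROUPS = {
    "GRP-Finance": {"alice", "GRP-Finance-Temps"},
    "GRP-Finance-Temps": {"carol"},
    "GRP-HR": {"dave"},
}

# Constructed sample audit trail: (user, action, folder)
AUDIT_LOG = [
    ("alice", "modify", r"\\fs01\finance"),
    ("alice", "read", r"\\fs01\finance"),
    ("dave", "read", r"\\fs01\hr"),
]


def membership_paths(user):
    """Return {group: path} for every group the user belongs to, directly or
    through nesting. path is the chain user -> ... -> group (shortest chain,
    since the walk is breadth-first; the 'not in paths' check also stops
    cycles in the group tree)."""
    paths = {}
    queue = deque()
    for group, members in GROUPS.items():
        if user in members:
            paths[group] = [user, group]
            queue.append(group)
    while queue:
        child = queue.popleft()
        for parent, members in GROUPS.items():
            if child in members and parent not in paths:
                paths[parent] = paths[child] + [parent]
                queue.append(parent)
    return paths


def effective_access(user):
    """List (folder, rights, how) for the user; 'how' explains the grant."""
    paths = membership_paths(user)
    grants = []
    for folder, aces in ACLS.items():
        for principal, rights in aces:
            if principal == user:
                grants.append((folder, rights, "direct ACE"))
            elif principal in paths:
                grants.append((folder, rights, "via " + " -> ".join(paths[principal])))
    return grants


def unused_grants(user):
    """Grants the user holds but has never exercised according to the audit trail.
    These are the first candidates for clean-up."""
    used = {folder for who, _, folder in AUDIT_LOG if who == user}
    return [g for g in effective_access(user) if g[0] not in used]


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, effective_access(who), "unused:", unused_grants(who))
```

In a real environment the three constructed tables would be populated from the file server's ACLs, the directory's group objects and the file-activity log; the resolution and join logic stays the same.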

Authorisation management is the latest component of the broader access governance, or identity and access management, umbrella. Automating operations and managing compliance and audits through access governance is now vital to an organisation's security. Identity management solutions on their own do not give visibility across every system; the authorisation management component supplies that visibility.

You can easily spot accounts where excessive access or access creep has occurred and have the information needed to resolve potential issues. IT leaders or departmental managers can perform periodic account reviews and make informed decisions about who should retain, lose or be granted access to applications or data sets. Access governance also gives an overview of every system available, from which the information can be drilled down to a granular level.

In so doing, you can review the accounts on a particular system or application, or examine an individual employee and review their access to various resources. Access governance also tackles stale accounts, orphan accounts and shared accounts for which no single individual can take ownership and responsibility.

Access governance, when enhanced with authorisation management, allows IT leaders to conduct on-demand security audits to ensure that network resources are accessible only to people with a bona fide reason. As access governance and authorisation management become more tightly integrated, organisations gain the ability to peer into every aspect of their network operation, creating unprecedented visibility with which to protect company data from outside hackers and from employees with less than honourable intentions.

Access governance and the cloud: Security and organisational insight are the bottom line

How does access governance apply to the cloud? While cloud applications have become standard in many organisations, governing access to them has not yet become standard practice.

Access governance helps organisations of all sizes in every industry by ensuring that each employee has the correct access to the systems they need to perform their jobs while keeping the company's data and network secure. It allows organisational leaders to manage accounts and access easily and to ensure that access is correct. This works by setting up a model of precisely the access rights for each role in the organisation, for every employee no matter where they may be based.

To provide a bit more detail, access rights are defined for specific roles in each relevant department. Each employee's rights should then be derived from that role model, not copied and pasted from another employee with a similar job function. Cloning a colleague's account is common in organisations where many employees do much the same work, such as manufacturing and healthcare, but it should be avoided: the copied account carries along every extra right the colleague has accumulated.

Checks and balances in access rights

Access governance means you can correct or populate access rights according to a model you have established for your departments or teams. An access matrix, listing which role needs access to which systems, is a valuable tool when building that model. Reconciliation is another way to keep access rights in check: it compares how access rights should be set up according to the model with how they actually are, and reports any differences found. Any account or access right that does not match can then be corrected.

Attestation is yet another form of checking access. A report is forwarded to the managers of a department for verification, so they can confirm that all users and their rights are accounted for and that everything in the report is correct. The manager reviews each right and either marks it for deletion, marks it for immediate change or confirms it as is. After examining all of the rights, the manager gives final approval for the proposed set of changes.

During the course of employment it is extremely common for an employee to receive too many rights, or to acquire access rights while working on projects. These rights are often never revoked once assigned; access is frequently overlooked or not considered important enough to take away. What if one of your employees still has access to a solution that only certain other employees are assigned to use? The access governance concept allows you to provide and monitor access across the entire organisation, covering both in-house solutions and cloud resources.

Organisational access can be easily monitored through the use of access governance technology. Here's why this is important. The typical access process goes a little something like this: a new employee is hired in the human resources department as a senior recruiter and needs accounts and resources created so he or she can begin work. The employee then automatically receives, for example, a Coupa cloud account, PeopleSoft access, the ability to open the department's shared drive and an email address. At this point the employee should be ready for work.

For those that employ access governance technology to monitor what goes on in their organisation, the process continues like this: rules are created to review the access rights of employees in each manager's department, and a review is conducted of who has what and why. The same goes for employees who move into new roles or are newly hired. Then, if access is no longer required following the completion of a project or a change of role, the manager or other departmental leader can tag the access for revocation and have it removed automatically right away. A multi-level manual process is replaced by a single click, and all of the employee's access to a specific system, or to all systems, can be revoked. That's the added value of a security measure.
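The reconciliation, attestation and joiner/mover/leaver steps described above fit together as one small engine, shown here as an added example (not the post's own code or any vendor's product). It compares a snapshot of actual entitlements with what the role model says each active employee should have, flags excess, missing, leaver and orphan entries, and then turns the manager's attestation decisions into grant, revoke or documented-exception actions. The role model, HR feed, access snapshot and user names are constructed sample data; the application names follow the post's senior-recruiter example.

```python
"""Reconcile actual entitlements against a role model, then apply attestation.

Added illustration, not the page's or any vendor's code. The role model,
HR feed and access snapshot are constructed sample data; entitlement strings
use an assumed "system:permission" form.
"""

# Role model (the access matrix): role -> entitlements every holder should have
ROLE_MODEL = {
    "HR/Senior Recruiter": {"coupa:user", "peoplesoft:recruiter", "share:hr-dept", "mail:mailbox"},
    "Finance/Analyst": {"peoplesoft:finance", "share:finance", "mail:mailbox"},
}

# HR feed: user -> (role, employment status)
HR_FEED = {
    "alice": ("HR/Senior Recruiter", "active"),
    "bob": ("Finance/Analyst", "active"),
    "carol": ("Finance/Analyst", "terminated"),
}

# Snapshot of what the connected systems actually grant today
ACTUAL = {
    "alice": {"coupa:user", "peoplesoft:recruiter", "share:hr-dept", "mail:mailbox", "share:project-x"},
    "bob": {"peoplesoft:finance", "mail:mailbox"},
    "carol": {"peoplesoft:finance", "share:finance", "mail:mailbox"},
    "mallory": {"share:finance"},  # no HR record at all: an orphan account
}


def reconcile(role_model=ROLE_MODEL, hr_feed=HR_FEED, actual=ACTUAL):
    """Return findings as (user, entitlement, finding) tuples.

    finding is one of: 'excess' (held but not in the role model), 'missing'
    (in the model but not held), 'leaver' (held by a non-active employee) or
    'orphan' (held by an account with no HR record)."""
    findings = []
    for user, held in actual.items():
        if user not in hr_feed:
            findings += [(user, e, "orphan") for e in sorted(held)]
            continue
        role, status = hr_feed[user]
        if status != "active":
            findings += [(user, e, "leaver") for e in sorted(held)]
            continue
        expected = role_model.get(role, set())  # unknown role: everything is excess
        findings += [(user, e, "excess") for e in sorted(held - expected)]
        findings += [(user, e, "missing") for e in sorted(expected - held)]
    return findings


def apply_attestation(findings, decisions):
    """Turn findings into actions (action, user, entitlement).

    decisions maps (user, entitlement) -> 'keep' for excess rights the manager
    reviewed and approved; those become documented exceptions rather than
    being revoked. Leaver and orphan findings are never kept, and missing
    birthright access is granted automatically."""
    actions = []
    for user, ent, finding in findings:
        if finding in ("leaver", "orphan"):
            actions.append(("revoke", user, ent))
        elif finding == "missing":
            actions.append(("grant", user, ent))
        elif decisions.get((user, ent)) == "keep":
            actions.append(("document-exception", user, ent))
        else:
            actions.append(("revoke", user, ent))
    return actions


if __name__ == "__main__":
    report = reconcile()
    for line in report:
        print("finding:", line)
    # The manager keeps alice's project share as a reviewed exception.
    for action in apply_attestation(report, {("alice", "share:project-x"): "keep"}):
        print("action:", action)
```

Running the reconciliation on a schedule and feeding its output into the attestation step is what turns "access is frequently overlooked" into a report a manager has to sign off; anything they do not explicitly keep is revoked.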

Why the cloud needs access governance

As more employees work from remote locations, the number of users of cloud applications grows with them. Access governance strategies can be employed to secure these applications for employees who are not working in the physical corporate office or organisational facility.

Business leaders have many types of applications to manage and many employee roles, because of how teams are formed in current organisations. Employees may be based abroad, working from home, travelling or just working off site, all of which affects access governance and how technology is used and accessed in each of these situations.

Organisational leaders who invest in the cloud and build their companies on it may wish to add access governance technology to improve the security of their information while allowing employees to remain productive wherever they may be. Plus, and this is the bottom line for any security professional, you'll be able to see who is doing what, when and where with your information, no matter where they happen to be.

Access and identity governance in the cloud: Problems and solutions

Cloud application usage has grown steadily over the past five years as organisational IT leaders have realised the benefits of implementing it. This is also, in part, because of the major increase in remote employees, who need applications in the cloud to be able to work. Cloud applications have many obvious benefits to an organisation, such as improving efficiency, reducing costs and improving security.

Once these applications are implemented, though, organisational leaders often soon realise that managing accounts for cloud applications can be a headache. Just as with in-house applications, account admins need to be able to efficiently provision, change and disable accounts, as well as manage passwords and ensure the network is secure.

How is cloud account management different from managing in-house applications? These two types of applications often need to be handled differently since they have different requirements; what works with an in-house application may need to be altered to work with a cloud application. So what are some of the issues organisations have with managing cloud applications, and how can they be resolved?

Manual actions

Manual account management in any type of application is time consuming. Admins must manually enter data and create accounts in each application for a new user, which also leads to errors. For cloud applications, providers often try to mitigate this by offering a web-based admin console that managers can use to control access to the application directly. Provisioning is rarely automatic, however, so the admin still has to perform a sequence of manual operations to create each account and assign access rights for a new user.

While it is a headache for the account admin, it is equally as frustrating for the end user. For example, think of a remote employee, who needs accounts created for them. The process of doing so often takes several days to manually create all appropriate accounts, or to add additional access rights. Without the proper accounts or access rights the employee simply cannot begin work, and remains unproductive.

Security

When an organisation begins to use several different cloud applications it becomes difficult to ensure that the correct people have the proper access to them. Users may have access to systems and applications that they should not, leaving the company’s data unsecured. Over time, employees are often granted access for a project, for example, and the rights are never revoked.

Additionally, it needs to be guaranteed that cloud application access is disabled once an employee leaves the organisation. This step is often overlooked since a manager needs to manually disable the employee in each application that they have access to.

Naming and password conventions

Conventions governing naming standards and passwords are often inconsistent between network and cloud applications, and that inconsistency is itself a problem. On the network a user ID might be based on the login name, while in the cloud it might be the email address. This complicates exchanging user account details between the environments.

The same applies to passwords. When very complex passwords are required in the corporate network, a cloud application may not accept passwords of that length or character set. The cloud application may also require a different password expiration period than the corporate network.

Cloud management solutions

These are just some of the reasons why an organisation needs a solution that works seamlessly in-house as well as with cloud applications. As the identity and access management (IAM) industry grows, it is apparent how helpful these solutions can be for organisations that use cloud applications. They allow managers or account admins to easily manage cloud applications for employees throughout the organisation.

IAM solutions that allow for automated account management can drastically reduce the need for manual actions. Many solutions that work with in-house applications also can be set up to work seamlessly with cloud applications. This allows an HR employee or manager who is creating accounts for a new employee to easily check off which accounts need to be created for both in-house and cloud applications and the accounts will automatically be provisioned in near real time. This process allows for accounts to be created quickly and easily, so that end users don’t need to wait around for the access that they need. This also allows a manager to easily disable the accounts of an employee who has left the organisation, which ensures security of the network and data. Admins simply disable the user account in the solution and all connected accounts are automatically disabled.

To handle additional security issues, IAM solutions offer several approaches. A manager can easily generate a report that shows exactly who has access to what, as well as any changes they are making in that system. Many solutions also support workflow management. With workflow management and self-service, employees and managers themselves can request, review and approve access without any IT intervention. For example, an employee may request access to an application, a project or a set of reports. The approval process is part of a structured workflow: the manager either authorises the request, and it is implemented immediately in the network, or denies it, and the employee does not receive access. This not only dramatically improves efficiency but also assists with security, because when an employee requests additional access or a new account it is ensured that the correct people are granting the permission.

An automated solution also helps with the differing naming and password conventions. IAM solutions can enforce a standard naming convention across all applications while still guaranteeing uniqueness when more than one employee has the same name. Additionally, a single sign-on solution can mitigate the password complexity issues: the user logs in once with a single set of credentials and is automatically authenticated to each application. An SSO application can also routinely reset the application password in the background, or prompt the user to do so, when it expires.
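The naming-convention problem above (a login name on the network, an email address in the cloud, and duplicates whenever two employees share a name) is easy to get wrong by hand, so here is an added example of the generator an IAM solution would apply (not the post's own code or any vendor's product). It derives both identifiers from one normalised base value, strips diacritics so the result is portable between systems, adds a numeric suffix on collision, and keeps that suffix inside the network login even when the name has to be truncated. The 20-character limit is the Active Directory sAMAccountName limit for user accounts; the mail domain and the set of already-used names are assumptions.

```python
"""Derive consistent, unique identifiers for network and cloud accounts.

Added illustration, not the page's or any vendor's code. The 20-character
limit is the Active Directory sAMAccountName limit for user objects; the
mail domain and the reserved-name set are constructed assumptions.
"""
import re
import unicodedata

SAM_MAX_LEN = 20  # Active Directory sAMAccountName limit for user accounts
MAIL_DOMAIN = "example.com"  # assumed domain for the cloud-side identifier


def _ascii_slug(text):
    """Lower-case, strip diacritics and drop anything but ASCII letters/digits."""
    decomposed = unicodedata.normalize("NFKD", text)
    ascii_only = decomposed.encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def generate_ids(first, last, reserved):
    """Return (network_login, cloud_email) derived from one base identifier.

    base is initial.lastname. On collision with anything in `reserved` a
    numeric suffix is appended; the suffix is placed inside the length limit
    of the network login so that truncation can never hide it. Both new
    identifiers are added to `reserved` so later calls stay unique."""
    base = f"{_ascii_slug(first)[:1]}.{_ascii_slug(last)}"
    n = 1
    while True:
        suffix = "" if n == 1 else str(n)
        cloud_id = base + suffix
        network_login = base[: SAM_MAX_LEN - len(suffix)] + suffix
        if cloud_id not in reserved and network_login not in reserved:
            break
        n += 1
    reserved.update({cloud_id, network_login})
    return network_login, f"{cloud_id}@{MAIL_DOMAIN}"


if __name__ == "__main__":
    used = {"j.smith"}  # constructed sample of names already taken
    print(generate_ids("John", "Smith", used))               # collides with j.smith
    print(generate_ids("Zoë", "Müller-Lüdenscheidt", used))  # diacritics, 20-char base
    print(generate_ids("Zak", "Müller-Lüdenscheidt", used))  # suffix must fit in 20
```

Because the cloud address is always `<cloud_id>@domain` and the network login is a length-limited view of the same `cloud_id`, an account found in one environment can be matched to the other without a separate lookup table.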

Conclusion

Though very beneficial, cloud applications can also present many account and password management issues for companies of every size. IAM solutions have evolved over the years and now allow organisations to seamlessly manage both in-house applications, as well as any cloud applications that the organisation may want to implement. This allows the organisation to get all the benefits of using cloud applications without having to deal with the many management and password headaches.