In an increasingly connected world, Identity and Access Management (IAM) is more important than ever to ensure that the right users are given access to key organizational data and resources, while maintaining efficiency and compliance.
Most companies face the same issues because of weaknesses in their Identity Management systems:
- 80% of popular retailers found that 4 out of 5 users have unnecessary access (overentitled users).
- 30% or more of all accounts are orphan accounts (a potential threat).
As a result, many companies have started using products that support Identity Lifecycle Management. All identities need to be created, maintained over time (for example, the job title changes when someone is promoted) and retired when people leave the organization. A team of people is needed to maintain all the changes to identities and to grant the right accesses to each user.
It seems easy to manage this on a small scale, but it is very challenging on a large scale, so Identity Management products have been introduced to make it easier.
An Identity Management solution implements an automated lifecycle process for all users in order to reduce manual work and avoid potential threats.
The functionality of these solutions includes administration of accounts, passwords, access requests, access provisioning and entitlement management.
To manage access control, it is necessary to preserve communication between Technical and Business Managers. A lack of communication can lead to confusion, overentitled users and security vulnerabilities. Managers handle entitlements, so they have to understand the language of permissions (which should be a business language). This issue can be solved by providing each permission with a meaningful description.
Furthermore, defining roles as boxes containing basic permissions helps companies with identity management by reducing the number of entitlements that have to be assigned to users and controlled by Business Managers.
Identity Management is the first step of the “Identity and Governance Evolution”. Its set of functionalities has expanded to include some features that characterize the second step: Identity Governance.
Identity Governance is the evolution of Identity Management and it includes a new concept of risk (based on Segregation of Duties), access certification, role engineering, role management, reporting and analytics.
The new functionalities included in Governance focus on:
- Access certification (access review): an activity performed by the Line of Business (LoB). LoB managers take part in access management: they have to check whether all permissions assigned to users are still needed. This allows companies to remove unnecessary user accesses, reducing security vulnerabilities and potential threats.
- These solutions pay particular attention to the risk linked to users. A risk is the probability of a vulnerability being exploited times the cost/impact of the consequences. In Governance solutions the risk is linked to Segregation of Duties (SoD): a user is allowed to perform two (or more) activities that conflict with each other (for example, requesting purchase orders and approving purchase requests).
- Roles are no longer considered fixed containers; the role lifecycle concept was introduced to manage the building and the “cleaning” of the entire role system. The Identity Governance system provides features to help with the building process: role discovery and engineering to figure out which accesses should be included in a role and what the best way to set up the role system is.
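The three points above (orphan accounts, roles as boxes of permissions, and SoD risk) can be illustrated with a small Governance check. The following is an added example, not code from the article or from any product it describes; the roles, accounts and permission names are constructed sample data, and the only SoD rule is the article's purchase-order example.

```python
# Added example (not from the original article): a toy Identity Governance
# check over constructed data. Roles are "boxes" of basic permissions, users
# are assigned roles, and a Segregation-of-Duties (SoD) rule names two
# permissions that one person must not hold at the same time.

# Constructed sample data: role -> set of basic permissions.
ROLES = {
    "purchaser": {"po.request", "catalog.read"},
    "approver": {"po.approve", "catalog.read"},
    "reader": {"catalog.read"},
}

# Constructed sample identities: account -> (roles held, still employed?).
ACCOUNTS = {
    "alice": ({"purchaser"}, True),
    "bob": ({"purchaser", "approver"}, True),  # holds both sides of the SoD conflict
    "carol": ({"approver"}, False),            # left the company, account never retired
    "dave": ({"reader"}, True),
}

# SoD rules: pairs of permissions that conflict (request vs. approve purchases).
SOD_RULES = [("po.request", "po.approve")]


def effective_permissions(account, roles=ROLES, accounts=ACCOUNTS):
    """Union of the permissions of every role the account holds."""
    held_roles, _ = accounts[account]
    return set().union(*(roles[r] for r in held_roles))


def sod_violations(roles=ROLES, accounts=ACCOUNTS, rules=SOD_RULES):
    """Accounts whose effective permissions contain both sides of an SoD rule."""
    found = []
    for account in accounts:
        perms = effective_permissions(account, roles, accounts)
        for first, second in rules:
            if first in perms and second in perms:
                found.append((account, first, second))
    return found


def orphan_accounts(accounts=ACCOUNTS):
    """Accounts whose owner has left the organization but which were never retired."""
    return sorted(acct for acct, (_, employed) in accounts.items() if not employed)


if __name__ == "__main__":
    print("SoD violations:", sod_violations())    # bob: po.request + po.approve
    print("Orphan accounts:", orphan_accounts())  # ['carol']
```

In a real access review the LoB manager would receive these two lists (plus each account's effective permissions) and confirm or revoke each entitlement.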
The “Identity and Governance Evolution” foresees a third step (the Analytics step), which studies user behaviour in order to improve security and the Identity Management system of all companies.
Author: Serena Mancini