Identity Governance and Administration (IGA) is a complex and growing set of solutions that are put in place to help your organization stay compliant with government or industry regulations and, perhaps more importantly, help secure your organization.
However, with every new solution, there are a host of new problems. In working with our IGA customers, we keep seeing certain problems emerge so, in this blog, we will address the top three struggles of an IGA solution that we see most often.
1. Managing Third-Party Contractors
It’s the Wild West when it comes to managing access rights for contractors. Employees are much easier to manage because they are managed through your HR team. You know when a user leaves so you know when to remove their access. However, with contractors, there is rarely a repository of users which makes it twice as difficult to manage their access. They leave and no one processes their termination or disables their accounts. This results in a lot of orphaned accounts which, as we learned last time, is a big security risk.
How do you solve this? Contractors and other third-party users rarely get put into your human resources solutions because they are not full-time employees. This can cause you to lose track of their access to your network. If you don’t have a record of them leaving the company, do you have a reminder to correctly de-provision them? You can solve this issue by putting them into your IGA solution instead. Not only will this solve the issue of visibility but it will also remind you, based on your governance rules, to re-certify them which will keep their access current and avoid the chance of orphaned accounts.
2. Length of Time for Access Reviews
Of course, you want to do more access reviews. The more you review the information, the more chances you have to ensure that everyone has least privilege access. However, most organizations are only doing the required annual access review because of how time-consuming their current process is. The process includes getting data from system owners, splitting the data up into a spreadsheet for each reviewer, the reviewer goes through the spreadsheet making decisions, and then finally someone has to put all of the spreadsheets back together and put tickets in for the ones where the access should be removed. To further complicate things, you have managers who don’t have the time or energy for this step so they just approve everything. This rubber stamping process gives you inaccurate reviews leading to increased security gaps.
How do you solve this? Make things easier for your reviewers. In a previous blog, Security So Easy a Sales Guy Can Do It, we talk about this very topic. Lengthy spreadsheets and the growing number of entitlements only stretches the certification process and leads to certification fatigue and rubber stamping. Give your users the tools necessary to do their job correctly and more efficiently. Not only will you receive a lower number of inaccuracies because of the lack of rubber stamping but you will see these reports take less time so that you can conduct more access reviews and continue to enforce least privilege access.
3. Visibility into Access
Let’s face it, people don’t have an issue getting access, but losing it is another story. Users that are with an organization for a very long time and change jobs over there employment never lose any of their previous access. So, most of your tenured employees have way too much access. To exacerbate the problem, most organizations rely on mirroring existing user’s access for new users.Now the new user is way over privileged. How do you see these over privileged accounts? Or the orphaned, nested or hidden accounts?
How do you solve this? The traditional approach has you worrying if the roles you created were provisioned correctly in the first place. Or you have to search through spreadsheets and rely on managers, who don’t have security as their top goal, to reinforce certifications. Solving this issue is done through visual grouping. Having a system that allows automatic grouping of like entitlements. This will show you roles overlaid onto current access as well as show you outliers which fall outside of the role they are provisioned for. This will help you quickly pick out the users with the incorrect access and speed up de-provisioning them.
While these are only three problems, hopefully, you now have three less to solve for your organization. If you don’t have an IGA solution and are looking to start, let us help.