Part 2 of the Improving Your Security-Efficiency Balance Series:
One of the primary challenges organizations wrestle with in identity governance is how to achieve the right balance in their company between security and efficiency. In Part 1 of the Improving Your Security-Efficiency Balance Series, we examined the unique balancing act organizations face when it comes to user access. In this blog, we will examine practical ways you can create this balance to ensure access is only given to those users who absolutely need it. Let’s take a look at six key ways to help you reach a practical balance between these priorities, so you can enable access that is necessary for your organization to remain competitive in today’s business environment and be confident you are managing access risks appropriately. Striking the right balance ultimately comes down to adopting a comprehensive, strategic, and intelligent approach to identity governance and administration in your organization.
1) Automate Provisioning Around the User Lifecycle
One way to increase the balance between security concerns and the desire for user efficiency is to automate provisioning actions based on the user’s lifecycle within an organization. This typically starts during the user’s first relationship with an organization as a job applicant or employee, and concludes with the user separating from the organization. In between these events are multiple changes and access requirements that must be managed closely.
The first step in the user lifecycle is onboarding. This is where a new employee, or a non-employee like a contractor or vendor, receives initial accounts and access to appropriate systems and applications. Once onboarded, a user may need new or different access when transferred. This occurs typically when an employee changes job roles, moves to a new department, or reports to a new manager. And finally, the last part of the user lifecycle is when an employee leaves the organization, either voluntarily or through termination. For the latter, accounts should be quickly and automatically disabled, preventing any opportunity for employees to retain access to data upon their departure from the organization.
Automating provisioning around the user lifecycle truly enables employees to be productive on day one rather than waiting around for access. It also decreases the reliance on IT resources and increases security by reducing risk associated with manual provisioning mistakes. At the very least, when provisioning automation is not practical or feasible, automated workflow and access policies for requesting, approving, tracking, and auditing should be deployed. This is where a role-based approach to developing these access policies often works best.
2) Adopt a Role-Based Approach
Another effective way to improve balance is by leveraging role-based access policies. Think of a role as a collection of access privileges typically defined around a job title or job function. Using roles, organizations have solid, predefined, and preapproved access policies in place, and know specifically which access privileges each person needs. Embracing a role-based approach simplifies identity governance and administration, and aids organizations particularly as they grow and change—whether through individual changes across the user lifecycle, seasonal additions to the workforce, or more institutional changes, like mergers and acquisitions.
3) Leverage a One-Stop Shop for User Access
Even with well-defined roles to make onboarding and institutional changes more effective, secure and efficient, additional access and ad-hoc changes are always ‘the norm.’ To also make this effective, a centralized portal to complete access requests and approvals should be deployed. Providing a one-stop shop for users to request additional access ensures employees go through proper channels, and reinforces that proper approval and fulfillment policies are followed. A centralized system makes it really easy for users to request access across various applications. And it also provides consistent and business friendly methods to request that access. Another advantage of a one-stop shop is the consistent audit trail of requests and approvals, providing organizations with an updated status of each access request.
4) Conduct Frequent Access Reviews
Frequent access reviews or certifications are another key area for improving the balance between security and efficiency. Within the climate of regulatory compliance and security, it’s imperative to review user access periodically. Access reviews must be simple and easy to manage so managers do not just rubber stamp their approvals. Rather than a manual process where organizations pass around spreadsheets among reviewers, a more intelligent, visual solution is a must-have to group like-access privileges together. This enables managers to understand which users have access to specific systems, and which users are outliers in their privileges. After all, an easier review process leads to greater accuracy, improved reporting, and greater adoption within the organization.
5) Take Advantage of Automated Micro-Certifications
Since the time between new provisioning and an organization’s next audit or review process can be fairly lengthy, it is important to have a set of controls that can quickly identify anomalous access, especially when that access violates an important policy, such as segregation of duties or privileged access. This can be done through the use of micro-certifications. This means that when an access event is triggered where an employee may have new or different access and entitlements than what is expected, or gains access through an outside process, commonly referred to as out of band, a manager or business application owner will be alerted and can perform an access review immediately associated with the risk event. This significantly reduces insider threats and also enables organizations to meet regulatory compliance, while allowing for business exceptions that might be necessary.
6) Enforce Strong Password Policies
Few employees today remember to change their passwords that were originally provided, so it is important to have frequent mandatory password resets. It is also important to maintain password policies that enforce complexity and non-reuse rules. However, the problem with these resets is that employees may forget their updated passwords, requiring additional IT resources to support a reset. That is why it’s important to have a strong self-service password solution that enables users to securely reset passwords on their own. Leading password reset solutions allow users to also unlock their accounts through self-service mechanisms. A variety of password reset options, such as a mobile reset application or telephone-based keypad resets, Windows Credential Provider and voice biometrics, help increase user adoption rates, while maintaining a secure reset channel. This frees up helpdesk time and allows IT teams to work on more strategic initiatives.
The Real Impact of Intelligent Identity Governance on Security and User Efficiency
When organizations effectively leverage an intelligent identity governance and administration program using these six strategies, they will ultimately gain greater balance between improving organizational security and enhancing individual productivity. From automating and centralizing access approvals to meeting ever-increasing auditor demands, leading-edge IGA solutions from Core Security empower companies—even those restricted by limited resources—to become more secure and more efficient, and to gain confidence that the right people have the right access levels to the right systems at the right time.