printer friendly version

Identity and access governance

When people think about securing their network, the term identity and access governance (IAG) might not come to mind. Most likely this is because they do not truly know what IAG is or how IAG solutions can be used. They might also believe that IAG is a high-tech, expensive solution that will make them bust their budget and take years to implement. In actuality, there are many different types of solutions that make up IAG. Organisations are able to pick and choose which solutions work best for them, and solve their security issues, as well as many other problems they may be having.

Dean Wiech

So what exactly is IAG? Gartner defines IAG as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAG addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements. This security practice is a crucial undertaking for any enterprise. Enterprises that develop mature IAG capabilities can reduce their identity management costs and, more importantly, become significantly more agile in supporting new business initiatives.”

So what does this all mean for an organisation? Identity and access governance solutions can help beef up security efforts in many different areas of the organisation. The following is a list of five ways that companies can use IAG solutions to secure their networks.

Simple single sign-on

One of the easiest ways to pump up the security in any organisation is to use a password solution. A recent survey found that a majority of employees from different backgrounds and various industries have upwards of seven sets of credentials that they need to remember. In addition, these passwords need to be changed every month or so and need to meet certain password requirements, such as having a certain number of characters, use of a symbol, etc. Is it any wonder users write down their credentials? Simply put, the typical individual cannot remember that many advanced sets of usernames and passwords.

One of the easiest solutions to this is a single sign-on (SSO) solution. This allows employees to use a single set of credentials to access all of their connected systems and applications. Almost everyone has heard of SSO, but some organisations are hesitant to implement the solutions or believe they won’t be useful. They feel that giving their employees a single password may increase security issues.

In actuality, having one single set of credentials that a user does not need to write down to remember is a lot easier and safer than not. Doing so means employees are far less likely to write down credentials, and they will likely be thankful in the long run for all the headaches and time you saved them.

Advanced password security

While SSO adds a layer of security, there is an additional step that can be taken to further increase password security. Two-factor authentication can take single sign-on and add an additional layer to it.

What is two-factor authentication?

For organisations that are dealing with highly secure data, instead of requiring end users to enter just a username and password, they are required to log in by presenting a smartcard to a reader and entering a PIN code. Combining a smartcard and a PIN code ensures strong authentication because it is based on something users have (the smartcard) and something they know (the PIN code). This is extremely useful for settings such as hospitals where users need to quickly log in and would benefit from SSO, but still need to ensure that there is a strong security.

Ensuring roles are correct

What about ensuring access rights are correct? Organisations need to make sure that only the appropriate people have access to secure data. This can be a daunting task especially for companies with a larger number of employees. Manually checking each employee’s rights is virtually impossible.

Through the day-to-day activity of employees joining or leaving the organisation, it is easy to lose track of who has access to what. Accounts are provisioned, credentials are shared, employees are given special access for a project but access is never revoked. It is exceedingly easy to lose track of who has access to what systems and applications.

Organisations need to be able to ensure that each employee has the correct access in a quick and convenient way. One way this can be achieved is through role-based access control (RBAC). RBAC is a technique for implementing authorisation management across the organisation and involves assigning privileges on the basis of RBAC roles rather than assigning access privileges to individual users. These roles in turn comprise the department, title, location and cost centre associated with an employee, ensuring that every employee has access to systems and data that are consistent and appropriate for their role in the organisation. So, it can easily be set up so that, as an example, employees with managerial titles will receive certain access rights while assistants receive different access rights.

Revoking access

One of the biggest security issues that organisations face is when an employee quits or is terminated, and they are inadvertently left active on the organisation’s network. More times than not, this task is overlooked since someone has to go into each application and manually disable the user, which can be extremely time consuming.

This is a serious security risk since an ex-employees will still have access to the company’s data and network. There have been many cases where disgruntled employees either reap havoc on their ex-employer’s network or steal important customer data. This issue also commonly takes place when an organisation hires either temporary or seasonal employees. With the constant movement of these types of employees it is easy to lose track of whose accounts are active.

With an IAG solution, a link can be made to synchronise the organisation’s source system user accounts with network-based user accounts. In many cases, HR systems or CRM are often used as a source system. This allows the organisation to synchronise and automate its account management between all of its systems and applications.

So, when an employee leaves the organisation a manager simply has to disable the employee in the source system and they are automatically disabled in all the connected systems and applications. Additionally, if a manager needs to access certain files in a home directory or desires emails to be forwarded, this work can also be easily transferred to the manager.

Reporting/audits

Meeting audit and compliance rules and regulations can be extremely annoying. These rules are in place for a reason; they ensure that certain information and data is kept secure, including customer and company data. That being said, it is still a huge annoyance to meet many of these very detailed regulations. An easy way to handle this is to do continuous reporting so that when it comes to audit time all the work does not have to be completed at once.

Many IAG solutions allow for automatic reporting to be set up according to your specifications. For example, a manager can easily generate a report on who has access to a certain system or who is making changes in an application. A Web portal can allow a manager to start a workflow process to correct any irregularities that are noted. This also helps when it comes to audit time of the year. Instead of spending days gathering the information for an audit, all of this work is already completed.

These are only some of the ways in which an IAG solution can assist with security in an organisation. IAG as a concept has many different solutions that can be beneficial for ensuring that an organisation’s network is secure and meets all compliance requirements. Of course, it helps with many other areas, such as productivity, compliance, budget, etc., making IAG solutions extremely beneficial for growing organisations.

Share this article:

Further reading: