What would happen if access management disappeared overnight and we had to cope the next day without it? What impact would this have on an organization and its information systems? Let’s have a quick look at this scenario.
In its purest form, access management is about access. This could be both physical access (entry into premises or a specific area in a building) and logical access (access to systems, applications, printers, shares etc.). Access management is often named in combination with identity management, and these two concepts are closely interrelated.
Authentication
In identity management, the user proves that they are who they claim to be. This is called authentication. The most common means of authentication is entering a username and password combination. A stronger form combines something the user knows (a password or PIN) with something they hold or are, such as a user pass, mobile phone, token or fingerprint. This is a strong type of authentication.
Authorization
Authorization plays a role alongside authentication. Authorization determines the content to which a user has access in the network. This content might be systems, applications, printers, shares, etc. Where authentication is still reasonably simple, authorization can often be a complicated business, because the access rights – and thus also the content – should vary with the user’s identity (function, role and location in the organization). We call the relationship between the individual (the user) and the content access management: the authenticated identity determines the authorizations. Only in this way can it be guaranteed that users don’t hold too many rights and don’t get to information which is not intended to be visible to them.
Information security
It is directly apparent from this that a risk would arise if access management disappeared. It would mean that every user could access any content, which is highly undesirable from an information security perspective. For example, a hospital needs to be able to guarantee that patient details can only be accessed and changed by the relevant care providers. In the financial world, account balances being known to all, or everyone being able to perform a transaction, must be prevented. In the corporate market it’s not necessary for all users to be able to access everyone else’s HR details, and if this were allowed it would almost certainly breach data protection laws in many countries. If access management did not exist, none of the above could be guaranteed. Without access management there would also no longer be any control or oversight over which access rights an employee actually holds, and whether these still match what was originally specified.
Physical access
As already mentioned, access management also covers physical access. If access management disappeared, there would also no longer be any control over physical access. For instance, everyone in an organization would have access to the server room, and all care providers would have access to all the areas in a hospital, even an operating theatre or the pharmacy. Naturally, this is an unreasonable situation.
Legislation and regulations
Access to the company network normally begins with entering a username and password, or scanning a user pass. If there were no longer any access management and it was no longer necessary to log in with a personal network account, access to the company network could only be achieved with a generic account: one username and password used by all employees. To save valuable time this is how it sometimes worked in hospital outpatient departments in the recent past, but most hospitals want to move away from this system, because with a shared account exactly who performed what action in a patient file is not visible and cannot be discovered afterwards, contrary to a requirement laid down by legislation and regulations. Other sectors too must comply with legislation and regulations – think, for example, of Sarbanes-Oxley for the financial sector.
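The three points above (authentication identifies the person, authorization varies with role and location, and a shared generic account destroys the audit trail) in a small runnable form. This is an added example, not code from the original post; the policy, wards, usernames and the hospital scenario are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: (role, ward) -> actions permitted on patient records
# held on that ward. Anything not listed is denied by default.
POLICY = {
    ("nurse", "ward_a"): {"read"},
    ("physician", "ward_a"): {"read", "write"},
    ("physician", "ward_b"): {"read", "write"},
}

@dataclass(frozen=True)
class User:
    username: str   # identity established by authentication (personal account)
    role: str       # function in the organization
    location: str   # ward the user is assigned to

@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    ward: str

def is_authorized(user, record, action):
    """Authorization follows from role and location, not from the login alone."""
    if user.location != record.ward:
        return False
    return action in POLICY.get((user.role, record.ward), set())

def access_record(user, record, action, audit_log):
    """Enforce the decision and record who (the authenticated user) did what."""
    allowed = is_authorized(user, record, action)
    audit_log.append((user.username, action, record.patient_id, allowed))
    return allowed

def who_wrote(audit_log, patient_id):
    """Names that successfully changed a patient file, per the audit trail."""
    return {who for who, act, pid, ok in audit_log
            if pid == patient_id and act == "write" and ok}

if __name__ == "__main__":
    log, rec = [], PatientRecord("P-1001", "ward_a")
    print(access_record(User("a.jansen", "physician", "ward_a"), rec, "write", log))  # True
    print(access_record(User("b.smit", "nurse", "ward_a"), rec, "write", log))        # False
    print(access_record(User("c.devries", "physician", "ward_b"), rec, "read", log))  # False: wrong ward
    print(who_wrote(log, "P-1001"))  # {'a.jansen'}
    # Generic shared account: three different people, one name in the trail.
    for _ in range(3):
        access_record(User("outpatients", "physician", "ward_a"), rec, "write", log)
    print(who_wrote(log, "P-1001"))  # {'a.jansen', 'outpatients'}: individuals lost
```

The last line is the compliance problem the paragraph describes: once several people share one account, the audit trail can no longer say which of them changed the file.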
Licensing costs
If end-users had uncontrolled access to all resources, that would mean they also had access to all the applications used in an organization. This would put significant pressure on licensing costs. Licensing fees are made up of the relatively lower charges for bulk software, and the higher charges for software which is only used by a smaller group of employees in the organization, for example Microsoft Visio and Adobe. If all end-users in an organization could use all applications without the approval of a (licensing) manager, the costs for unnecessary licences would quickly escalate. Just try doing a quick calculation for your organization.
Commercial interests
There are commercial organizations that have a great deal of interest in authenticating users, for example publishers or a company like LinkedIn. These organizations may offer some of their content free of charge, but for a far larger part of their content the user must be able to authenticate themselves and pay. If there were no access management, there would no longer be any ability to draw a distinction between free and paid content.
These are a few examples of the issues which might arise in a world without access management. And, of course, any number of other scenarios could be devised. A world without access management would certainly be a world with a lot of concerns.