When people think about securing their network, the term “identity and access governance” (IAG) might not come to mind. Most likely this is because they do not truly know what IAG is or how IAG solutions can be utilized. They might also believe that IAG is a high tech, expensive solution that will make them bust their budget and take years to implement. In actuality, there are many different types of solutions that make up IAG. Organizations are able to pick and choose which solutions work best for them, and solve their security issues, as well as many other problems they may be having.
So what exactly is IAG? Gartner defines IAG as “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IGA addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements. This security practice is a crucial undertaking for any enterprise. Enterprises that develop mature IGA capabilities can reduce their identity management costs and, more importantly, become significantly more agile in supporting new business initiatives.”
So what does this all mean for an organization? Identity and access governance solutions can help beef up security efforts in many different areas of the organization. The following is a list of five exact ways that companies can use IAG solutions to secure their networks.
Simple Single Sign-On
One of the easiest ways to pump up the security at any organization is to use a password solution. A recent survey found that a majority of employees from different backgrounds and various industries have upwards of seven sets of credentials that they need to remember. In addition, these passwords need to be changed every month or so and need to meet certain password requirements, such as having a certain number of characters, use of a symbol, etc. Is it any wonder users write down their credentials? Simply put, the typical individual cannot remember that many advanced sets of usernames and passwords.
One of the easiest solutions to this is a single sign-on (SSO) solution. This allows employees to use a single set of credentials to access all of their connected systems and applications. Almost everyone has heard of SSO, but some organizations are hesitant to implement the solutions or believe they won’t be useful. They feel that giving their employees a single password may increase security issues. In actuality, having one single set of credentials that a user does not need to write down to remember is a lot easier and safer than not. Doing so means employees are far less likely to write down credentials, and they will likely be thankful in the long run for all the headaches and time you saved them.
Advanced Password Security
While SSO adds a layer of security, there is an additional step that can be taken to further increase password security. Two-factor authentication can take single sign-on and add an additional layer to it.
What is two-factor authentication? For organizations that are dealing with highly secure data, instead of requiring end users to enter just a username and password, they are required to log in by presenting a smart card to a reader and entering a PIN code. Combining a smart card and a PIN code ensures strong authentication because it is based on something users have (the smart card) and something they know (the PIN code). This is extremely useful for settings such as hospitals where users need to quickly log in and would benefit from SSO, but still need to ensure that there is a strong security.
Ensuring Roles are Correct
What about ensuring access rights are correct? Organizations need to make sure that only the appropriate people have access to secure data. This can be a daunting task especially for companies with a larger number of employees. Manually checking each employee’s rights is virtually impossible.
Through the day-to-day activity of employees joining or leaving the organization, it is easy to lose track of who has access to what. Accounts are provisioned, credentials are shared, employees are given special access for a project but access is never revoked. It is exceedingly easy to lose track of who has access to what systems and applications.
Organizations need to be able to ensure that each employee has the correct access in a quick and convenient way. One way this can be achieved is through role-based access control (RBAC). RBAC is a technique for implementing authorization management across the organization and involves assigning privileges on the basis of RBAC roles rather than assigning access privileges to individual users. These roles in turn comprise the department, title, location and cost center associated with an employee, ensuring that every employee has access to systems and data that are consistent and appropriate for their role in the organization. So, it can easily be set up so that, as an example, employees with managerial titles will receive certain access rights while assistants receive different access rights.
Revoking Access
One of the biggest security issues that organizations face is when an employee quits or is terminated, and they are inadvertently left active on the organization’s network. More times than not, this task is overlooked since someone has to go into each application and manually disable the user, which can be extremely time consuming.
This is a serious security risk since as ex- employees will still have access to the company’s data and network. There have been many cases where disgruntled employees either reap havoc on their ex-employer’s network or steal important customer data. This issue also commonly takes place when an organization hires either temporary or seasonal employees. With the constant movement of these types of employees it is easy to lose track of whose accounts are active.
With an IAG solution, a link can be made to synchronize the organization’s source system user accounts with network-based user accounts. In many cases, HR systems or CRM are often used as source system. This allows the organization to synchronize and automate their account management between all of their systems and applications.
So, when an employee leaves the organization a manager simply has to disable the employee in the source system and they are automatically disabled in all the connected systems and applications. Additionally, if a manager needs to access certain files in a home directory or desires emails to be forwarded, this work can also be easily transferred to the manager.
Reporting/Audits
Meeting audit and compliance rules and regulations can be extremely annoying. These rules are in place for a reason; they ensure that certain information and data is kept secure, including customer and company data. That being said, it is still a huge annoyance to meet many of these very detailed regulations. An easy way to handle this is to do continuous reporting so that when it comes to audit time all the work does not have to be completed at once.
Many IAG solutions allow for automatic reporting to be set up according to your specifications. For example, a manager can easily generate a report on who has access to a certain system or who is making changes in an application. A web portal can allow a manager to start a workflow process to correct any irregularities that are noted. This also helps when it comes to audit time of the year. Instead of spending days gathering the information for an audit, all of this work is already completed.
These are only some of the ways in which an IAG solution can assist with security at an organization. IAG as a concept has many different solutions that can be beneficial for ensuring that an organization’s network is secure and meets all compliance requirements. Of course, it helps with many other areas, such as productivity, compliance, budget, etc., making IAG solutions extremely beneficial for growing organizations.
By Dean Wiech is managing director, Tools4ever, a global provider of identity and access management solutions.
Bio: Tools4ever’s User Management Resource Administrator (UMRA) includes a complete Identity and Access Management environment. You will benefit from creating, updating and deleting user accounts rapidly and uniformly in a wide range of applications and systems. If desired, this may be delegated to the helpdesk, end users and managers.
About Tools4ever
Tools4ever is the undisputed identity and access management market leader, with more than one million user accounts managed on a daily basis. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control (RBAC), password management, single sign on (SSO) and access management. For more information, visit www.tools4ever.com.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.