For this week’s Discussion, consider that you want senior management to support a new Access Management program at your organization. While this may involve technology-based solutions, your budget may be limited and it is therefore essential that senior management provide support and encourage efficient use of the resources that the organization already has.
- Why is access management critical to today’s enterprise?
- What benefits does an enterprise gain from proper access management?
Dima Dabbas says
Access management is critical to today’s enterprise and it is being used in various technologies in the IT world from single sign-on, multi-factor authentication, password and profile management. Access management helps authenticate users to confirm their identity in order for them to be able to access the appropriate applications and resources. Access management should be based on the least privilege principle in which users are assigned the appropriate privileges that enable them to perform their daily job. An access management system enables users to access the different systems within an organization under a single account. This enables users to not have to keep track of multiple passwords and request permissions to have their passwords updated in case they forget their password. Access management reduces the time, resources and cost needed for support and it provides more convenience to all the users within an organization.
Access management can help protect against security breaches and it can help system administrators be able to automate many of the user related processes. Access management can help organizations audit, track and monitor all the user related activities in a more convenient manner. This can range from the ability to have automated tasks for onboarding employees, access control to systems and application based on roles, and terminating employees. The different elements and factors in access management enable an organization to focus on protecting the organization and creating strong information systems that support the mission and goals of the organization.
Jonathan Duani says
Dima,
You made some really great points in regards to the need for access management. I think the biggest pro within access management and SSO like you talked about is not having to remember multiple different passwords but only remember one complex one. This solution even though it is helpful can also be a pretty large problem. If an attacker would go ahead and gain access to someone’s password then it would be like getting the keys to the kingdom and allow someone to gain access to everything. This is why a lot of companies have elevated accounts to make changes. This is a great security feature to make so that a company doesn’t need to be vulnerable.
Brock Donnelly says
Discussing new solutions in a restricted budget environment can be a sensitive matter and needs to be performed strategically. If a large organization is looking to change or upgrade their access management program then there is a high chance that their current system has a problem, compliance issue or vulnerability. It is important to do so carefully or you may not stress the importance of your goal.
The first step is to acknowledge the situation to your executives. Very briefly describe the issue. Next you must align with senior management in a way that demonstrates you understand their problems at their level. This alignment shouldn’t be extensive. Finally, assure your executives that you have the best solution possible at an expense that is marketably reasonable.
“, We would like a moment of your time to express concern over a major function at our organization. Access management. Access management grants our employees access to our assets at their appropriate levels of authority. When access management fails a user or a malicious party can gain privileges to our files or systems. Keeping conscious of our current budgetary restraints, we would like to present a solution that has fully utilized our current compatible systems within the organization at a reasonable expense.”
Now that you have presented your purpose and defused tension in the room you can now fully present your chosen solution. A solution of this type should demonstrate the CIA triad, type of access controls, authorization and accountability and identity management at a high level. To further express the importance of your new access management program, explain how an expenditure now can avoid future monetary loss through access management failure. Describe how zero change could expose risk to the organization. Relate the risk to real world values such as embarrassment, stock disruption, exposed secrets or customer loss. End by demonstrating your plan for minimal disruption when implementing your new strategy.
Jonathan Duani says
I think access management is so critical in today’s enterprise because they not only protect the systems that are in the organization but also the data. It is important to implement. When you have a system like SSO (Single Sign-On) it will also not only make the system more secure but also make it much simpler to move across systems in the organization. If a company would implement proper access management it not only would increase the security across the organization because the employees would only need to remember one complex password. Since there are many different systems in an organization if you implement proper access management on each and every one when you would implement something like SSO and have proper access control across all the different systems it would greatly reduce the cost of security upkeep and validation because they will all inherit the same properties.
Brock Donnelly says
I used the wrong brackets:
… an expense that is marketably reasonable.
“(Appropriate group salutations), We would like a moment of your time to express concern over a major function at our organization. Access management…
Ahmed A. Alkaysi says
Access management is a fundamental aspect of an organization’s security. Only those that require access to perform their job functions should be granted access to any objects and systems. An organization might think that the biggest risk to the enterprise is outsider threat. However, that is further from the truth. Internal users can be just as, if not more, dangerous to an organization than the outsiders. Another reason access management is critical to the enterprise is the risks that are associated with improper access. For example, data loss is not the only risk to an organization that isn’t implementing proper access management. If access isn’t properly managed, business itself is at risk as those that require access might not have the privileges needed to perform their job duties.
There are many benefits an enterprise can gain from implementing proper access management. One of the greatest benefits is the confidence that access is restricted to only those that require it. This only will mitigate many of the risks associated with improper access management. These risks include data and business loss, reputational harm, regulatory impacts, etc. Part of implementing proper access management includes documenting policies around IAM, provisioning access, and on/off boarding employees. Having these all documented will allow for smooth operation of business functions. For example, when a new employee joins a team, it should be easy for the new employee to be granted access for the roles required to perform the job. If the process and roles weren’t documented, it might delay the employee to get the access necessary to perform the job.
Oby Okereke says
Businesses today are experiencing digital innovations in almost every facet of their business processes and procedures. The old ways of doing things are no longer satisfactory hence the need to keep evolving to meet today’s business needs and objectives.
Access management is one of the essential key areas that has undergone enormous transformations and no wonder it is now being paired up with identity thus IAM – Identity & Access Management. They are often muddled together and quite inseparable and involve the application of the least privilege principle, multi-factor authentication, access reviews etc. Security and regulatory compliance continue to be a huge driving force and enabler with regard to implementing access management in an enterprise.
Access management is a key security control that must be gotten right for an enterprise to protect its crown jewels – Data. Access management ensures that each entity (object/subject) is assigned an identity and is authorized to perform a certain function on an object/subject.
An important question addressed by access management is thus “Does every entity have access to the resources/assets that they require to carry out their job functions?” Another critical question to ask is thus “Is access properly managed via a life-cycle mechanism?” This question ensures that access is revoked when no longer required by an object/subject.
Some of the notable benefits of access management include protection of enterprise critical data by ensuring that only authorized objects have access to data, standardized process of managing user access grants and revocation as well as preventing data breaches by ensuring comprehensive and balanced protection on data storage.
Ahmed A. Alkaysi says
Hi Oby, as you stated, seeing whether or not access has life-cycle management is extremely important. I have seen many instances, working for mature organizations, where the life-cycle hasn’t been managed properly. In some of our access management audits, I have seen users who have been either terminated or switched roles still having access. There needs to be, at a minimum, a semi-annual certification process in place to make sure those that slipped through the cracks still get their access verified.
Steve Pote says
New Access Management programs are needed everywhere. If there is a new program, it is still transforming. There are a lot of new rules.
About a third of the PC toting workforce is consultant or temp of some sort. Employment durations are under five years on average and approaching four. (U.S. Bureau of Labor Statistics). Buying new devices and the infrastructure to support them (specifically here the IAM) doesn’t really have the value that a warehouse did when everyone punched in.
Not to say traditional wired, ~nearly~ physical access and authentication via Windows Domain, LDAP, etc doesn’t remain, but the need to authenticate transient users and their multiple devices suggests that even with a limited budget wireless authentication and access control including external guests is already a necessity, if not the best investment moving forward.
While the influx of devices adds depth in the makes and models that must be supported to some extent, the variety better facilitates multi-factor authentication which in turn allows better control from any location and access built on data consumption needs rather than ~everyone inside the castle is OK~ access.
The penalty for leveraging BYOD is the ~support to some extent~… Best practice would be to offer/implement remote lock and selective wipe functionality, encrypted storage, VPN for devices in contact with private information. Segregating guest users, contractors and staff is more critical and less physical than ever. Each variety of IoT “thing” should be on its own VLAN. Security cameras and printers and HVAC control each becomes a point of access or elevation of rights if not secured against the user in their “driver’s seat”.
Duy Nguyen says
Identity and access management is the process of defining and managing the roles and access of an individual user and the circumstance of which users are granted or denied privileges. The main goal is to grant access to the right individual in the context. Management of these processes is a critical branch in the whole aspect of system security.
Proper access policies safeguard information and information systems by managing who and how critical information is accessed. Proper identity and access management processes can enhance the organization’s productivity and add an additional layer to information security efforts. Access management policy also becomes critical in the event of an incident such as compromised credentials or intrusion. Proper management of credentials guards against compromised credentials and unauthorized access to the enterprise systems. Implementing identity and access management also allows a company to extend access to information and information systems to not just internal users, but also manage external access such as vendors, customers, partners, and contractors.
Ahmed A. Alkaysi says
It’s great that you brought up access management for external users as well. I think this piece is extremely important, but often overlooked. For external users, they would be assigned different roles with different privileges. They should also be granted access to a segregated portion of the network. You don’t want them to get access to all of the intranet, as they are at higher risk of getting their access compromised and might get used to launch attacks from within.
Elizabeth V Calise says
Duy,
I agree with Ahmed. You make a good point about external access which I do not see anyone else mention. Today, I think it is impossible for organizations to not provide access to an external party (vendor, customer, contractor, etc.). It is 100% that a company needs a proper Identity and Access Management especially when it comes to external access. There have been too many occurrences where a company is getting hacked from external source access. As Ahmed mentioned, this is why the assigned privileges and segregated network are a must.
Scott Radaszkiewicz says
When discussing the need for Access Management with senior management, I think it’s crucial to first explain to them what it is, and what it does. To keep it simple I would explain Access Management is a business process, or processes, that allow for the creation, maintenance and use of a digital identity within the organization. What does it do? Access Management is about giving the correct user the correct access to the correct resources for the correct reason, and keeping a record of who has access to what. Now, incorporated into these processes would be a layered security defense that would have a multitude of components. One of these things might include multi factor authentication, a vital layer in access management.
I think senior management would need to understand that the greatest security risk in any organization is the employee. Whether that threat comes from willing, or unwilling compliance. Let’s go back to one of the very first data breaches, the Target data breach. User credentials were stolen from a 3rd party vendor, and used to access Target resources. Had some type of Access Management plan been in place, then this hack could have been prevented. Likewise, if an employee is intent on malicious activity, a solid Access Management plan can help thwart or limit a person from gaining improper access. Having adopted a plan with items like the principle of least privilege, a user could be limited in the amount of harm that could be accomplished.
It’s not just a matter of if an attack will happen, but when will it happen. In today’s digital world, every organization needs a solid and multi layered security plan to help keep the confidentiality, integrity and availability of their technology secure.
Sheena L. Thomas says
I would definitely talk to senior mgmt about the risk of not having an access mgmt solution. I would also provide a numeric number on what the company saves from implementing an access mgmt solution.
Jonathan Duani says
Senior management have a lot of control about implementing access controls across a network and I do agree that a lot of different attacks could have been prevented by proper access controls in an organization. With how things are changing in the cyber security landscape I think that especially now access controls are only the first step in securing an environment. Yes, it will help mitigate a lot of the problems but there are many other solutions that are out there that should be implemented in conjunction to this so that it will work even better.
Sheena L. Thomas says
Access Mgmt solution provides a centralized approach to help companies to properly Identify and authenticate their end users before they access the company’s resources. To enforce the concept of “least privilege” and “need to know” an access mgmt solution will enforce a user to only access resources and/or data pertaining to their job. BizTech Staff provides a simplistic review of why an Access Mgmt solution is critical to enterprises. “Identity and access management is the information security discipline that allows users access to appropriate technology resources, at the right time. It incorporates three major concepts: identification, authentication and authorization. Together, these three processes combine to ensure that specified users have the access they need to do their jobs, while unauthorized users are kept away from sensitive resources and information.
When a user attempts to access a system or data, he or she first makes a claim of identity, typically by entering a username into the system. The system must then verify this claim of identity through an authentication process. Authentication may use basic knowledge-based techniques, such as passwords, or rely upon advanced technologies, such as biometric and token-based authentication. Once a user successfully completes the authentication process, the IAM system must then verify the user’s authorization to perform the requested activity. The fact that a user proves his or her identity is not sufficient to gain access — the system must also ensure that users perform actions only within their scope of authority.
Without a centralized approach to IAM, IT professionals must manage authentication and authorization across a large number of increasingly heterogeneous technology environments. These environments support many different business functions, some customer-facing and some meeting internal requirements. To work effectively in such an environment, the security professionals managing IAM solutions must understand not only business operations but also the ways that access to IT systems enables those operations.” By using an Access Mgmt solution you will improve the provisioning and de-provisioning process, improve the user experience, improve data security, improve auditing, reduce IT cost, and provide a more effective/efficient way to access resources.
https://biztechmagazine.com/article/2016/09/3-reasons-deploy-identity-and-access-management-solution
Dima Dabbas says
Sheena,
You provided a great summary on the importance of IAM and how it works. IAM is critical in today’s world as we advance more in the use of technology in our daily lives. IAM will help provide a layer of protection to identify, authenticate and authorize the appropriate resources to have access to the data and systems. We also need to keep in mind that this layer of protection does not interfere with the user experience and make their lives more difficult. There needs to be a balance between data security and user experience. Using an IAM that is designed to meet the organization’s needs will help reduce the support that can arise from IT as well as provide more security.
Elizabeth V Calise says
Why is access management critical to today’s enterprise?
Access Management is critical because it limits access. The more the organization can limit, the more its data is protected. This then reduces the likelihood of the data getting out. This also reduces the risk of other people (i.e. customer). When you look at it from the healthcare industry perspective, access management reduces the risk of PII data and other health related data being released. Access management is not only critical to the organization, but for the customers as well.
What benefits does an enterprise gain from proper access management?
One benefit the enterprise gains from proper access management is strong reputation. When I say reputation, I mean an organization having proper access management helps stay out of legal issues/avoid lawsuits. It helps avoid paying fines, jail time or being banned from doing certain work. For example, if a company is working on a classified project for the government and there is a data leak due to a weak or no access management, it is very possible for the government to put a halt to the project. Or even worse, say they will no longer endorse contracts (any existing and future).
Another benefit of having a proper access management is avoiding high monetary expenses. All the above I mentioned could cost an organization thousands or possibly millions of dollars.
Scott Radaszkiewicz says
Elizabeth, interesting thought on a benefit of gaining a good reputation from maintaining a strong access management system. It seems like today everyone is getting hacked, and I wonder at what point the mass public will just become desensitized to it. It’s almost like it’s a part of doing business anymore and you don’t question if it will happen, but when it will happen. But I think you’re right, an organization that makes an effort to mitigate the risk will reap a better reputation from it. And reputation is everything!
Elizabeth V Calise says
Scott, this always crosses my mind as well. I have lost count of how many people I have come across and said they have had their information stolen due to X, Y and Z. When they made the comment, it was like it did not even faze them anymore. I have not come across yet that my information has been stolen (fingers crossed – probably has though), but I imagine that if it was, I would go through such a stressful process whether it be bank accounts, credit cards, social security, etc. and the last thing I want to do is go through that process multiple times.
Being hacked is like the norm now and expected.
Jonathan Duani says
Elizabeth,
The government look at this is really interesting to think about. There are multiple different reasons why access controls are important like you said but your example could be the difference between a company staying afloat and going under. Especially government controls where some companies that is 70%+ of their business. I think that no matter what kind of company you have a proper access control model is important.
Dima Dabbas says
Elizabeth,
I did not think of reputation when writing the benefits of IAM but it definitely is one. IAM will reduce the possibilities that improper access is given which can help the organization in maintaining its reputation. If improper access is given, malicious users may have access to critical data that can lead to exposing the organization and therefore destroying its reputation. As you mentioned, IAM can reduce the monetary expenses that can emerge from improper access management.
Frederic D Rohrer says
For this week’s Discussion, consider that you want senior management to support a new Access Management program at your organization. While this may involve technology-based solutions, your budget may be limited and it is therefore essential that senior management provide support and encourage efficient use of the resources that the organization already has.
Why is access management critical to today’s enterprise?
Access management is critical in protecting assets and systems. Access management should encompass the following items in the most simple terms:
– Identify users
– Assign and update rights of users
– Record all interactions
Any organization should implement a comprehensive access management in order to protect themselves from outside and inside attacks. AM systems will also increase efficiency of systems by consolidating many processes into one. User provisioning, login and off-boarding can all be handled from one system.
Privileges are created and granted according to policy and everything is authorized, audited and authenticated. The risk of internal data breaches is reduced and there is greater control of user access across the whole organization. IAM can be automated and regulatory compliance can be built in from the start.
What benefits does an enterprise gain from proper access management?
One major challenge in budgeting for IAM is that there is no immediate financial benefit from such a system. However often workflows will be greatly expedited by IAM enabled mechanisms such as Single Sign On. One significant impact that is often overlooked comes into play during development. Often a good IAM solution can provide all authentication code, decreasing the need for duplicate authentication code.
Dima Dabbas says
Frederic,
You brought up an interesting point about IAM in that it will help record all interactions. Auditing and keeping track of changes to roles and permissions is important as it can help identify the causes of issues when they occur. IAM not only provides a layer of protection by ensuring that the right people have the right access but it also can help reduce the resources and the manual labor that is sometimes performed for these processes. IAM will help organizations automate many processes that will make adding, removing users and roles a much more efficient process.
Jonathan Reid Kerr says
Why is access management critical to today’s enterprise?
Making sure that the right people have the correct level of access has always been important. However, with the rise of new technologies and innovations there are new challenges when it comes to access management. Being able to identify users of systems, their level in the organization, and the appropriate level of access reduces the risk of unauthorized system usage and the harm that it can cause.
What benefits does an enterprise gain from proper access management?
The most notable benefit is reducing the risk that unauthorized individuals will be able to access critical systems and applications. Other benefits may include increased efficiency when it comes to updating a user’s role or stripping one’s access away. If not properly managed, such actions could take longer than necessary and increase risk.
Rommel R. Miro says
Budget for IT or any department will always be limited and any initiative that takes resources will need approval. Highlighting the benefits of the initiative is one way to make the approval process easier. For example, it can be brought up that an Access Management program will provide a more secure environment for the organization while also reducing expenses and cost. This is made possible by the consolidating nature of a Single Sign-On initiative that can decrease the needed hours and manpower needed to maintain multiple systems that would otherwise be independent or free standing on their own without SSO. On the other end of the stage, the end-users would be able to improve their efficiencies by having to only sign-in to a single portal versus multiple sign-ins throughout the day. There will also be fewer passwords to remember and maintain. For a while, one of the consistent requests that we get in HelpDesk are for password resets. Access Management is critical to today’s Enterprise environment from both security and efficiency perspectives. Without an efficient Access Management, passwords would have to be managed manually, complexities may not be standardized across all applications – all of which will require more time from security professionals. On the other hand, efficiencies are gained and a better security posture is obtained when a proper Access Management system is in place in an organization.
Jonathan Duani says
Mel,
I like how you spoke about the different benefits that implementing access controls would help. If you present management who is ultimately in control of the implementation of the controls a cost benefit to implementing them, it should be a no-brainer to the company to complete that. The biggest thing when it comes to management lately I have found is money and their bottom line. If you suggest a significant return on investment with the implementation of these controls it would not only make the manager look good but the whole department.