Imagine a scenario where you have no idea what level of access your network users have on any given server or application. Or perhaps you are managing a complex environment where employees come and go quite often and you have no real idea which accounts are current and which ones are no longer needed. In reality, many businesses both large and small haven’t the slightest idea who has access to what — much less which user accounts are legitimate and which ones need to be removed. It is one of the most predictable IT security risks.
In my seminars and presentations, I am often asked what single tool can provide the greatest bang for the buck and tangible returns on IT investment. I always recommend the numerous identity and access management (IAM) technologies available that can help you gain the necessary control of user accounts.
As an IT or security administrator or manager, you not only have to manage good old-fashioned users, but also their passwords, group memberships and privileges to ensure they have access to the necessary systems to get their work done and nothing more.
These controls are especially important when it comes to the onslaught of industry and government compliance regulations such as PCI-DSS, HIPAA and the more recent HITECH Act. In my expert witness work, I am starting to see more legal cases involving mismanaged users that end up in lawsuits.
IAM is a necessary technology/control for all but the smallest of organizations today. So, if you have more than a few dozen users to manage across just a handful of systems and applications, you are at a crossroads: You can choose to stick with the complex nature of user management and hope something does not go awry; or, you can do something about it by investing in the proper tools to keep users and privileges in check the way they need to be given today’s information system complexities.
Hope is not a strategy — so there is no time better than now to fix this problem once and for all.
By focusing your efforts on identity and access management, you can:
• Streamline and automate business processes to reduce complexity and lower your overall IT and security costs;
• Match identities with roles and permissions to give the people the proper permissions to do their jobs; and
• Enable users to help themselves with account management, which can free up highly paid staff so they can focus their efforts on more strategic areas of IT.
Overall, the complexity of user management will be minimized to the greatest extent possible and, as a result, your information risks will be reduced.
There are numerous vendors that provide identity and access management solutions such as Hitachi ID Systems, Microsoft, NetIQ and Quest Software. Each vendor has its own slight twist in its approach to taking the pain out of the process; however, in essence, they all streamline user provisioning/de-provisioning (adds/removes), facilitate separation of duties, improve audit trails and increase visibility into the network environment.
This centralized insight and control is essential for managing complex networks and can also come in handy during security audits, compliance-related concerns and incident response investigations after security breaches occur.
We have undoubtedly gotten to a point in business where information system complexity has a direct impact on productivity, visibility and security. Success in IT depends on the ability to come up with creative solutions for not only keeping the shop running, but making things better over time. Many vendor solutions that promise enhanced IT processes and better security often fall short, but identity and access management systems can have a tremendous impact in both areas.
Take the time to step back and look at how you are currently managing user accounts and privileges. You will likely find some serious room for improvement. It is just a matter of finding the time and budget to make it happen.
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around minimizing information risks. He has authored/co-authored 10 books on information security including the best-selling Hacking For Dummies currently in its 3rd edition. Kevin is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.