The report card for businesses’ ability to prevent security breaches and control access to applications and IT services is less than stellar. Even in the continuing environment of potential cyberattacks and data leaks, businesses are still creating opportunities for compliance violations, for employees to have access to applications out of their work purview, and for employees who have left an organization to still have access to proprietary company files.
Lack of effective identity management and access controls really begins at day one, when a new employee onboards at an organization. A recent study of more than 400 IT professionals found 85% of employees do not have all the resources they need on their first day on the job. In fact, 38% of IT professionals report it takes between two and four days to get a new employee everything they need to do their job, while 27% say accomplishing this goal can take more than a week. This encourages violations as fellow employees or managers may be tempted to share access and passwords in order to get the employee up and running. It also causes employee dissatisfaction, leading the person to wonder if the company is tech-savvy enough for their expectations.
Similar access governance and compliance issues occur throughout the employee’s entire identity lifecycle, as employees move to different positions in the organization, and after they have left. Only about half of the survey respondents were confident that access rights were accurately removed or revised as an employee changed roles. Offboarding employees was also a concern: nearly half of IT respondents said they were only somewhat confident a former employee could no longer access critical data or systems.
On the same subject of offboarding, a comprehensive study on identity and access governance by Enterprise Management Associates (EMA) confirmed the benefits of being diligent in removing access after an employee leaves. The study reported that only about 43% of organizations periodically review the time it takes to disable the accounts of terminated employees, yet the businesses that did regularly perform this review had the highest success rate for discovering policy violations.
There clearly is room for improvement in access governance. The EMA study found that, on average, one out of every five business users violates identity and access policies each year, and 85% of businesses are affected by a policy breach annually. Organizations can help reduce these policy breaches and improve data security by instituting identity and access governance practices, incorporating policy-based access controls and integrating automation for faster detection and response.
Identity Management Practices
An automated, secure identity management system can help prevent unauthorized access throughout the employee’s identity lifecycle as well as make onboarding more efficient, reducing the need for new employees to borrow passwords in order to start their job functions. Here are aspects of a modern enterprise-wide identity and access governance system:
- Integrating Automation.
The identity study found 54% of respondents say their organization manually makes changes in access rights as employees change roles, while 37% use a combination of some automation and manual processes, and only 9% leverage full automation. Successfully transitioning away from manual-driven processes takes clearly defined, documented processes, so that standards exist for how HR onboards using an automated solution, how managers request access changes, and how employees request access control. All these functions and more must be defined, since guesswork does not work with automation. Once these standards are in place, however, an automated identity management solution will enable far more efficient onboarding and more powerful control over making sure individuals have only the applications they need to be productive.
- Self-Serve Efficiency.
With better access controls, and automation as the foundation, line-of-business managers can also activate resources for their team. Individual employees can self-serve from an available menu – greatly enhancing workflow efficiency and providing a more satisfying, productive environment for employees.
- Cross-Team Cooperation.
IT and security teams are starting to work more closely to integrate identity governance and administration with privileged access management systems. Those with higher access clearance are a cyber target since they are connected to the most valuable assets. Mindful of compliance regulations, organizations need to work toward tighter integration, further ensuring control over privileged and non-privileged accounts, and quickly revising access as people’s roles change.
- Automated De-Provisioning.
Tighter integration between IT and security will enable the quick revocation of privileges and access to assets when an employee leaves or is terminated. With automation, IT can return services and revoke access immediately once an employee is offboarded. Using a real-time dashboard as part of an identity management solution, IT and security can immediately see who has left the organization, as further protection against risk.
- Conducting Regular Audits.
EMA notes, “There is a direct correlation between the frequency of identity and access governance audits and an organization’s ability to detect policy violations. Monthly audits provide the optimal frequency for effectively identifying policy violations that incur excess efforts and costs.” While the correlation between monthly audits and policy violation detection is established, the EMA study found only 27% of survey respondents indicated they conducted governance audits at least once per month, indicating that the remaining 73% of businesses are failing to identify the vast majority of policy violations. The key to improving this audit frequency is automation. As the EMA study found, businesses that had implemented automated processes were conducting audits far more frequently.
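The de-provisioning review and recurring audit described above can be automated as a reconciliation of the HR termination feed against a directory export. The following is an added example, not taken from the article or either study; the field names, sample records and 24-hour disable window are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data: HR termination feed and a directory export.
HR_TERMINATIONS = [
    {"employee_id": "e1001", "terminated_at": "2024-03-01T17:00:00"},
    {"employee_id": "e1002", "terminated_at": "2024-03-04T12:00:00"},
    {"employee_id": "e1003", "terminated_at": "2024-03-05T09:00:00"},
]
DIRECTORY_ACCOUNTS = [
    {"account": "asmith", "employee_id": "e1001", "enabled": False, "disabled_at": "2024-03-01T17:20:00"},
    {"account": "bjones", "employee_id": "e1002", "enabled": False, "disabled_at": "2024-03-07T12:00:00"},
    {"account": "clee", "employee_id": "e1003", "enabled": True, "disabled_at": None},
    {"account": "svc-clee-report", "employee_id": "e1003", "enabled": True, "disabled_at": None},
    {"account": "dkim", "employee_id": "e1004", "enabled": True, "disabled_at": None},
]

def audit_offboarding(terminations, accounts, now, sla=timedelta(hours=24)):
    """Reconcile HR terminations against directory accounts.

    Returns (findings, median_hours_to_disable). Every account owned by a
    terminated employee is checked, so secondary accounts are not missed.
    The 24-hour SLA default is an assumed policy value.
    """
    term_by_id = {t["employee_id"]: datetime.fromisoformat(t["terminated_at"])
                  for t in terminations}
    findings, lags = [], []
    for acct in accounts:
        terminated_at = term_by_id.get(acct["employee_id"])
        if terminated_at is None:
            continue  # owner is not in the termination feed
        if acct["enabled"] or acct["disabled_at"] is None:
            # Access is still live: exposure runs up to the audit time.
            findings.append((acct["account"], "STILL_ENABLED", now - terminated_at))
            continue
        lag = datetime.fromisoformat(acct["disabled_at"]) - terminated_at
        lags.append(lag.total_seconds() / 3600)
        if lag > sla:
            findings.append((acct["account"], "DISABLED_LATE", lag))
    return findings, (median(lags) if lags else None)

if __name__ == "__main__":
    found, med = audit_offboarding(HR_TERMINATIONS, DIRECTORY_ACCOUNTS,
                                   datetime(2024, 3, 8, 9, 0))
    for account, status, lag in found:
        print(f"{account:18} {status:14} {lag.total_seconds() / 3600:.1f}h after termination")
    print(f"median time to disable: {med:.1f}h")
```

Tracking the median alongside the individual findings gives the time-to-disable figure that the EMA study says fewer than half of organizations review.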
Establishing Identity Security
Looking at the results of these two studies, it is clear organizations can do more to make their environment more productive for employees, their proprietary data and systems more secure, and their IT and security processes more efficient. Bringing automation into the fold, from an employee’s first day and throughout the identity lifecycle, is a good place to start. Then, by adding automation to ongoing access controls and greatly improving audit frequency, organizations will have a more powerful foundation from which to prevent new cyber threats.