I recently talked with a CISO (Joe) at a financial organization about his Identity and Access Management program. Joe had recently invested heavily in a new provisioning implementation, and was starting to doubt that the implementation was going to resolve his access control concerns.
Like many others in his position, Joe hired a consultant when he was told that his access controls were not sufficient. The consultant pulled a page out of the IAM 101 playbook and said, “Install a provisioning system.” The advice seemed to make sense. After all, his access controls needed help, and what better way to get a handle on them than to take the human element out of the access provisioning process?
The issue Joe faces is a common one. In fact, most of the Fortune 500 clients I have talked to in the last year are investing heavily in the Identity and Access Management section of their security program. Most of them are investing to solve access control issues. The problem is that they are often investing in a solution without understanding their problem.
In fact, the dirty little secret is that provisioning access is typically not the issue these companies are facing. Most of them are facing an access management problem because the average user has too much access. This access is often accumulated over time as the employee moves from job to job, and when a manager or resource owner reviews access, they rubber-stamp their approval, or let it go because they do not understand what the access allows. After all, it is an IT Security problem, right?
Wrong! Access management is a business issue. If a privacy breach occurs, imagine how the agent for the business would sell it: “Yes, Mr. Customer, I understand we lost your social security number, but we can do a much better job managing your life savings.” Inappropriate access is a huge business issue. The trick to solving the access issue is not in fixing the provisioning process, but in getting the business engaged enough to understand who has access to what, and how important it is to remove that unnecessary access.
In most cases, a business needs to do a better job of reviewing access. There are several products out there now to help them do this effectively. Most of these systems are fed access reports, in a plain text format, from several systems. The access information is aggregated, combined with business definitions (a glossary), and then pushed to the appropriate person to review. These systems offer great benefit over the traditional Excel spreadsheet because they formalize the process and make it repeatable, something the process owner (typically the CISO or their staff) can count on. Better yet, the accountability is shifted back to where it belongs: the business. If someone has inappropriate access, the auditor can discuss the issue with the right person, the HR manager or the resource owner, rather than the information security staff.
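To make the workflow above concrete, here is an added example (not code from the original post or from any vendor product) of the core of such an access review tool in Python. It ingests plain-text access reports from two constructed source systems, aggregates them per user, joins each entitlement with a constructed business glossary that names the owning reviewer, and flags entitlements that do not match the user's current job according to a constructed HR feed, which is exactly the job-to-job accumulation the post describes. Every user, group, role, owner and glossary entry is invented for illustration; the glossary miss path shows the caveat that an entitlement with no business definition cannot be judged by a business reviewer and falls back to the security team.

```python
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Constructed access reports, one per source system, in the plain-text (CSV)
# shape such a tool is typically fed. All names are invented.
AD_REPORT = """user,group
jdoe,FIN-AP-Approvers
jdoe,HR-Payroll-Admins
asmith,FIN-AP-Clerks
asmith,LEGACY-SHARE-RW
"""
CORE_REPORT = """user,role
jdoe,WIRE_RELEASE
asmith,ACCOUNT_INQUIRY
asmith,WIRE_RELEASE
"""

# Constructed business glossary: (system, entitlement) -> (plain-language
# meaning, business owner who must review it). Note LEGACY-SHARE-RW is absent.
GLOSSARY = {
    ("ad", "FIN-AP-Approvers"): ("Approve accounts-payable invoices", "ap.owner"),
    ("ad", "FIN-AP-Clerks"): ("Enter accounts-payable invoices", "ap.owner"),
    ("ad", "HR-Payroll-Admins"): ("Change employee payroll records", "hr.owner"),
    ("core", "WIRE_RELEASE"): ("Release outbound wire transfers", "treasury.owner"),
    ("core", "ACCOUNT_INQUIRY"): ("View customer account balances", "ops.owner"),
}

# Constructed HR feed: each user's current job, and the access that job is
# expected to carry. Anything outside this set is accumulated or unexplained.
HR_CURRENT_JOB = {"jdoe": "AP Manager", "asmith": "AP Clerk"}
EXPECTED_FOR_JOB = {
    "AP Manager": {("ad", "FIN-AP-Approvers"), ("core", "WIRE_RELEASE")},
    "AP Clerk": {("ad", "FIN-AP-Clerks"), ("core", "ACCOUNT_INQUIRY")},
}

@dataclass(frozen=True)
class ReviewItem:
    user: str
    system: str
    entitlement: str
    description: str
    owner: str
    flag: str  # empty when the access matches the user's current job

def parse_report(system, text, column):
    """Read one system's plain-text report into (user, (system, entitlement)) pairs."""
    return [(row["user"], (system, row[column])) for row in csv.DictReader(StringIO(text))]

def aggregate(*reports):
    """Combine the per-system reports into one view: user -> set of entitlements."""
    access = defaultdict(set)
    for report in reports:
        for user, entitlement in report:
            access[user].add(entitlement)
    return dict(access)

def build_review_items(access):
    """Join each entitlement with the glossary and compare it with the user's job."""
    items = []
    for user, entitlements in sorted(access.items()):
        job = HR_CURRENT_JOB.get(user, "unknown")
        expected = EXPECTED_FOR_JOB.get(job, set())
        for system, entitlement in sorted(entitlements):
            key = (system, entitlement)
            if key not in GLOSSARY:
                # No business definition: a reviewer cannot judge it, so it goes
                # back to security to get defined rather than being rubber-stamped.
                description, owner = "UNDEFINED: no business description", "security.owner"
                flag = "no glossary entry; reviewer cannot judge it"
            else:
                description, owner = GLOSSARY[key]
                flag = "" if key in expected else f"not expected for current job '{job}'"
            items.append(ReviewItem(user, system, entitlement, description, owner, flag))
    return items

def route_to_reviewers(items):
    """Group review items by the business owner who is accountable for them."""
    queues = defaultdict(list)
    for item in items:
        queues[item.owner].append(item)
    return dict(queues)

def flagged_items(items):
    return [item for item in items if item.flag]

if __name__ == "__main__":
    access = aggregate(parse_report("ad", AD_REPORT, "group"),
                       parse_report("core", CORE_REPORT, "role"))
    for owner, queue in route_to_reviewers(build_review_items(access)).items():
        print(f"== review queue for {owner}")
        for item in queue:
            print(f"  {item.user:8} {item.system}/{item.entitlement:20} {item.description}"
                  + (f"  [FLAG: {item.flag}]" if item.flag else ""))
```

Run as a script, it prints one queue per business owner, with each line in the reviewer's own vocabulary rather than raw group names, and with the accumulated payroll access and the unexplained wire-release role marked for attention. The design choice worth noting is the split between flagging (a mechanical comparison against the HR feed) and deciding (left to the named owner), which is what keeps accountability with the business rather than the security staff.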
Before you go out and buy that shiny new provisioning system to solve your access management problems, make sure you really understand what your problem is. If you are not trying to solve a throughput issue or an accuracy issue, I would bet there are other solutions out there that would better suit your situation.