Identity security is often viewed from a technology perspective. However, the voices of business stakeholders, those who use identity and access management (IAM), also need to be heard.
To get this insight, the Identity Defined Security Alliance (IDSA) and Dimensional Research surveyed more than 300 HR professionals, who oversee workers who join, move within, or leave the organization; sales representatives, who represent the business teams and are concerned about productivity and the sensitivity of the data accessed; and support teams, who handle access requests and deletions and resolve access issues. These employees are responsible for setting up, managing, and deleting identities from the system, and they have a unique perspective as stakeholders.
Challenges Stakeholders Face with IAM
Identity security starts with identities. Adding and removing identities on the corporate network doesn’t happen overnight, but it shouldn’t take a week or more either. However, nearly three-quarters of respondents said it takes a typical worker at least a week to access the required systems, while one in five sales managers said it can take a month or more to revoke access. Employees without access impact productivity; former employees who maintain access create risk.
Why does deleting identities from the system take so long? Over the course of a job, an employee can accumulate multiple, complex identities. Not all identities are connected to the local directory. Some are administrator-level backdoor accounts. Revoking a worker's identity company-wide can be hit or miss if there aren't robust management systems in place. There have been situations where former employees continued to have access without anyone's knowledge until the company had a data breach. For example, the cybercriminal group responsible for the Colonial Pipeline ransomware attack used the password of an active but unused VPN account.
The theft of data and proprietary information is also a major concern, especially during the offboarding process. More than half of sales managers said they had former employees who stole information when they left the company. Yet only 38% said an employee exhibiting suspicious behavior at work would be fired immediately. There needs to be a faster response to bad behavior, restricting access when there are red flags. An automated process provides that faster response, and it also allows the employee to show their innocence in the event of a dispute. More importantly, the culture around security needs to change, but the technology also needs to be in place.
From a cybersecurity perspective, employees who don't have access reduce the risk. But from a business productivity perspective, not having employees up and running quickly hurts the business. This inability to onboard effectively reflects a lack of integration between products. Regardless of the software used, the key is to have an automated workflow from the moment the employee joins the company. In addition to properly preparing materials, other best practices include:
- Automate provisioning and deprovisioning in tandem with business processes. This reduces the number of manual access changes and provides all the benefits of IAM programs.
- Have an access governance committee (even if it's a small group of executives across key stakeholders; likely HR, IT, security, and legal) or strong policies that allow for an expedited onboarding process.
Processes and Room for Improvement
It is difficult to manage access accurately without a clear line of accountability. Sometimes it's HR, but other times it's IT. When multiple departments are involved and own access to the system (and 78% said they have more than one department in this process), it can lead to decision-making conflicts, delays, or even over-provisioning of access.
One approach is to delegate an owner through an access governance committee. This committee provides a unified voice for identity management and is composed of stakeholders responsible for creating identity and access policies and enforcing those policies across the organization. With one voice, the committee would set access policies and define metrics to measure performance against identity-related goals. The data involved should be a deciding factor in who is considered an IAM stakeholder. For example, if the data being accessed is financial, someone from the finance department should be the decision maker.
The growing number of CISOs taking ownership of IAM programs shows the importance of identity security. This should guide security teams' efforts to work closely with business stakeholders to streamline account access in a way that maintains employee productivity and eliminates forgotten and inactive accounts. Identity-centric security enables business and technology players to protect the organization against identity-based cyberattacks.