I started my career in the traditional IT Services space focusing on Small to Medium businesses; so I didn’t understand the excitement around Identity and Access management (IAM) either!
- Identity – An individual or entity (eg. person, computer, or an application)
- Access – The level of privilege an identity is granted in a system
At first glance IAM just seems like a nice way to tidy up and automate: you move all your identities and access rules to one place. All of that time IT spends creating yet another user in the CRM or changing a user’s access level in SAP is no longer required; it’s automated according to the rules you specify; ensuring accounts are created in a timely fashion. It’s a load off IT’s back: when HR creates, updates or removes a user, those changes flow through to all of the other systems automatically. Helpful, but not a hot topic of discussion in the boardroom.
Boards are more interested in ensuring regulatory compliance and reducing the chance of data leaks these risks have made IAM what it is today…
Consider the downsides to manually deactivating employee accounts when they leave; if IT forgets or delays disabling an account (its usually not a priority), the implications for security are enormous. Centrally managing identities allows the automatic deprovisioning of accounts; and automatic removal of privileges.
Orphaned accounts are another major issue: IT often creates accounts for testing and temporary use and they are often forgotten; not to mention stealth accounts created by hackers trying to get in! IAM handles this via reconciliation, ensuring that only the accounts and access that should exist do.
A well setup IAM system will ensure that employee roles are distributed in a way that prevent fraud and errors; this segregation of duties is key to reducing risk.
It’s very easy for managers to forget to remove or reduce access when employee changes are made; regular attestation can be setup to ensure that people have only the access they require.
In many industries compliance regulations and audits require organisations to know who approved access and in the case of high privilege accounts, record what the employee did; IAM solutions enable this type of compliance and
Remembering that October Is Cyber Security Month, data theft and associated risks are ever more becoming an important topic of conversation and Identity and Access governance needs in today’s complex and IT-centric organisations can no longer be postponed until ‘next year’.