Still chasing the User Access Express?

Post by Glenn Folkes, Regional Sales Director

In many organisations the term ‘identity’ no longer applies to just employees and contractors. Valid identities now also include partners, vendors, customers and IoT devices: basically anyone or anything that can access your systems at any point in time.

This increase in the scale and method of access has created an ‘identity crisis’ for many companies. I’m going to paint a picture: in this scenario the organisation’s current management systems are unable to report on who has access to critical systems at the moment that information is needed. Which means critical access risks remain invisible and can reach further than anyone realises.

The longer access risks are invisible, the greater the chances you are going to be breached.  

The reality is that many businesses rely on manual processes to understand and review user access. No surprise then that a simple statement like ‘We just need to do a UAR for the Claims Processing System’ creates a lot of complexity.

Apart from a number of valid technical questions, there is always one doozy that follows: ‘How did we do this last time?’ It is no surprise that even today a substantial amount of security knowledge is stored only in people’s heads, and the person who holds it is inevitably unavailable, out of the office or on leave when it’s needed.

If we don’t know how we did it last time, we’ll most certainly be doing it a different way this time.

Security models inevitably vary between systems, and in-house applications are rarely designed for external administration. The stream of dense, technical security data that follows ensures that there will be several iterations of data extraction before we get the right set for this UAR. The problems compound as we attempt to correlate security data with actual people.

15 iterations of spreadsheets later, we are all set for the access review of the Claims Processing System. At this point the baseline data is unfortunately aged, and reviewers are making security decisions based on inaccurate information. This is what we call Compliance Theatre, and it’s only tolerated because organisations routinely struggle to provide accurate user access information.

While organisations continue to rely on manual processes and out-of-date access data, they will never have an accurate user access baseline. It follows that they should also be questioning the adequacy of their overarching security controls.

The reality is that many businesses lack the tools to identify and baseline user access, to understand their risks and to target their security controls.

Once you have a user access baseline in place, you can create the overarching policies or rules around how you want to assign access, and then monitor and track the usage of your applications.

This is key, as the whole point of gathering this information in the first place is to improve security and compliance outcomes. A process to continually monitor and assess your baseline information is therefore critical, because this information changes regularly; manual processes will fall apart within a few weeks as they become too hard to control and turn into a full-time job.
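As an added illustration (not code from the original post or its author), here is the correlation and baseline-monitoring step in Python: a constructed export from the Claims Processing System is matched against a constructed HR roster and diffed against the baseline agreed at the previous review. Every account id, role, name and status below is made up for the example.

```python
import csv
from io import StringIO

# Constructed sample export from the Claims Processing System (not real data).
CLAIMS_EXPORT = """account,role
e1001,claims_adjuster
e1001,payments_approver
e1002,claims_adjuster
svc_batch,claims_admin
e1003,claims_viewer
"""
# Constructed HR roster: the "actual people" the security data is correlated with.
HR_ROSTER = {
    "e1001": {"name": "A. Adjuster", "status": "active"},
    "e1002": {"name": "B. Handler", "status": "left"},  # leaver whose account survived
    "e1003": {"name": "C. Auditor", "status": "active"},
}
# Constructed baseline from the previous review: account -> roles approved then.
PREVIOUS_BASELINE = {
    "e1001": {"claims_adjuster"},
    "e1002": {"claims_adjuster"},
    "e1003": {"claims_viewer", "claims_reporter"},
}

def load_export(text):
    """Parse the system export into account -> set of roles."""
    access = {}
    for row in csv.DictReader(StringIO(text)):
        access.setdefault(row["account"], set()).add(row["role"])
    return access

def review(access, roster, baseline):
    """Correlate access with people and diff it against the last baseline."""
    findings = []
    for account, roles in sorted(access.items()):
        person = roster.get(account)
        if person is None:  # account with no matching person in HR
            findings.append(("no_owner", account, sorted(roles)))
        elif person["status"] != "active":  # owner has left, access remains
            findings.append(("inactive_owner", account, sorted(roles)))
        added = roles - baseline.get(account, set())
        if added:  # entitlement drift: roles granted since the last review
            findings.append(("new_since_baseline", account, sorted(added)))
    for account, roles in sorted(baseline.items()):
        removed = roles - access.get(account, set())
        if removed:  # approved roles that have since disappeared
            findings.append(("removed_since_baseline", account, sorted(removed)))
    return findings

if __name__ == "__main__":
    for finding in review(load_export(CLAIMS_EXPORT), HR_ROSTER, PREVIOUS_BASELINE):
        print(*finding)
```

Re-running this against each fresh export is the continual assessment the paragraph describes; the findings list is what a reviewer acts on, rather than a fifteenth spreadsheet.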

It is common to feel like you’re “chasing the train” when it comes to knowing who has access to your critical information and systems. Where do I start? What data will I need? And how can I change my manual processes?

As always, I’d be happy to help you handle these issues.