Provisioning systems often include identity management capabilities. This allows control and organization of what can be a major problem area for a lot of companies, namely the management of access rights and passwords across multiple systems. When security auditors ask a company’s IT management for a list of all key computing resources and details of which staff have access to which resources, it is often impossible to produce a definitive list because the information is spread across the internal access control lists of many different servers running a multitude of operating systems. A corporate inability to accurately list the components of someone’s electronic identity makes auditing difficult and will hinder investigations if a system is hacked.
Identity Management software allows companies to define roles which correspond to job functions, and then by assigning staff to one or more roles their access rights to multiple systems can be easily granted, revoked or changed with ease. By providing the ability to report on users’ access rights, and to cross-reference these via customized reports, identity management software can alert companies to potentially dangerous or even illegal situations before they arise. For example, an employee who has access to the procurement system for placing orders should be prevented from subsequently being granted access to the system which issues payments to suppliers, in order to prevent fraud caused by an employee setting up a bogus company. Identity Management software can warn against such cases, even if access to the second system is granted many years after the first.
Identity Management solutions also generally have facilities to allow users to automatically request password resets, thus freeing the help desk staff from the expensive and time-consuming tasks of dealing with users who have forgotten their passwords.
Top Tips for managing Joiners, Leavers and Movers
1. Some joiners request access to internal systems before their official start date, in order that they can start introducing themselves by email. This is inadvisable, as the employee probably won’t have signed all his contracts yet and thus will not be governed by the company’s IT Conditions of Use or Acceptable Use Policies.
2. If key clients and external partners are given access to your company’s network, ensure that each registered user has a unique username so that their actions can be tracked and logged. If such a user changes employer or job function, consider whether their access is still relevant. For example, their new employer might be a competitor of one of your company’s external divisions.
3. If an employee changes roles within the company, examine the systems to which they have access and consider how this needs changing. Promoting an employee doesn’t necessarily mean that they still require access to all of the systems they were previously entitled to use.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.