With organizations increasingly focusing on access governance (as they should!), it would be foolish to underestimate the importance of Identity Management. Data on the what, why and when of information access must be complemented by the knowledge of who accesses data—in other words, the identity of the person accessing data. Identity management refers to the process of creating and implementing policies that define roles for every member of the organization (employees and vendors), and their associated privileges and access rights. The level of access that a user enjoys to applications, data, and different parts of the network,are defined by his role and responsibilities, and what he needs to perform his job.
An identity management system helps to automate provisioning, re-provisioning and de-provisioning of users as well, reducing time and effort spent, as well as human error.
Identity management is more than simply governing user access rights. It includes: a) defining enterprise-wide access policies; b) designing reporting mechanisms; c) defining rules-based alerts for when there is an unusual request or when a user tries to access information outside the scope of his role; and d)the regular monitoring of role assignments and changes (when employees move out of the organization, a particular role, or to a different function, and their identity within the organization changes accordingly).
Best practices in implementing an identity management system that can enhance security and compliance
- Establish a single virtual directory of identities that consolidates the multiple directories spread across the enterprise. This is essential to facilitate both the standardization of authentication systems as well as access management and governance.
- Assign access permissions to job roles rather than to the people in those roles.Linking permissions to people who may change their job roles (and thus, responsibilities) or quit the organization could result in privilege creep or orphan accounts if access governance is tardy. Linking permissions to job roles allows for easier long-term identity management.
- Establish a workflow that automates the processes of requesting for and approving access rights. This can make the identity management more efficient. Such a workflow should be complemented by a self-service user interface that offers employees, data owners and business decision-makers a detailed view of identities and associated access rights.
- Since identity management is so closely linked to compliance initiatives, it is imperative to consider the impact of regulatory compliance requirements on identity management systems during the planning stage. Essentially, these requirements will inform the scope of the system.
- It is not advisable for IT to be overly involved in identity management; instead limit their role to developing and implementing the appropriate tools and infrastructure. Essentially, when IT is enabled to grant access based on requests, without the benefit of business context, it will be unable to take an informed call on whether that level of access is appropriate for that particular role.
- Have a strong review process in place. Identities are dynamic, and it is imperative that the organization engage in frequent recertification to ensure that the right people have access to the right data. Continual reviews of identities and their assigned permissions reduce the enterprise’s exposure to risk.
Finally, remember that just like any other aspect of security, identity management too is an on-going, iterative process that does not end with the implementation of a solution.