Role Based Provisioning and Access Control Discussion Part 1
November 1, 2012The key business drivers that make identity management important are financial discipline, operational risk and compliance with legal and regulatory requirements.
Organizations survive in the face of many risks, including market risk and operational risk. Market risk includes for example, investing in products that do not meet the needs of the customers or where competitors provide better or cheaper products. Operational risk covers aspects such as processes being vulnerable to theft, fraud, disruption or mismanagement.
Better management of the way in which employees, partners and customers are identified and their access is controlled and audited can mitigate some of these operational risks.
Although hacker and virus attacks are well publicized, the insider remains the greatest threat to an organization in terms of potential to cause financial loss. One of the main reasons for this is that the insider understands the organizations systems and is hence able to spot and exploit any weaknesses. Another is that they have physical access to systems and this is often poorly managed.
In order to reduce the risk of identity credentials being stolen and used by people other than their rightful owner, many organizations have security policies that mandate the use of passwords which are changed frequently, for example every 30 days, and which follow complex rules. These passwords are difficult to memorize and, since users may need to access several applications, this in turn leads to users writing them down – which negates the whole point.
Strong authentication technologies can potentially overcome this difficulty but many organizations cannot afford the changes that would be needed to their applications necessary to achieve this.
Access rights are normally set by security policy according to the role of the individual. However as individuals move through the organization it is often the case that new rights are added. Unfortunately, existing rights that are no longer needed are not always promptly withdrawn.
This is usually because it is difficult to see what rights an individual actually has and how these relate to the security policy. Administration staff is therefore reluctant to remove rights to avoid taking action that could make an individual unable to do their job. This access rights creep increases operational risk.
Promptly disabling all the access rights of users who have left the organization is another critical issue. Often organizations are unable to reconcile access rights with people. This makes it difficult to ensure that when a person leaves the organization their access rights are removed. These residual rights pose a clear risk.
Managing who is able to access what information is critical to complying with these regulations as well as reducing risk. Improving the identity management process, including the provisioning, authentication and access control processes, can reduce costs and improve efficiency.
Opening up the organization to allow partners and customers to access information and to securely purchase products can provide competitive advantages and worthwhile improvements in efficiency.
www.bestitdocuments.com