Five burning issues in access management

"SharePoint is the new Wild West of potential data leakage"
The business and technology trends that are driving demand for more intelligent identity and access management tools. Presented in partnership with SailPoint
Compliance
Traditionally, managing access rights to applications and data was seen as nothing more than an IT admin job. But since the Sarbanes-Oxley Act took effect in the US in 2004, it has become a board-level issue.
The Act obliges any company listed in the US to demonstrate that their financial risk is understood and under control. This includes the risk of inappropriate access to financial systems, so companies need to be able to show that they have access management under control and that it can be audited when necessary.
"Sarbanes Oxley is a huge driver for access management among multinational corporations, because it means that external auditors are getting involved," says Jackie Gilbert, co-founder of identity and access governance supplier SailPoint.
However, these organisations also have hundreds if not thousands of applications of material significance. According to Gilbert, the first generation of automated access management tools were expensive to implement, so they were rarely used with each of these applications.
"The typical company usually stopped at the high return-on-investment applications, such as email or network access systems, where there's huge payback for automating provisioning."
But when every system needs to be auditable, that approach is no longer up to scratch – which is why SOX is driving organisations to seek more effective access management automation tools.
Job movers
Most organisations will have a defined process in place to make sure that new employees are given access to the systems they need when they join and that their access is taken away once they leave. But for many, there is an access management blind spot when employees change roles. A promotion or horizontal move within the organisation can significantly affect the access rights of an employee, but often these moves will not receive the same attention as a joiner or a leaver.
The most notorious recent example of this is that of Jerome Kerviel, a former trader at French investment bank Societe Generale. Kerviel lost the bank €5 billion by making risky trades and covering his tracks with access permissions he should not have had.
"The problem was that Kerviel changed jobs, from working in the middle office to being a trader," explains Kevin Cunningham, SailPoint's co-founder and president. "Those jobs involve access to a completely different set of applications. He got away with what he was doing because he could use admin privileges to cover his tracks."
"Job movers are the biggest challenge organisations have because companies are not really tracking what access people have" throughout their tenure at the company, he adds.
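The mover blind spot described above can be caught with a simple reconciliation: compare what each user actually holds against what their current role is supposed to grant, and trace any surplus back to a previous role. The following Python script is an added illustration written for this article, not SailPoint's code; the role model, user records and entitlement names are constructed sample data.

```python
"""Mover reconciliation: flag entitlements not justified by the current role.

Added example (not from the article or from SailPoint). The role model and
the users below are constructed sample data.
"""
from dataclasses import dataclass, field

# Hypothetical role model: the entitlements each job role is meant to grant.
ROLE_ENTITLEMENTS = {
    "middle-office-analyst": {"trade-capture:read", "risk-report:read", "trade-db:admin"},
    "trader": {"trade-capture:write", "market-data:read"},
    "accounts-payable-clerk": {"invoice-system:write", "vendor-master:read"},
}


@dataclass
class User:
    user_id: str
    current_role: str
    role_history: list = field(default_factory=list)  # previous roles, oldest first
    entitlements: set = field(default_factory=set)    # what the user actually holds


def stale_entitlements(user, role_model=ROLE_ENTITLEMENTS):
    """Return {entitlement: explaining_previous_role_or_None} for every
    entitlement the user holds that the current role does not grant.

    A value of None means no role in the user's history explains the
    entitlement (an orphan grant that needs an owner to review it)."""
    allowed = role_model.get(user.current_role, set())
    findings = {}
    for ent in sorted(user.entitlements - allowed):
        # Most recent previous role that would have granted this entitlement.
        source = next(
            (r for r in reversed(user.role_history) if ent in role_model.get(r, set())),
            None,
        )
        findings[ent] = source
    return findings


def review_users(users, role_model=ROLE_ENTITLEMENTS):
    """Run the mover check over a population; only users with findings appear."""
    report = {}
    for u in users:
        findings = stale_entitlements(u, role_model)
        if findings:
            report[u.user_id] = findings
    return report


# Constructed sample population.
SAMPLE_USERS = [
    # Moved middle office -> trading desk; the admin grant was never revoked.
    User("u1001", "trader", ["middle-office-analyst"],
         {"trade-capture:write", "market-data:read", "trade-db:admin"}),
    # Clerk with exactly the access the role model expects.
    User("u2002", "accounts-payable-clerk", [],
         {"invoice-system:write", "vendor-master:read"}),
    # Clerk holding a grant no past or present role explains.
    User("u3003", "accounts-payable-clerk", [],
         {"invoice-system:write", "payment-release:approve"}),
]

if __name__ == "__main__":
    for user_id, findings in review_users(SAMPLE_USERS).items():
        for ent, source in findings.items():
            why = f"carried over from role '{source}'" if source else "no role explains it"
            print(f"{user_id}: {ent} ({why})")
```

Running the script prints the two users with surplus access; the clean clerk produces no line. In practice the "allowed" set would come from the role model the line manager signs off, which is the point the article makes about business owners rather than IT admins judging whether access is appropriate.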
IT is not the expert
It is quite understandable why the job of managing access to applications and data has traditionally fallen to IT admins, as it usually involved using highly technical tools.
However, IT admins are not best placed to understand how access rights relate to the various job roles within the business. "You can't go up to an IT manager and ask whether an employee's access rights are appropriate," says Cunningham. "They won't know what access a junior clerk working in the accounts payable department should have, for example."
In the past, says Cunningham, making sure access management was governed by the policies of the business involved a time-consuming process of translating access rights data into terms that business people would understand. "It was hugely inefficient and hugely ineffective," he says.
Instead, he argues, access management tools should be simple enough for a line manager to use, as they are the ones who understand what access their direct reports are entitled to. "The intersection of system access and identity compliance requires a business person," Cunningham says.