A look at the perils of manual user-access provisioning and ways to streamline and better manage the process via automation.

Sean Martin, CISSP | President, imsmartin

May 24, 2016


The information security team is often seen as the department of "No." At best, it is viewed as the department that slows productivity and drives down employee satisfaction. Take the simple task of an employee getting access to the business resources needed to do his or her job.

Typically one of these scenarios plays out:

  • A request for access or a password change is made and takes ages to complete: A new employee joins the company and requests access to a business system. Three days later the complaints roll in: "I still don't have the access I need to get my work done."

  • A request for access or a password change is made without any formal process in place, and the request gets lost in a black hole: 60 days have passed and the employee is required to change their password on every system and application to which they have been granted access. (Keep in mind that access to those systems was not all granted on the same day, so the expiry dates are staggered and each one turns into its own request.)

  • A request for access or a password change is made directly and informally, and too much access is given: A member of IT asks the SysAdmin who owns the routers for an admin-level login to a router so they can change a setting and run a quick test on a new application. Rather than issuing a fresh, time-limited credential for that one task, the busy SysAdmin sends an email that reads, "Here's the admin username and password for router XYZ. Please don't share it or abuse it!" That shared password now sits in two mailboxes, never expires, and any change made with it cannot be attributed to a person.

  • No request for access is made. The user instead finds a different service or means to get their work done (thank you, Shadow IT): An employee needs to share large files with a new external business partner and therefore needs access to the company's cloud storage service. When IT takes more than a couple of hours to grant it, the employee signs up for a personal cloud storage service and shares the company's financial data that way, outside every control the company has.

IT, the help desk, and InfoSec teams are overwhelmed with these types of requests, and they have no easy way to collaborate with each other to make the process better. The challenge comes down to connecting IT, InfoSec, and HR operations so that integrated, streamlined workflows can exist: HR events (hire, role change, departure) should determine the standing access a person has, and anything beyond that should be requested through a ticket, time-limited, and logged.
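The workflow above, and the "time-based credential" the router scenario calls for, can be shown in code. This is an added example written for this page, not code from the author or from any of the products mentioned; the role-to-entitlement map, system names, ticket numbers and time limits are all hypothetical. HR joiner/mover/leaver events drive standing access, elevated access needs a ticket and expires on its own, and every grant, revocation and denial lands in an audit trail.

```python
"""Event-driven provisioning model (constructed example).

HR events decide standing access; elevated access is just-in-time,
ticket-backed and time-bound, so nothing is handed out by email and
nothing lives forever.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical "birthright" policy: what each role gets on day one.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp": "read", "cloud-storage": "share"},
    "network-engineer": {"router-xyz": "operator"},
}

STANDING_TTL = timedelta(days=365)   # role-based access is re-certified yearly
ELEVATED_TTL = timedelta(hours=1)    # admin access for a task lasts an hour
T0 = datetime(2016, 5, 24, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Grant:
    user: str
    system: str
    level: str
    expires_at: datetime
    reason: str


@dataclass
class ProvisioningEngine:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # (action, user, system, level, reason)

    def grant(self, user, system, level, now, ttl, reason):
        """Every grant carries an expiry and a reason; there is no 'forever'."""
        g = Grant(user, system, level, now + ttl, reason)
        self.grants.append(g)
        self.audit.append(("grant", user, system, level, reason))
        return g

    def revoke_all(self, user, reason):
        """Movers and leavers lose everything first; movers get their new role after."""
        for g in self.grants:
            if g.user == user:
                self.audit.append(("revoke", g.user, g.system, g.level, reason))
        self.grants = [g for g in self.grants if g.user != user]

    def on_hr_event(self, event, now):
        """Joiner/mover/leaver events from the HR system drive standing access."""
        user, kind = event["user"], event["type"]
        if kind in ("mover", "leaver"):
            self.revoke_all(user, reason=kind)
        if kind in ("joiner", "mover"):
            role = event["role"]
            for system, level in ROLE_ENTITLEMENTS[role].items():
                self.grant(user, system, level, now, STANDING_TTL, f"{kind}:{role}")

    def request_elevated(self, user, system, level, now, ticket):
        """Just-in-time elevated access: a help-desk ticket is mandatory, and the
        grant expires on its own instead of relying on someone to clean it up."""
        if not ticket:
            self.audit.append(("deny", user, system, level, "no ticket"))
            raise PermissionError(f"{user} needs a ticket for {level} on {system}")
        return self.grant(user, system, level, now, ELEVATED_TTL, f"ticket:{ticket}")

    def active(self, user, now):
        """Effective access right now; expired grants simply stop counting."""
        return {g.system: g.level
                for g in self.grants if g.user == user and g.expires_at > now}


if __name__ == "__main__":
    engine = ProvisioningEngine()
    engine.on_hr_event({"type": "joiner", "user": "alice", "role": "finance-analyst"}, T0)
    engine.request_elevated("bob", "router-xyz", "admin", T0, ticket="INC-1234")
    print("alice now:", engine.active("alice", T0))
    print("bob in 30 min:", engine.active("bob", T0 + ELEVATED_TTL / 2))
    print("bob in 2 h:", engine.active("bob", T0 + ELEVATED_TTL * 2))
    engine.on_hr_event({"type": "leaver", "user": "alice"}, T0)
    print("alice after leaving:", engine.active("alice", T0))
    for entry in engine.audit:
        print(entry)
```

The point of the model is that the three teams share one record: HR emits the event, the help desk supplies the ticket, and InfoSec reads the audit list, so the "lost in a black hole" and "emailed admin password" cases cannot occur because there is no path that bypasses `grant`.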

Organizations are hunting for such operational timesavers, often starting with help desk systems (like ServiceNow) and HR employee management systems (like Workday). In fact, many organizations have already invested heavily in these types of systems. To that point, at the recent CentrifyConnect conference in New York, about a quarter (25%) of the audience said they use ServiceNow, and about 15% use Workday.

Just because things are manual and cumbersome doesn't mean you can take credential management lightly, especially since a compromised identity is the primary means of attack in most of today's breaches. According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default or stolen passwords.

Conversely, you can't focus solely on locking access down: a control that users route around, as in the Shadow IT scenario above, protects nothing.

Take a look at the options for end user provisioning, and at how to maintain a proper level of access control while minimizing the operational impact on IT, InfoSec, and HR, as well as improving the experience for end users:


About the Author(s)

Sean Martin

CISSP | President, imsmartin

Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk, and compliance, with a focus on specialized industries such as government, finance, healthcare, insurance, legal, and the supply chain.
