Identity security is often looked at from the technology perspective. However, the voices of business stakeholders, those using identity and access management (IAM), also need to be heard.
To get that particular insight, the Identity Defined Security Alliance (IDSA) and Dimensional Research surveyed more than 300 HR professionals who oversee workers who join the company, move within the company, or depart the organization; sales managers, who represent the business teams and who are concerned about the productivity and sensitivity of the data being accessed; and help desk teams that handle access requests and removals, and resolve access problems. These employees are in charge of setting up, managing, and removing identities from the system, and they have a unique stakeholder perspective.
Challenges Stakeholders Face with IAM
Identity security begins with identities. Adding identities to the corporate network and deleting them from it doesn't happen overnight, but it also shouldn't take a week or more. However, nearly three-quarters of the respondents said it takes at least a week for a typical worker to get access to required systems, while one in five sales managers reported it can take a month or more to revoke access. Employees who lack access are less productive; former employees who keep access create risk.
Why does it take so long to delete identities from the system? Over the course of a job, an employee can build multiple and complicated identities. Not every identity is connected to the local directory. Some are backdoor, admin-level accounts. Revoking a worker's identity across the entire company can be hit or miss if there aren't robust management systems in place. There have been situations where former employees continue to have access without anyone's knowledge until the company has a data breach. For example, the cybercriminal group responsible for the Colonial Pipeline ransomware attack used the password of an active but unused VPN account.
Data and proprietary information theft is also a serious concern, especially during the offboarding process. More than half of sales managers reported having former staff who stole information when leaving the company. Yet only 38% said an employee exhibiting suspicious behavior on the job would immediately be terminated. There needs to be a quicker response to bad behaviors by restricting access when there are red flags. Having an automated process will offer a quicker response, and it also allows the employee to show innocence if there is a dispute. Most importantly, culture around security needs to change, but technology must also be in place.
From a cybersecurity perspective, employees not having access decreases risk. But from a business productivity perspective, not having employees up and running quickly hurts the company. This inability to onboard efficiently reflects a lack of integration between products. No matter what software is used, the key piece is to have an automated workflow from the moment the employee joins the company. In addition to properly preparing the hardware, other best practices include:
- Automated provisioning and deprovisioning in tandem with business processes. This reduces the number of manual access changes and offers the full benefit of IAM programs.
- Having an access governance committee (even if this is a small group of executives drawn from key stakeholders, likely HR, IT, security, and legal) or robust policies enabling an accelerated onboarding process.
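The gaps described above (accounts not tied to the directory, admin-level accounts, and active but unused accounts such as a dormant VPN login) are what an automated deprovisioning check has to catch. The following is an added example, not from the survey or the IDSA; the system names, record fields, and 90-day idle threshold are assumptions, and the data is constructed.

```python
from datetime import date

# Constructed sample data: HR roster and a per-system account inventory.
HR_ROSTER = {"E100": "active", "E101": "terminated", "E102": "active"}
ACCOUNTS = [
    # (system, account, owner employee id or None, last login, privileged)
    ("directory", "asmith", "E100", date(2024, 5, 28), False),
    ("directory", "bjones", "E101", date(2024, 3, 1), False),
    ("vpn", "bjones-vpn", "E101", date(2024, 1, 15), False),
    ("crm", "cdoe", "E102", date(2023, 11, 2), False),
    ("database", "dbadmin2", None, date(2024, 5, 30), True),
]


def find_stale_accounts(roster, accounts, today, max_idle_days=90):
    """Return accounts to review or revoke, highest priority first."""
    findings = []
    for system, account, owner, last_login, privileged in accounts:
        reasons = []
        if owner is None:
            # Not linked to any HR identity, so offboarding never reaches it.
            reasons.append("no owner on record")
        elif roster.get(owner) != "active":
            # Owner terminated or unknown to HR, yet the account still exists.
            reasons.append("owner not active in HR")
        idle = (today - last_login).days
        if idle > max_idle_days:
            reasons.append(f"idle {idle} days")
        if reasons:
            findings.append({
                "system": system,
                "account": account,
                "privileged": privileged,
                "reasons": reasons,
            })
    # Privileged accounts first, then accounts with the most reasons.
    findings.sort(key=lambda f: (not f["privileged"], -len(f["reasons"])))
    return findings


if __name__ == "__main__":
    for f in find_stale_accounts(HR_ROSTER, ACCOUNTS, date(2024, 6, 1)):
        print(f["system"], f["account"], "; ".join(f["reasons"]))
```

Run on a schedule against real exports, the output is a revocation queue that the access owner can act on without waiting for a manual request.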
The Processes and Room for Improvement
It is difficult to accurately manage access without a clear line of responsibility. Sometimes it is HR, but other times it is the IT department. When more than one department is involved and has ownership of system access (and 78% said they do have more than one department in this process), this can cause conflicts in decision making, delays, or even over-provisioning of access.
One approach is to designate one owner through an access governance committee. This committee offers one unified voice for identity management and is made up of stakeholders who are accountable for leading policy creation for access and identities, and who enforce that policy across the organization. As a single voice, the committee would define access policies and define the metrics to measure performance against identity-related goals. The data in use should be a driving factor in who is considered an IAM stakeholder. For example, if the data access is financial, someone in the financial department should be the decision maker.
That more CISOs are taking ownership of IAM programs shows the importance of identity security. This should guide the efforts for security teams to work closely with business stakeholders to streamline account access in a manner that keeps employees productive and eliminates forgotten and inactive accounts. Identity-centered security allows both business and technology stakeholders the opportunity to protect the organization from identity-based cyberattacks.