Within today's enterprises, it's common for organizations of all sizes to rely on many different applications to fulfill a variety of business needs. In smaller corporations, the access administration model tends to be distributed across many business lines or system owners. This model does not allow for a functional identity and access management program, meaning it's virtually impossible to manage user access, privilege levels and revocation when necessary.
Eventually, these organizations reach a maturation point where the access administration model must be assessed to determine if it's more efficient to centralize. This article lays out many of the process and security benefits of a centralized model.
The lifecycle of access for employees and temporary workers has three major phases:
- New access creation: Requiring new accounts on various systems.
- Access modification: Necessary when employees move from one job to another within the organization, requiring account access and privilege modifications, deletions and/or new accounts.
- Termination: Removal of all access.
For new access requests in a distributed access administration model, users that need access to multiple applications must make requests to multiple application owners. This often means filling out and submitting a variety of forms, which usually ask for the same data, depending on the system owner's governance process and interpretation of policy. As the system owners receive request forms, they provision the access and notify the end user. Unfortunately, the system owners won't grant access on the same day, so the end user will not have the complete set of access they need to do his or her job until the slowest system owner completes the request.
The process inefficiencies are obvious: multiple forms with similar information going to multiple system owners, who each provide access according to their own rules and requirements. If access reviews are required, this means a slew of uncoordinated emails to managers asking for access reviews and approvals.
The security concerns are worse. Each time an employee or contractor moves within the organization or is terminated, the old manager is expected to fill out a variety of forms requesting access modification, making each manager a potential failure point. If there is a process failure, there will most likely be accounts on systems that are inappropriate, or worse, belong to terminated employees.
In a centralized model, all system access is granted according to one interpretation of policy It also streamlines new user creation, modification and termination processes that can be based on one feed from human resources.
For example, when an individual joins the organization there is one request made for all access. The centralized provisioning team will be able to verify the new user is employed and who his or her manager is based on the HR feed. All access is granted at the same time as a single request and the user is ready to work when that request is complete.
When a user moves, there is only one group to notify for access changes and there is no need for a notification for planned termination because the HR feed will notify the centralized provisioning group of all the day's terminations. In the case of termination with prejudice (being fired), there is only one group to call to have all access shut down immediately.
Other advantages include the ability to have a single system access review generated across all systems, the beginnings of automated provisioning, fewer resources required to provision access and quicker turnaround time for requests.
I recommend moving toward a centralized provisioning model around the same time it's determined the company needs a helpdesk function. Moving towards this model will provide sounder information security practices, more efficient provisioning processes and will reduce the risk associated with managers as failure points. It will also put an organization on the road to a full-blown identity and access management program, which is essential to the information security program success of all midsized and large enterprises.
About the author:
David Griffeth is the Vice President of Business Line Integration and Reporting at RBS Citizens Bank, a financial institution that is one of the 10 largest commercial banking companies in the United States ranked by assets and deposits. As part of his responsibilities, David manages the Enterprise Identity and Access Management group and is charged with supporting the bank's growth model while maintaining compliance with several regulatory bodies. Prior to his current position, David consulted on major information risk management projects with large companies such as Fidelity Investments and CIGNA. David earned a bachelor's degree in computer science from Framingham State College and holds several certifications including CISSP and CISA.
This was first published in July 2009