Prevent access creep within your organization
Welcome to part 2 in this 3-part series which sheds some light on how identity lifecycle management solutions, including ideiio capabilities, can help simplify and secure IT access for your organization’s joiners, movers and leavers.
First let me run-through what we mean by identity lifecycle management system and ideiio.
Identity Lifecycle Management also referred to as ILM is the practice of making sure the right people have the right access to the right systems at the right time with the ability to revoke access when it is no longer required.
At ideiio our platform is known internationally for its ILM capabilities, but as we can also provide auditing functionality to monitor who has access and when, this is more broadly referred to as Identity Governance and Administration or IGA.
So let’s get right to it and look at how Identity Lifecycle Management works for employees who move within your organization.
Part 2 – Movers
Employee access provisioning and deprovisioning (Mover)
When an employee moves within the company, changes are often required to their access. A user switching departments or changing their job function will typically require new access to be granted to enable them in their new role. In order to restrict access to only those that need it and ensure overall system security any access that the employee no longer needs should be removed. This will ensure employees don’t gather more and more access as they progress in their career (access creep), ending up with access and permissions that they don’t need. Access creep over time is a huge security risk to the company.
Why is user provisioning and deprovisioning important?
When an employee has more access than they need to do their job their security risk increases. Risks from employees with granted access are referred to as Insider Threats. Insider threats can come in two forms: intentional and exploited. Intentional threats occur when a user with access in a system decides that they want to use that access to do something that they shouldn’t. That could mean stealing data, misusing resources, sabotaging systems, or any number of other bad deeds.
Even if an employee is completely trustworthy and has no ill intent, having too much access presents security risks through exploited threats. For example if that employee gets hacked or their password gets compromised, then external bad actors can use that entry point to get into your systems. The more access available at the entry point, the easier it is for them to access your data and wreak havoc in your systems.
How can an Identity Lifecycle Management System help movers?
A Identity Lifecycle Management System can help ensure that a user has the access they need, and only what they need, by automatically provisioning and deprovisioning access, using the role based access control (RBAC) policies. As with when a new employee is onboarded the job change is typically driven by the HR System. When the employee’s record is updated with a new job or when a job is removed from their record the Identity Lifecycle Management System will automatically see that change and make the appropriate changes to the employee’s access. Old access that is no longer needed can be removed to ensure the user doesn’t have more access than they need, and any new access that they need for their new job can be added.
How can ideiio help with user provisioning and deprovisioning?
With ideiio connect continually monitoring the HR System any changes are picked up and synchronized to ideiio lifecycle management. ideiio lifecycle will determine if any access changes are required when an update is detected. If updates to access are required, ideiio connect will provision or deprovision access as needed.
Workflows can be tied to any lifecycle event for a user and provide custom processing based on changes in employee data. Over 45 out of the box workflows provide default behavior for these lifecycle events. All of these workflows can be customized…
..and new workflows can also be added based on lifecycle or system events.
I hope part 2 in this 3-part series has been useful and shed some light on how identity lifecycle management solutions can prevent access creep within your organization.