Christian Zander (Global) - Five Access Management Actions for the New Year

Every day the media report yet another data breach, and more often than not the breach appears to originate internally. We still need to be aware of, and proactively manage, the ‘outsider' threat; but by taking just five access management actions in 2013 we can also contain and control the ‘insider' threat.

Based on anecdotal evidence from working with numerous large organisations over the last few years, we've found that labour-intensive internal access controls are often overlooked and/or not kept up to date, which leaves an opening for the opportunist to reach sensitive data. So this is not just a way to stop determined internal ‘hackers' but also a way to protect employees who may come across data unintentionally. It's all about trust: ensuring you can trust your data and your employees, and that your employees can trust the organisation to protect them.

Recommended New Year's Resolutions for 2013:

Find out where your data is and who can access it
Many organisations think they know who's looking at their data, but without being able to actually see and report on who can access what data, how can you be sure? You will no doubt have processes in place for user provisioning and deprovisioning, but these are often complex, error-prone, manual processes that may not be the highest priority for the IT department. When a new employee joins the organisation they may need Active Directory (AD) and SharePoint accounts plus access to specific physical and virtual file servers. Conversely, when the employee leaves the organisation or moves to another department or project, those access rights should be updated, and it is the removals that are most often forgotten.
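What "seeing and reporting on who can access what" looks like in practice, as an added example that is not from the article or from protected-networks.com: a PowerShell script that walks a file share, lists the explicitly granted (non-inherited) NTFS entries on each folder, expands AD groups to their nested user members, and flags entitlements that still resolve to disabled or deleted accounts. It assumes the ActiveDirectory RSAT module is installed, the running account can read both the ACLs and AD, and a placeholder share path (\\fileserver01\projects); the `Expand-Principal` helper and the status labels are this example's own names.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report who can reach each folder of a file share and flag
# stale grants. Not the article's or protected-networks.com's code.
param(
    [string]$SharePath = '\\fileserver01\projects',   # assumption: placeholder UNC path
    [string]$ReportCsv = '.\access-report.csv'
)

Import-Module ActiveDirectory

# Cache group expansions so a share with thousands of ACEs does not hammer AD.
$groupCache = @{}

function New-PrincipalRow {
    param([string]$Account, [object]$Enabled, [string]$Status)
    [pscustomobject]@{ Account = $Account; Enabled = $Enabled; Status = $Status }
}

function Expand-Principal {
    # Turns one ACE identity ('CONTOSO\Finance-RW', 'NT AUTHORITY\SYSTEM',
    # or a raw SID) into the individual accounts it actually grants access to.
    param([string]$Identity)

    # A raw SID on an ACL means the account was deleted but its grant lingers.
    if ($Identity -match '^S-1-5-') {
        return New-PrincipalRow -Account $Identity -Enabled $null -Status 'ORPHANED-SID'
    }

    $name   = ($Identity.Split('\')[-1]) -replace "'", "''"   # escape for the LDAP-style filter
    $group  = Get-ADGroup -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
    if ($group) {
        if (-not $groupCache.ContainsKey($name)) {
            # -Recursive follows nested groups, which is where forgotten access usually hides.
            $groupCache[$name] = Get-ADGroupMember -Identity $group -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object { Get-ADUser -Identity $_.SamAccountName -Properties Enabled }
        }
        foreach ($u in $groupCache[$name]) {
            $status = if ($u.Enabled) { 'OK' } else { 'DISABLED' }
            New-PrincipalRow -Account $u.SamAccountName -Enabled $u.Enabled -Status $status
        }
        return
    }

    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -Properties Enabled -ErrorAction SilentlyContinue
    if ($user) {
        $status = if ($user.Enabled) { 'OK' } else { 'DISABLED' }
        New-PrincipalRow -Account $user.SamAccountName -Enabled $user.Enabled -Status $status
    } else {
        # Built-in or local principals (SYSTEM, Administrators) are reported as-is.
        New-PrincipalRow -Account $Identity -Enabled $null -Status 'LOCAL/BUILTIN'
    }
}

# Walk every folder; only explicit (non-inherited) ACEs are reported, because
# those are the places where somebody deliberately granted or denied access.
$rows = foreach ($folder in Get-ChildItem -Path $SharePath -Directory -Recurse) {
    $acl = Get-Acl -Path $folder.FullName
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        foreach ($p in (Expand-Principal -Identity $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Folder    = $folder.FullName
                GrantedTo = $ace.IdentityReference.Value
                Account   = $p.Account
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType      # Allow or Deny
                Status    = $p.Status
            }
        }
    }
}

$rows | Export-Csv -Path $ReportCsv -NoTypeInformation

# The entries worth acting on first: grants that point at disabled or deleted
# accounts, i.e. deprovisioning that never reached the file server.
$rows | Where-Object { $_.Status -in 'DISABLED', 'ORPHANED-SID' } |
    Sort-Object Folder, Account | Format-Table -AutoSize
```

Two caveats a practitioner will want: this reads NTFS permissions only, and effective access over the network is the intersection of NTFS and share-level permissions, so check the share ACL (for example with Get-SmbShareAccess) as well; and a full recursive walk of a large share is slow, so in production it is usually run per top-level folder or scheduled overnight, with the CSV handed to the data owners rather than to IT.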

The challenge is how to keep track of all these changes and know that the right people have the right access. One way is to delegate the granting of access rights to the actual data owners or stewards; however, this can only be achieved if the complexity and time required to implement the changes are reduced. This brings me to the second recommended resolution for the New Year...

Streamline your Access Rights Management process (this doesn't need to be complicated and is well worth the effort)
Taking on a project to streamline a series of manual processes can be complicated and can be perceived to take a disproportionate amount of time. How often in business do we hear the limiting, short-term comment: ‘it's quicker if I just do it myself'? But with any repeatable process, it is in reality judicious in the longer term to assess, streamline and implement a more efficient process.

This may or may not involve the use of software tools and applications, but it will almost certainly involve training and, of course, documentation. Job ownership can often be a barrier, but by reducing the amount of manual effort required to manage access rights, the IT department can focus on more interesting activities. Our experience shows that by streamlining and automating this process, organisations can save time, costs and frustration amongst their IT department, the data owners or stewards and the actual data users. Streamlining also helps the organisation to become more agile and to set up (and close down) specific project teams more quickly, for example.

Don't assume that employees are sufficiently sensitized about what they should or should not do with company sensitive data
This is an interesting one. Of course we all expect our employees to be guardians of our data: they all attended an induction briefing and signed the appropriate policy when they joined, didn't they? Most will take on this responsibility, but what happens when they realise that their short stint in HR as a graduate recruit still enables them to check everyone's pay levels? We can all be tempted. This is my point above about trust. Organisations have a duty to protect not only their sensitive data but also their employees. Let's keep temptation out of reach; then the ‘insider' threat, whether planned or opportunist, can be controlled.

Find out how much managing access rights is really costing you
We're all facing shrinking budgets. We've found that organisations that look closely at their access rights management processes will see that this is a great place to start stripping out costs (and saving time). Automating the provisioning and deprovisioning of access rights, running reports and generating alerts if unauthorised access is attempted all save time and effort whilst enhancing security. And if the process can be simplified or automated to such an extent that non-technical data owners or stewards can manage their own access rights, this not only frees up expensive IT resources but puts control into the hands of those nearest to the data.

Finally, sit back and check just how much ROI you've achieved by actioning the first four resolutions.
You'll quickly see that significant ROI is achieved through cost savings and by increasing the flexibility and responsiveness of the organisation. Cost savings include reducing the amount of manual input required to manage access rights and reducing both errors and exposure; a data breach can be very costly in terms of fines, reputation and competitive advantage. Not so easily measured is the increase in profitability from being able to quickly set up new project groups, move employees to new teams or departments (or even companies in the same group) and, in doing so, respond to changing market needs. Sounds like a great ROI and a great start to the year to me!

Bottom line? Perhaps the key New Year's Resolution is to rethink how you approach managing access rights. This is not just an administrative task but a business-critical activity. And with the ever-growing strategic importance of, and reliance on, data, best-practice stewardship is essential. We're living in an age of ‘big data'; let's make sure that in 2013 our sensitive data and our employees are protected, trusted and trustworthy.


By Christian Zander, CTO & Co-Founder, protected-networks.com GmbH
