H2FY20 You can get IAM right: Access Management

Access Management – After all, if you can’t get to your stuff, what’s the point?

Westley: Give us the gate key.
Yellin: I have no gate key.
Inigo Montoya: Fezzik, tear his arms off.
Yellin: Oh, you mean this gate key.
The Princess Bride - 1987

It’s all about access … isn’t it? The only reason technology exists is to make people’s lives easier. The only reason the IT department exists is to make people’s use of technology easier. And the only reason everything is so difficult these days is that there are outside forces that demand that someone control who can do what with technology. It could be the threat of a nefarious party from outside of your organization trying to steal data, break systems, or just prove a point. Or it could be insiders stumbling across information that you would rather they not see. Perhaps it’s the threat of some pencil-pusher throwing the book at you for some rule you never knew existed. No matter what the scenario, managing access is a requirement of today’s business world.

As discussed in the earlier chapter on fundamentals, the foundation for everything is access. When access is broken, no amount of security, control, management or governance matters. This section will address the foundational concepts of access management. It’s a simple equation: Authentication + Authorization = Access. Even though it may be a simple concept, the realization of it is much easier said than done.

So why do we struggle to get it right? The vast majority of organizations spend most of their IT focus on the day-to-day tasks associated with granting access. Their never-ending focus seems to be on making IAM processes as efficient as possible. But, once again, the challenge is complexity and diversity. You know that with every system, a point of authentication and an account must be set up (‘provisioned’) for user access, including a password that must be maintained. These tasks usually fall on IT because they have the administrative rights and tools to set up accounts and enforce password security rules, as well as reset passwords, when necessary.

This complexity is well illustrated by data from The Aberdeen Group, who surveyed thousands of companies with an average size of 21,000 employees on the current state of their IAM approach. Results show a tangled web of complexity that traps organizations in the lower tiers of the pyramid.

• On average, surveyed companies supported 198 applications. That’s potentially 198 places where accounts must be set up and managed, 198 different passwords and password policies, and dozens of IT professionals just to support users on this wide range of applications.
• On average the typical end user must access 27 different applications. Even if only half of those require unique passwords, how many of your users can remember 13 different passwords? And who has to help them when they forget?
• On average it takes 12 hours to provision a new user. That’s a full day and a half where users are being paid, but don’t have the access they need to do their jobs. And who is responsible for setting up those accounts? How many IT teams must be involved to ‘fully’ provision a user?
• On average it takes 4.9 hours to de-provision a user. That’s more than half a day, giving a disgruntled former employee plenty of time to do damage.

For these reasons, IAM has often been considered the realm of ‘provisioning’ and ‘single sign-on.’ After all, setting up an account and giving a user only one password should eliminate the need for IT-assisted password resets, at least in theory.