It’s Criminal to Overlook Access Management Software

It’s Criminal to Overlook Access Management Software

Prevent white collar crime.

So much crime today occurs because nobody is paying attention to the identity and access management software. I was reminded of this last week when the National Credit Union Administration — the federal agency that oversees credit unions — barred Edgar Kelly from having dealings with any federally insured financial institution.

Seems harsh, but do not feel bad for Kelly. The reason for the punishment is that a year ago Kelly was sentenced to 33 months in prison following his conviction for stealing from KBR Credit Union in Tacoma. Kelly was not your ordinary “bank robber” though. Kelly had been a teller and office manager for 13 years at KBR and during 10 of those years he had been transferring funds from transactions he handled to his own account rather than that of the credit union.

For 10 years, Kelly accessed funds and rerouted them by making these funds transfers at strategic times and altering the paperwork. Only after an internal audit of the accounts in 2010 revealed discrepancies in these transactions was Kelly’s nefarious scheme uncovered.


Kelly’s case reminds us once again that the biggest threat to business lies within its own confines. Employees are the ones who know the business the best and are in the best position to find the holes in its security. This is not to say all employees are out to get their employers, but there are a few, which is why there is a heightened focus for improved risk management when it comes to security in businesses of all types — whether they are financial institutions handling people’s money or companies handling people’s personal information.

Most companies believe they are secure with their identity and access management software, but for the past decade, we’ve seen more and more issues of internal access gone wrong. Identity access management software, historically the purview of IT, has become increasingly more problematic, failing to deliver on its original intent to track access usage, control who has access to which resources, and ensure transparency for business line managers to make better decisions.

For more than a decade, IAM systems have been promising to deliver on this, but delivery of the basic security needs — accountability, control and transparency — have not fully come to fruition. Moreover, regulatory requirements have forced organizations to take a hard look at how secure their applications and databases are against theft. Given that virtually all organizations have employee and customer data on their systems — social security numbers, birth dates, credit card accounts, etc — all carry a substantial risk of liability should a security breach occur.

Banking on Identity and Access Management

Unfortunately, organizations have been slow to implement new, state‐of‐the‐art identity and access management software audit controls. Most large organizations have begun implementing such projects, but few others have fully deployed them across the enterprise and certainly have they deployed IAM at its most advanced capabilities.

Regardless of whatever phase of IAM an organization happens to be at, the long-term strategy should be to evaluate its IT cyber security needs regularly and decide how well its current identity access management technologies are meeting its current needs…chances are they are not.

But the identity and access management software field is constantly being redefined. Innovations are coming to fruition as new technologies streamline this aging industry. These new, innovative technologies will drive down maintenance costs and allow organizations to evolve as the technology is deployed, thereby avoiding costly business disruption. You can bank on that!

Check out what Avatier Lifecycle Management can do for you. You can also view the Lifecycle Management Product Introduction.

BP_identity-management Get a Free Copy of the Top 10 Access Management Best Practices Workbook

Begin your identity and access management initiative by following expert recommends for business process workflow automation, self-service administration and IT security.

Request the Workbook

Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts.Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).