Principles of Access Management Control


Remove unauthorized users automatically

Access management is the effective management of every user and the enterprise access each of them holds. Enterprise access extends to suppliers and providers as well as employees. Too often, organizations wait for a security incident before deploying sufficient access management controls.

According to the recently released Forrester report, Understand The State of Data Security and Privacy: 2015 to 2016, internal incidents were the leading cause of security breaches. The root cause of an internal incident stems from either:

  • Privileged accounts from within an ecosystem
  • Former employees who were never de-provisioned

Each case shows that too many unauthorized users have access to too many enterprise systems. Unauthorized access begins with manual onboarding and human error. It accumulates as access privileges are grandfathered through the employee lifecycle, and the exposure is greatest when access termination processes are inadequate.

Preset Access Management Controls

Security breaches show that unauthorized access can be mitigated with identity and access management controls. Access management includes preset and real-time access controls. With preset access controls, user access is largely based on roles. In that model, two principles determine the access a user holds: they identify which systems a user can reach, and they govern what the user can see and do there.

Preset controls take into account a company’s operations and policies. They enforce industry regulations and an organization’s security initiatives. Preset controls are based on:

  • Principle of least privilege: grant users only privileges essential to performing their work.
  • Segregation of duties (SoD): add checks and balances to activities and transactions.

The principle of least privilege prevents onboarding inconsistencies and grandfathering. It removes human error and provides governance when assigning new access, performing transfers and terminating accounts.

SoD controls make organizations relate authentication, system data, workflows, and access privileges. They insert checks and balances into business processes by requiring more than one person to complete a task. SoD controls enable audit capabilities over privileged identities and other risks, and they help identify out-of-norm access privileges as well as orphaned accounts. SoD controls are important for ensuring SOX compliance and confidence in attestation reporting. They also automatically decommission terminated access.
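The two preset principles above, least privilege and SoD, can be expressed as a small role model plus a conflict table. The following is an added example, not Avatier's code or any product's API; the role names, permission strings and conflicting pairs are constructed for illustration. It refuses a role assignment that would give one identity a conflicting permission pair, and it audits a directory for existing conflicts and for permissions granted outside any role (the grandfathered, out-of-norm privileges the text warns about).

```python
"""Preset access controls: least-privilege role assignment with SoD checks.

Added example (not Avatier's code). Roles, permission strings and the
conflict pairs below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Each role maps to the smallest permission set the job needs (least privilege).
ROLE_PERMISSIONS = {
    "ap_clerk":    {"vendor:create", "invoice:enter"},
    "ap_approver": {"invoice:approve", "payment:release"},
    "auditor":     {"ledger:read"},
    "sysadmin":    {"user:create", "user:disable", "ledger:read"},
}

# Segregation of duties: permission pairs one identity must never hold together.
SOD_CONFLICTS = frozenset({
    frozenset({"vendor:create", "payment:release"}),  # create a vendor and pay it
    frozenset({"invoice:enter", "invoice:approve"}),  # enter an invoice and approve it
    frozenset({"user:create", "payment:release"}),    # mint accounts and move money
})


class SodViolation(Exception):
    """Raised when an assignment would give a user a conflicting permission pair."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Permissions granted outside any role, e.g. grandfathered during a transfer.
    direct_grants: set = field(default_factory=set)


def effective_permissions(user: User) -> set:
    """Union of role-derived permissions and any direct grants."""
    perms = set(user.direct_grants)
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown roles grant nothing
    return perms


def sod_violations(perms: set) -> list:
    """Conflicting pairs present in `perms`, as sorted tuples for stable output."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms)


def assign_role(user: User, role: str) -> None:
    """Grant a role only if the resulting permission set respects SoD."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    candidate = effective_permissions(user) | ROLE_PERMISSIONS[role]
    violations = sod_violations(candidate)
    if violations:
        raise SodViolation(f"{user.name}: role {role!r} would create {violations}")
    user.roles.add(role)


def audit(users: list) -> dict:
    """Report SoD conflicts and permissions held outside any assigned role."""
    report = {"sod": {}, "out_of_norm": {}}
    for u in users:
        conflicts = sod_violations(effective_permissions(u))
        if conflicts:
            report["sod"][u.name] = conflicts
        role_perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in u.roles))
        extra = sorted(u.direct_grants - role_perms)
        if extra:
            report["out_of_norm"][u.name] = extra
    return report


if __name__ == "__main__":
    alice = User("alice")
    assign_role(alice, "ap_clerk")
    try:
        assign_role(alice, "ap_approver")  # clerk + approver crosses two SoD lines
    except SodViolation as exc:
        print("blocked:", exc)
    bob = User("bob", roles={"ap_approver"}, direct_grants={"vendor:create"})
    print(audit([alice, bob]))
```

The audit separates the two findings on purpose: an SoD conflict is a control failure that needs a workflow change, while an out-of-norm direct grant is usually a leftover from a transfer that a recertification should remove.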

Real-time Controls

Real-time access controls regulate users once they are granted system access. These controls specify the data users see, the activities they can perform, and the requests they can make. They also route requests for approval using built-in SoD controls. Real-time controls operate transparently while users make requests. Whether the request comes from a Web application, a mobile app or an enterprise system, they certify that it is complete, compliant, and logged.

For many enterprises, de-provisioning a user's network accounts and access is a manual process. Failure to de-provision with certainty creates significant security vulnerabilities. Real-time de-provisioning controls save time, operational costs, and worries. In most cases, real-time de-provisioning represents a more critical user management consideration than provisioning. De-provisioning must be completely automated to enforce proper security. It entails removing system and application access, archiving shared resources such as mailboxes, and logging every action.
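Automated de-provisioning reduces to a reconciliation between the HR roster (the source of truth for who is employed) and the account directory. The following is an added example, not Avatier's code; the roster, the directory entries and the action names are constructed, and a real run would read HR and directory data instead of the literals. It disables terminated users on or after their end date, archives their mailbox, flags accounts with no HR owner as orphaned (the former-employee and orphaned-account cases from the Forrester findings), and emits a JSON log line for every action taken.

```python
"""Automated de-provisioning: reconcile directory accounts against the HR roster.

Added example, not Avatier's code. Roster, directory and action names are constructed.
"""
import json
from datetime import date

# Constructed HR roster: employment status and, for leavers, the last day.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob":   {"status": "terminated", "end_date": "2016-03-31"},
    "carol": {"status": "active"},
}

# Constructed directory state: enablement, shared mailbox, privilege level.
DIRECTORY = [
    {"account": "alice",      "enabled": True, "mailbox": True,  "privileged": False},
    {"account": "bob",        "enabled": True, "mailbox": True,  "privileged": True},   # left, never disabled
    {"account": "carol",      "enabled": True, "mailbox": True,  "privileged": False},
    {"account": "svc_legacy", "enabled": True, "mailbox": False, "privileged": True},   # no HR owner
]


def plan_deprovisioning(roster: dict, directory: list, today: str) -> list:
    """Decide what to do with every account and return an ordered action list.

    `today` is an ISO date string. Terminated staff lose access on or after their
    end date and have their mailbox archived; accounts with no HR record are
    flagged as orphaned (high severity when privileged) rather than left enabled.
    """
    today_d = date.fromisoformat(today)
    actions = []
    for entry in directory:
        acct = entry["account"]
        person = roster.get(acct)
        if person is None:
            actions.append({"account": acct, "action": "flag_orphaned",
                            "severity": "high" if entry["privileged"] else "medium"})
            continue
        if (person["status"] == "terminated"
                and date.fromisoformat(person["end_date"]) <= today_d):
            if entry["enabled"]:
                actions.append({"account": acct, "action": "disable_account"})
            if entry["mailbox"]:
                actions.append({"account": acct, "action": "archive_mailbox"})
    return actions


def apply_actions(directory: list, actions: list) -> list:
    """Apply the plan to the in-memory directory; return one JSON log line per action."""
    by_name = {e["account"]: e for e in directory}
    log = []
    for a in actions:
        entry = by_name[a["account"]]
        if a["action"] == "disable_account":
            entry["enabled"] = False
        elif a["action"] == "archive_mailbox":
            entry["mailbox"] = False
        # flag_orphaned changes nothing in the directory; it is logged for review.
        log.append(json.dumps({"event": "deprovision", **a}, sort_keys=True))
    return log


def leavers_still_enabled(roster: dict, directory: list, today: str) -> list:
    """Post-run check: terminated users whose account is still enabled. Should be empty."""
    return [a["account"] for a in plan_deprovisioning(roster, directory, today)
            if a["action"] == "disable_account"]


if __name__ == "__main__":
    plan = plan_deprovisioning(HR_ROSTER, DIRECTORY, "2016-04-01")
    for line in apply_actions(DIRECTORY, plan):
        print(line)
    print("still enabled leavers:", leavers_still_enabled(HR_ROSTER, DIRECTORY, "2016-04-01"))
```

Running the planner a second time after applying the plan is the "de-provisioning with certainty" check: the only remaining item should be the orphaned service account, which needs a human owner decision rather than an automatic disable.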

Two-factor and multifactor authentication increase security control over access. The extra authentication better confirms that users are who they claim to be. In addition to passwords, the process makes users further identify themselves. Strong authentication offers more security control over access to data and applications. The additional factor can be delivered through SMS texts to a mobile phone, a notification to an alternative email address, questions the user set up, smart cards, tokens and even biometrics. Particularly for privileged users, two-factor and multifactor authentication mitigate the risk of unauthorized access.
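The real-time controls described above (what a user may request, routing for approval, logging) and the requirement of a second factor for privileged users combine naturally into one request gate. The following is an added example that serves both passages; it is not Avatier's code, and the user directory, action names, the set of privileged actions and the four-eyes approval rule (a different, enabled, entitled user must approve) are constructed assumptions. The gate assumes the second factor itself has already been verified by the authentication layer and only consumes the result; it never touches factor secrets.

```python
"""Real-time request gate: account status, second factor for privileged actions,
four-eyes approval routing and per-request logging.

Added example, not Avatier's code. Directory, action names and policy sets are
constructed for illustration.
"""
import json

# Constructed policy: which actions are privileged, and which also need a second person.
PRIVILEGED_ACTIONS = {"payment:release", "user:disable", "ledger:export"}
ACTIONS_NEEDING_APPROVAL = {"payment:release", "ledger:export"}

# Constructed directory: enablement, effective permissions, enrolled second factor.
USERS = {
    "alice": {"enabled": True,  "permissions": {"invoice:enter", "ledger:read"}, "mfa_enrolled": False},
    "dave":  {"enabled": True,  "permissions": {"payment:release", "ledger:export"}, "mfa_enrolled": True},
    "erin":  {"enabled": True,  "permissions": {"payment:release"}, "mfa_enrolled": True},
    "bob":   {"enabled": False, "permissions": {"payment:release"}, "mfa_enrolled": True},  # de-provisioned
}


def evaluate_request(users: dict, requester: str, action: str,
                     mfa_verified: bool = False, approver: str = None) -> tuple:
    """Return (decision, reason); decision is 'allow', 'deny' or 'pending_approval'.

    `mfa_verified` is the authentication layer's statement that a second factor
    was checked for this request; the gate trusts that flag rather than re-verifying.
    """
    user = users.get(requester)
    if user is None or not user["enabled"]:
        return "deny", "account unknown or disabled"
    if action not in user["permissions"]:
        return "deny", "permission not granted"
    if action in PRIVILEGED_ACTIONS:
        if not user["mfa_enrolled"]:
            return "deny", "privileged action requires an enrolled second factor"
        if not mfa_verified:
            return "deny", "second factor not verified for this request"
    if action in ACTIONS_NEEDING_APPROVAL:
        if approver is None:
            return "pending_approval", "routed for approval"
        if approver == requester:
            return "deny", "requester cannot approve own request"
        approver_rec = users.get(approver)
        if (approver_rec is None or not approver_rec["enabled"]
                or action not in approver_rec["permissions"]):
            return "deny", "approver not entitled"
    return "allow", "ok"


def gate(users: dict, requester: str, action: str, mfa_verified: bool = False,
         approver: str = None, log: list = None) -> str:
    """Evaluate a request, append a JSON log line if a log is supplied, return the decision."""
    decision, reason = evaluate_request(users, requester, action, mfa_verified, approver)
    if log is not None:
        log.append(json.dumps({"event": "access_request", "requester": requester,
                               "action": action, "mfa_verified": mfa_verified,
                               "approver": approver, "decision": decision,
                               "reason": reason}, sort_keys=True))
    return decision


if __name__ == "__main__":
    audit_log = []
    gate(USERS, "bob", "payment:release", mfa_verified=True, log=audit_log)   # disabled account
    gate(USERS, "alice", "invoice:enter", log=audit_log)                      # routine, allowed
    gate(USERS, "dave", "payment:release", log=audit_log)                     # no second factor
    gate(USERS, "dave", "payment:release", mfa_verified=True, log=audit_log)  # routed for approval
    gate(USERS, "dave", "payment:release", mfa_verified=True, approver="erin", log=audit_log)
    print("\n".join(audit_log))
```

Every outcome, including denials, produces a log line, so a reviewer can see both the requests that were routed for approval and the ones blocked by a disabled account or a missing second factor.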

Access management uses the principles of least privilege and SoD to secure systems. To prevent unauthorized access, organizations require both preset and real-time controls. Preset and real-time access management controls mitigate risks from privileged accounts and employees. They ensure de-provisioning with certainty when employees leave the company. They add two-factor and multifactor authentication to privileged user requests.


Written by Thomas Edgerton

Thomas Edgerton, Avatier's MVP award-winning Market Analyst and Performance Consultant in information technology, IT security, instructional technology and human factors, blogs on topics ranging from leadership to national security, innovation and deconstructing the future.