Spring Clean Your Network with Automated Access Management

By Dean Wiech, Managing Director of Tools4ever US

Spring is the time for cleaning, for coming out of one's shell, opening up the blinds and windows, and welcoming the sun into the long, dark places created by the previous winter. Most of us partake in the annual rituals of cleaning our homes, cars, offices, and workshops. But what about our organization's software? Organizations need to take some time to look at all of the software, applications, accounts and licenses they have available and clean house of those that are no longer needed but are possibly still being paid for. These applications aren't just a waste of space on the company's network. They may be costing the company hundreds or even thousands of dollars every year for unused licenses. Even worse, they may actually be a security risk!

Here's Why This Is an Issue

Often, network admins have no clear idea of the accounts and access on the company's network. This is not because they are apathetic or haven't bothered to look into it; it is just exceedingly difficult to track. The IT department is very busy with other, more pertinent issues, and constantly monitoring accounts and access is very time consuming. Organizations need to have network admins sit down and take a look at exactly what needs to be cleaned out. They then need to put solutions or guidelines in place for the organization to follow going forward.

So, if it isn't because admins lack diligence, why does this happen? The most common reason is that the organization has no real overview of access rights and of who is using which systems and applications. For example, an employee may be given access to a certain database based on their position, but are they actually using it? Is it still pertinent to their job? Your organization may be paying for licenses that your employees are not even using.

This access might also have been accidentally provided to them. It is very common for employee accounts to be copied from a similar template when they first join the organization. So they may have been given a license to a system that is not needed.

While this is a waste of resources for employees who are not using them, the company might also be paying for licenses for employees who are no longer even with the organization. When an employee leaves or gets dismissed from an organization, disabling all of the accounts they have is an often overlooked process. This is because a manager needs to manually access each of the systems and disable the account. Even worse, the ex-employee might be using the resource that you are paying for. There have been many cases where an employee who is no longer at the organization can gain access and download information or still use the resource while at a new job. Without a clear overview of usage and access, an admin would need to manually create a report. This is why companies are often overpaying for licenses and solutions.

How Can You Mitigate This?

So now that we know exactly how your company is potentially wasting money and why it is happening, how can this be solved? It would be impolite of me to tell you what you may be doing wrong without giving you a way to correct it.

Many identity and access governance (IAG) solutions allow for an organization to automate their entire user account lifecycle and easily gain visibility to access and usage rights. How does this work? Some IAG vendors can set up a reporting system that allows the company to generate and provide IT managers, systems administrators and application administrators with a dashboard that lists the number of times an application has been launched by an employee, the number of minutes the application has been used, as well as the idle time in minutes. This is extremely valuable insight, which can easily be generated and make a huge difference in license costs.

If an application remains unused for a long period, access to it can be revoked. In some cases, a warning can be sent to the user or manager so that they are aware that the resource is not being used and may not be necessary. The organization can then easily clean up the network of any unused accounts and licenses.

While this saves the organization a great deal of money by eliminating software and licenses that are not needed, it also saves a great deal of money for audit needs. An IT employee no longer needs to manually determine access rights for audit reports. A report can easily be generated to show the exact access rights and even any changes the employee made in each system and application.

Going Forward: Types of Solutions or Guidelines to Put in Place

While this cleans up the network for the time being, how can the network easily be kept neat and efficient going forward? Access governance solutions and guidelines can be implemented so that rights and usage never get out of control again. AG solutions ensure that access rights are correct, which in turn ensures that employees don't have access to applications and licenses that they do not need.

A company should first set up a role matrix, which sets in place a model for exactly which resources each position within the organization needs. This sounds daunting, doesn't it? With the help of an experienced identity and access governance vendor, though, this can be achieved efficiently without a huge hassle. There are several methods that make this process extremely easy, such as pulling current access rights from your applications as a starting point.

After the model is set up, when a new employee joins the organization, they are simply entered into the source system and, depending on what their role is going to be, they receive the exact rights and resources they will need.

A manager can then be sent a report of access rights for all of the employees within his or her department. This report can be sent every week, month, year or any other set time that company leaders would like. This allows them to easily check that each of the employees has the correct access and licenses for the resources that they need. Perhaps an employee received too many rights for an application he does not even use. A manager can easily correct the issue by disabling the account.

This is also helpful when an employee is no longer with the organization. When an employee leaves, it can easily be ensured that all of their accounts are disabled and that the company isn't paying for a license. It is as simple as a manager disabling the employee's account in the source system, such as the HR system, which automatically disables the user's account in all connected applications. This also ensures that an ex-employee doesn't continue to utilize a resource for their own personal use, or even for the new company they are working for.

How Does this Save Me Money?

So, if it is not already obvious, cleaning up the network can save your organization a ton of money. Consider, as an example, a company that uses Sales Lead System, which costs about $25 per user per year. If the company has 10 users who are either not with the company, were given the license by accident or simply don't use the system, the company is paying $250 a year for something that is not even being utilized. Then, if a new employee needs access to this application, the company will unknowingly need to purchase additional licenses.

Here is an example of an onboarding process for an organization: A new employee is hired in the marketing department as a marketing assistant and needs accounts and resources created so they can begin work. Based on the model that the company set up, the employee will automatically receive a Hubspot cloud account, Google Analytics account, access to the marketing shared drive and an email address.

Then, the organization has it configured so that once a quarter the marketing manager receives a report of all of the employees in the department and the access that they have, including the new marketing assistant. A few months later the manager sees that the marketing assistant has access to an application that he was using for a project that is now completed. The manager can easily tag the access to be revoked and ensure that it is done right away.
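The periodic review described above amounts to reconciling three inputs: the HR source system, the role matrix, and the accounts that actually exist in each application with their last-use dates. The Python below is an added example, not code from the article or from any IAG product; the user names, role names, export layout and the 90-day idle threshold are assumptions, and all sample data is constructed.

```python
from datetime import date

# Constructed sample data; users, role names and application ids are hypothetical.
ROLE_MATRIX = {
    "marketing_assistant": {"hubspot", "google_analytics", "marketing_share", "email"},
    "sales_rep": {"sales_lead_system", "email"},
}
HR = {  # source system: user -> (role, still employed?)
    "alice": ("marketing_assistant", True),
    "bob": ("sales_rep", True),
    "carol": ("sales_rep", False),  # has left the organization
}
# (user, application, last_used) as exported from each connected application
ENTITLEMENTS = [
    ("alice", "hubspot", date(2016, 3, 28)),
    ("alice", "sales_lead_system", date(2016, 3, 1)),   # copied from a template
    ("bob", "sales_lead_system", date(2015, 10, 2)),    # licensed but idle
    ("bob", "email", date(2016, 3, 30)),
    ("carol", "sales_lead_system", date(2016, 3, 29)),  # used after leaving
    ("dave", "email", date(2016, 1, 5)),                # no HR record at all
]

def review_access(hr, matrix, entitlements, today, max_idle_days=90):
    """Return sorted (user, app, finding) tuples for access that needs action."""
    findings = []
    for user, app, last_used in entitlements:
        record = hr.get(user)
        if record is None:
            findings.append((user, app, "orphaned: no HR record"))
        elif not record[1]:
            findings.append((user, app, "disable: user has left"))
        elif app not in matrix.get(record[0], set()):
            findings.append((user, app, "revoke: not in role matrix"))
        elif last_used is None or (today - last_used).days > max_idle_days:
            findings.append((user, app, "warn: unused license"))
    return sorted(findings)

def license_savings(findings, cost_per_user_year):
    """Annual cost of the flagged licenses, given per-application yearly prices."""
    return sum(cost_per_user_year.get(app, 0) for _, app, _ in findings)

if __name__ == "__main__":
    results = review_access(HR, ROLE_MATRIX, ENTITLEMENTS, date(2016, 4, 1))
    for user, app, finding in results:
        print(f"{user:6} {app:18} {finding}")
    # $25 per user per year is the article's Sales Lead System figure.
    print("flagged cost/year: $", license_savings(results, {"sales_lead_system": 25}))
```

The order of the checks matters: a departed or unknown user is flagged for disabling regardless of how recently the account was used, since recent activity on such an account is the more serious finding, not a reason to keep it.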

Overall, these solutions and guidelines can help save organizations in any industry a great deal of money and resources. Before looking for cheaper solutions or cutting back to save money, companies should first look at cleaning up their network and removing all unused resources.


 
© Copyright 2016 Auerbach Publications