Comment: Internal Restructuring Can Expose Security Risks

A more effective approach to IAM is to leverage heat maps that provide a simple view into the key areas of access risk, says Lee
Marc Lee, Courion

When making structural changes, organizations often become exposed to hidden security risks, which can lead to significant financial and reputational damage if left unnoticed. This is particularly true when major job cuts or internal reshuffling are involved. In these situations, companies are so busy handling the human aspect of the changes that the security factor is often overlooked.

This creates a need for more effective access risk management strategies that enable organizations to easily modify user access privileges in accordance with internal restructuring, hiring and firing requirements. However, one of the key issues when it comes to effectively managing access risk is the significant gap between access provisioning (i.e., the stage of allocating and provisioning access privileges) and access certification (the stage of reviewing user entitlements).

Most organizations review user entitlements every three, six or 12 months, which exposes organizations to significant security risks related to the access privileges of movers and leavers within the company. This remains a significant challenge because of the lack of real-time views into access risk.

The biggest challenge comes from the complex infrastructure of internal systems and external applications having to access sensitive resources within the organization. In large companies with numerous intricate internal structures, it is difficult to monitor which access rights have been modified, granted or terminated, leaving the organization exposed.

While the need to make large-scale job cuts is unfortunate, necessary restructuring has to then take place. Although a prime concern must be managing the departure of employees sensitively, there are other risks that must also be assessed, which require equally strong attention to detail and processes at what is often a very difficult time.

To align business security with access risk, organizations need simplified, comprehensive insight into which specific areas are causing the highest level of security risk. Yet, dealing with a complicated dashboard that provides data about hundreds of thousands – if not millions – of user relationships can cause more confusion than clarity on the matter of access risk.

A much more effective approach is to leverage heat maps that provide a simple view into the key areas of access risk and allow security experts to delve into specific data if necessary. This approach will make it easier to link access risk to other risk factors, such as compliance issues and policy requirements, while enabling IT staff to locate the causes of security vulnerabilities and assess whether immediate action is necessary to remediate those issues.

Last but not least, to mitigate the security risks arising from major job cuts and business restructuring, organizations need to continuously enforce security policies to ensure compliance with regulatory standards and complete transparency into the access privileges of all users. When employees move between different user groups and require access to diverse information, the challenge for organizations to control access provisions increases. It is vital that only the right people are able to access certain resources for the right reasons, and that access rights are adapted, depending on the changing user roles.

Therefore, organizations require effective technology to continuously analyze risk associated with user access. Whereas it’s easy to ask a former employee to simply hand over office keys, terminating their access rights to applications and resources requires immediate attention.

Businesses need effective mechanisms in place to automatically terminate or change access rights in accordance with internal security policies and employment changes. Identity and access risk management (IAM) technology is the key to resolving these challenges. Real-time monitoring and assessment of risk and automated access provisioning/certification provide organizations with the tools to leverage user access. These solutions enable seamless, cohesive IAM processes to be enforced across enterprises, no matter how big or small, both in the cloud and on premises, so that leavers and movers within an organization do not pose security risks. This will enable organizations to achieve a real-time understanding of access risk, while maintaining full control of user entitlements and access provisioning at a time of major internal changes.


Marc Lee is director EMEA at IAM specialist Courion. Lee has more than a decade of experience in driving business growth of enterprise software providers across the EMEA regions, as well as building partner programs from scratch. Prior to Courion, he was responsible for building business development and channel programs for Imprivata in Northern Europe. He also helped develop key strategic partnerships with Siemens, VMware and Connecting for Health.

Prior to his position at Imprivata, Lee served as the EMEA partner manager for JBoss, where he implemented that company’s partner program and was responsible for building the channel in the UK and EMEA regions.
