Lack of Identity and Access Management presents a security issue
Was reading this article today https://www.informationweek.com/news/showArticle.jhtml?articleID=197800130 and I absolutely agree with it!
Lots of companies use directory services as part of an identity and access management strategy, so I'm actually surprised at only 64% saying they had identity and access management technology. Most companies (like 90% plus) at least use Active Directory or some sort of domain service for authentication - even in small business.
What I do agree with is that poor identity management still causes security issues everywhere. We as IT Professionals give them logon accounts, application accounts and (if you're unlucky enough to be lumped with Lotus Notes or some POP3 thing) an email account too. All of these have separate passwords too. In many cases we're never told by the HR folk when the employee is leaving. Yet when we think about identity management we instantly think about single sign-on (SSO). The problem is that we haven't even thought about how much it's costing us to create a user and retire them, let alone what security issues we are facing. SSO in many cases is about the symptom and not the root cause. It will not fix the core security issue if you have a poor password policy and don't know who has access to what and when. SSO is about convenience, and convenience should never be the business case for security.
I've said in a number of presentations now that we need to think about secure business processes. What is the hire/promote/retire process for an employee? Is that something we can model as a defined process? Think about it. Would the users really complain if they only had one username and one (strong) password to authenticate to each system? Assuming that you don't have some sort of security reason to separate the application access with a different credential (reasons could be that the app is insecure or it's in a different security zone), then you should be able to provision them as they join the organisation and retire their access as they leave. You'll save your business lots of money and make it more secure at the same time!
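The join and leave ends of that process can be modelled as a reconciliation between the HR roster and each system's account list. The sketch below is an added example, not part of the original post; the roster, the three system names and the usernames are constructed sample data, and `reconcile` is a hypothetical helper.

```python
# Constructed sample data: HR is treated as the source of truth for status.
HR_ROSTER = {
    "asmith": "active",
    "bjones": "terminated",   # left, but IT was never told
    "cwu": "active",          # joined, only partly provisioned
}

# Constructed account lists for the three account types the post mentions.
SYSTEM_ACCOUNTS = {
    "directory": {"asmith", "bjones", "cwu"},
    "application": {"asmith", "bjones", "dlee"},
    "email": {"asmith", "bjones"},
}


def reconcile(roster, systems):
    """Compare HR status with per-system accounts.

    Returns (to_disable, to_provision):
      to_disable   - (system, user, reason) for accounts with no active
                     employee behind them
      to_provision - (system, user) for active employees missing an account
    """
    active = {user for user, status in roster.items() if status == "active"}
    to_disable, to_provision = [], []
    for system, accounts in systems.items():
        for user in accounts - active:
            # Distinguish known leavers from accounts HR has never heard of.
            reason = roster.get(user, "not in HR roster")
            to_disable.append((system, user, reason))
        for user in active - accounts:
            to_provision.append((system, user))
    return sorted(to_disable), sorted(to_provision)


if __name__ == "__main__":
    disable, provision = reconcile(HR_ROSTER, SYSTEM_ACCOUNTS)
    for system, user, reason in disable:
        print(f"DISABLE   {system:<12} {user:<8} ({reason})")
    for system, user in provision:
        print(f"PROVISION {system:<12} {user}")
```

Run on a schedule against real exports, the same comparison surfaces leavers whose accounts are still live and accounts that no HR record explains.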