Identity governance is designed to prove that users hold the appropriate rights according to the organization’s policies. This makes clear that regular checks are mandatory in order to meet compliance requirements and security guidelines.
Identity governance – avoid these seven typical pitfalls
Many companies that start an identity governance project don’t know at first in which direction they should go. If, as a consultant, you ask which specific compliance requirements are to be adhered to and checked, the answer is often silence.
As a result, the problem is not clearly defined because there is no requirements management. The motivation for the project is never questioned, expectations are not aligned, the project goes off course and the goals are not achieved.
When an identity governance project started to check compliance and IT security requirements goes wrong, the company’s disappointment is great and someone has to take the blame: what was done wrong, when and where, or even forgotten? Experience shows that a lack of communication often leads to these seven typical mistakes, which cause many identity governance projects to fail.
Identity Governance Mistake #1: Too much focus on technology
More important than the technology are the individual requirements of the company. Which problems and which potential vulnerabilities should an identity governance solution uncover? The focus should be on the customer’s business requirements and their compliance requirements. Only then should attention turn to the possible identity governance products and the required budget. The return on investment (ROI) of identity governance is measured by the detection and systematic elimination of vulnerabilities and by a sustainably reduced risk.
Identity Governance Mistake #2: Lack of internal responsibilities and accountabilities
Many companies leave the responsibility entirely in the hands of the service provider. This is a mistake, because identity governance is not a purely technological issue. Rather, it is a process that involves two parties who should work together as partners.
A good IT security service provider keeps the business an integral part of the project at all times: in the form of a project manager and a mixed team with people who understand both the technical perspective and the business requirements and needs. At all times, companies must be able to understand the project, know the boundaries, and learn to read and understand the results of the identity governance system. Regular monitoring of the progress of the project – measured against the implementation concept – is as much a part of successful implementation as the work of the service provider.
Identity Governance Mistake #3: No project without an implementation concept
The most frequent and most serious mistake: companies forget to turn a technical concept into an implementation concept. The technical concept consists of requirements and functional specifications and is created jointly by the parties involved: based on the company’s performance requirements for the service provider (requirements specification), the contractor produces specifications for the technical implementation (functional specification).
A technical concept describes the big picture, while an implementation concept goes into detail: What is the underlying process behind the individual components of a project? What is the status quo at the time the consultant enters the project? What data is to be processed? How will analyses and reports be tested when they are ready?
Every process and every attribute in the identity and access management system that needs to be changed is recorded in writing in the implementation concept and integrated into a fixed time schedule. A simple example: within a process, the consent of an approver is to be required in future. The business concept specifies that the approver is to be informed by e-mail. However, this specification alone is not sufficient.
Many stumbling blocks lurk here that companies can trip over during the approval process. What exactly does the e-mail to the approver say? Who is the sender? Does the e-mail need to be digitally signed? All these details are specified in advance in an implementation concept and thus leave no room for surprises during acceptance.
Identity Governance Mistake #4: Identity governance is not an objective in itself
Many companies invest in an identity governance system without conducting a performance review. If you want to know or have to prove whether identity governance is worthwhile, you have to compare the total costs with the actual reduction in risks. But how can risk reduction be measured and evaluated? What are suitable KPIs?
One metric can be the percentage of accesses and user rights that have been deactivated or deleted thanks to identity governance. It is true that this metric is influenced by various factors and fluctuates, for example when a company hires new employees, restructures divisions or lays off employees. However, if these fluctuations are taken into account, reliable and meaningful statements can be made, and these can be used to measure the ROI of identity governance realistically.
Identity Governance Mistake #5: Close Your Eyes and Walk Away
Checking compliance with access policies is usually time-consuming and costly, but unavoidable. Even optimally configured access authorizations cannot completely prevent an administrator or user from doing something unauthorized. In addition to regular audits, identity governance must therefore keep a watchful eye at all times.
Our identity governance solutions permanently monitor compliance and automatically report rule violations. This information is available in the portal and as reports. Reports on user behavior can also be generated at any time at the push of a button.
Identity Governance Mistake #6: The Return of the Zombies
If an employee changes departments or leaves the company altogether, the associated user accounts are often neither migrated nor deleted. These account corpses run the risk of being resurrected as zombies. If an employee leaves the company, the IAM system should delete or deactivate their access to information and applications as quickly as possible. This is the only way to prevent them from reactivating their account at a later date to use the company’s infrastructure illegally or even steal sensitive information. Zombie accounts are also welcome gateways for cyber criminals.
Another typical mistake concerns the revocation of rights: when employees take on a new function in the company, or temporarily need extended rights for a project, they are granted the new rights but the old ones are not revoked.
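The two failure modes described in this section, leaver accounts that stay enabled and rights that survive a department change, can be caught by reconciling the IAM account list against the HR roster. The following is an added illustration, not code from the original article or from any product; the HR records, accounts and the department-to-entitlement baseline are constructed sample data, and the mapping `ROLE_BASELINE` is a hypothetical simplification of a real role model.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Identity:           # one row of the HR roster (constructed)
    user: str
    department: str
    status: str           # "active" or "left"
    left_on: Optional[date] = None

@dataclass
class Account:            # one account as exported from the IAM system (constructed)
    user: str
    enabled: bool
    entitlements: set = field(default_factory=set)

# Hypothetical role model: which entitlements a member of each department should hold.
ROLE_BASELINE = {
    "finance": {"erp-read", "erp-post"},
    "sales":   {"crm-read", "crm-edit"},
}

def find_zombie_accounts(hr, accounts, today, grace_days=0):
    """Accounts still enabled although HR lists the person as having left."""
    left = {i.user: i for i in hr if i.status == "left" and i.left_on}
    return sorted(a.user for a in accounts
                  if a.enabled and a.user in left
                  and (today - left[a.user].left_on).days >= grace_days)

def find_stale_entitlements(hr, accounts):
    """Rights an active user holds that belong only to another department's
    baseline, i.e. rights that were not revoked after a department change."""
    active = {i.user: i for i in hr if i.status == "active"}
    findings = {}
    for acct in accounts:
        ident = active.get(acct.user)
        if ident is None or not acct.enabled:
            continue
        own = ROLE_BASELINE.get(ident.department, set())
        foreign = set().union(*(e for d, e in ROLE_BASELINE.items() if d != ident.department))
        stale = acct.entitlements & (foreign - own)
        if stale:
            findings[acct.user] = sorted(stale)
    return findings

# Constructed sample: alice moved from sales to finance and kept crm-edit; carol left in January.
HR = [Identity("alice", "finance", "active"), Identity("bob", "sales", "active"),
      Identity("carol", "sales", "left", date(2024, 1, 15))]
ACCOUNTS = [Account("alice", True, {"erp-read", "erp-post", "crm-edit"}),
            Account("bob", True, {"crm-read", "crm-edit"}),
            Account("carol", True, {"crm-read"})]
```

Running both checks on the sample flags `carol` as a zombie account and `alice` for the unrevoked `crm-edit` right; in practice the same reconciliation is scheduled as a recurring control and its findings feed the removal metric discussed under Mistake #4.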
Identity Governance Mistake #7: The Attack of the Clone Wars
When a new employee joins a company, an existing user profile that roughly matches their function and tasks is often simply copied. The hope is that this approach saves time. However, it regularly gives new users more rights than they actually need. The remedy is an identity and access management system that automatically proposes to superiors the user authorizations that correspond to a new employee’s area of responsibility. Based on this pre-selection, individual yet time-efficient decisions can be made and the appropriate user authorizations assigned.
Identity Governance – Conclusion & Outlook
Used correctly, identity governance is one of the most powerful tools for increasing IT security in companies. Companies are challenged to avoid the mistakes described above right from the start, or at least not to repeat them in future.
Utilize our expertise from numerous projects and secure your business!