Blog - IT District GmbH

Identity Governance: Seven typical pitfalls that companies should avoid

Identity and Access Management solutions have been developed due to the increasing complexity of IT environments and constantly rising requirements for the allocation and control of user authorizations. Identity and Access Management systems focus on the company-wide administration of users and their rights. Due to the ever-increasing threat situation and the associated stricter regulations, simple Identity and Access Management solutions are no longer sufficient in many cases.

Auditors and accountants demand a comprehensible insight into the allocation of user authorizations. This is where modern identity solutions come into play.

Identity governance is designed to prove that users have the appropriate rights based on the organization’s policies. This makes it clear that regular checks are mandatory in order to meet compliance requirements and security guidelines.

Identity governance – avoid these seven typical pitfalls

Many companies that start an identity governance project do not know at first in which direction they should go. If, as a consultant, you ask which specific compliance requirements are to be adhered to and checked, the answer is often silence.

As a result, the problem is not clearly defined because there is no requirements management: nobody asks about the motivation for the project, expectations are not aligned, the project goes wrong and the goals are not achieved.

If an identity governance project that was started to check compliance and IT security requirements goes wrong, the disappointment of the company is high, and someone has to take the blame: what was done wrong, when and where, or even forgotten altogether? Experience shows that a lack of communication often results in these seven typical mistakes, which cause many identity governance projects to fail.


Identity Governance Mistake #1: Too much focus on technology

More important than the technology are the individual requirements of the company. What problem and what potential vulnerabilities should an identity governance solution uncover? The focus should be on the customer’s requirements and their compliance requirements. Only then should the focus shift to the possible identity governance products and the required budget. The return on investment (ROI) in identity governance is measured by the detection and systematic elimination of vulnerabilities and by a sustainably reduced risk.


Identity Governance Mistake #2: Lack of internal responsibilities and accountabilities

Many companies leave the responsibility entirely in the hands of the service provider. This is a mistake, because identity governance is not a purely technological issue. Rather, it is a process that involves two parties who should work together as partners.

A good IT security service provider keeps the business an integral part of the project at all times: in the form of a project manager and a mixed team with people who understand both the technical perspective and the business requirements and needs. At all times, companies must be able to understand the project, know the boundaries, and learn to read and understand the results of the identity governance system. Regular monitoring of the progress of the project – measured against the implementation concept – is as much a part of successful implementation as the work of the service provider.


Identity Governance Mistake #3: No project without an implementation concept

The most frequent and most serious mistake: companies forget to turn a functional concept into an implementation concept. The functional concept consists of requirements and functional specifications and is created by the respective business departments: based on the company’s performance requirements for the service provider (requirements specification), the contractor derives specifications for the technical implementation (functional specification).

The functional concept describes the big picture, while the implementation concept goes into detail: What is the underlying process behind the individual components of a project? What is the status quo at the time the consultant enters the project? What data is to be processed? How will analyses and reports be tested when they are ready?

Every process and every attribute in the identity and access management system that needs to be changed is recorded in writing in the implementation concept and integrated into a fixed time schedule. A simple example: within a process, the permission of an approver is to be required in the future. The functional concept specifies that the approver is to be informed by e-mail. However, this specification alone is not sufficient.

Many stumbling blocks lurk here, and companies can trip over them during the approval process. What exactly does the e-mail to the approver say? Who is the sender? Does the e-mail need to be digitally signed? All these details are specified in advance in an implementation concept and thus leave no room for surprises during acceptance.


Identity Governance Mistake #4: Identity governance is not an objective in itself

Many companies invest in an identity governance system without conducting a performance review. If you want to know or have to prove whether identity governance is worthwhile, you have to compare the total costs with the actual reduction in risks. But how can risk reduction be measured and evaluated? What are suitable KPIs?

One metric can be the percentage of accesses and user rights that have been deactivated or deleted thanks to identity governance. It is true that this metric is influenced by various factors and fluctuates: when a company hires new employees, restructures divisions or even lays off employees. However, once these fluctuations are taken into account, reliable and meaningful statements can be made. These can be used to realistically measure the ROI of identity governance.


Identity Governance Mistake #5: Close Your Eyes and Walk Away

Controlling compliance with access policies is usually time-consuming and costly – but unavoidable. Even optimally configured access authorizations cannot completely prevent an administrator or user from doing something unauthorized. In addition to regular audits, identity governance must therefore always keep a watchful eye.

Our identity governance solutions permanently monitor compliance and automatically report rule violations. This information is available in the portal and as reports. Reports on user behavior can also be generated at any time at the push of a button.


Identity Governance Mistake #6: The Return of the Zombies

If an employee changes departments or leaves the company altogether, the associated user accounts are often not migrated or deleted. These account corpses run the risk of being resurrected as zombies. If an employee leaves the company, the IAM system should delete or deactivate access to information and applications as quickly as possible. This is the only way to prevent them from reactivating their account at a later date to illegally use the company’s infrastructure or even steal sensitive information. Zombie accounts are also welcome gateways for cyber criminals.

Another typical mistake concerns the revocation of rights: when employees take on a new function in the company, or temporarily need extended rights for a project, they are given the new rights but the old ones are not revoked.


Identity Governance Mistake #7: The Attack of the Clone Wars

When a new employee joins a company, administrators often simply copy an existing user profile that roughly corresponds to the new hire’s function and tasks in the company. The hope is that this approach will save time. However, it regularly gives new users more rights than they actually need. The remedy is an identity and access management system that automatically proposes to superiors the user authorizations that correspond to a new employee’s area of responsibility. Based on this pre-selection, individual yet time-efficient decisions can be made and the appropriate user authorizations assigned.
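A reconciliation check that flags the three conditions described under mistakes #6 and #7: zombie accounts of leavers that are still enabled, rights left behind when someone changes role, and the excess rights a cloned profile carries. This is an added example, not code from the original post or from IT District; the HR roster, role baselines and account store are constructed sample data.

```python
# Constructed sample data (assumption, not from the original post): HR roster,
# the entitlements each role legitimately needs, and the account store to review.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob":   {"status": "left",   "role": "finance"},   # leaver whose account is still enabled
    "carol": {"status": "active", "role": "sales"},     # mover: was in finance before
    "dave":  {"status": "active", "role": "finance"},   # joiner created by cloning alice
    "erin":  {"status": "left",   "role": "sales"},     # leaver, correctly disabled
}
ROLE_BASELINE = {
    "finance": {"erp_read", "erp_post"},
    "sales":   {"crm_read", "crm_write"},
}
ACCOUNT_STORE = {
    "alice":   {"enabled": True,  "entitlements": {"erp_read", "erp_post", "erp_admin"}},
    "bob":     {"enabled": True,  "entitlements": {"erp_read"}},
    "carol":   {"enabled": True,  "entitlements": {"crm_read", "crm_write", "erp_post"}},
    "dave":    {"enabled": True,  "entitlements": {"erp_read", "erp_post", "erp_admin"}},
    "erin":    {"enabled": False, "entitlements": {"crm_read"}},
    "mallory": {"enabled": True,  "entitlements": {"vpn"}},   # no HR record at all
}

def review_accounts(hr, baseline, accounts):
    """Return {user: (category, details)} for every account that violates policy.

    'orphan': enabled account with no HR record behind it
    'zombie': HR says the person has left, but the account is still enabled
    'excess': active user holds entitlements outside the current role baseline
              (rights left over from a previous role, or copied from a cloned profile)
    """
    findings = {}
    for user, acct in accounts.items():
        record = hr.get(user)
        if record is None:
            if acct["enabled"]:
                findings[user] = ("orphan", [])
            continue
        if record["status"] != "active":
            if acct["enabled"]:
                findings[user] = ("zombie", [])
            continue  # disabled leaver accounts are the desired end state
        excess = acct["entitlements"] - baseline.get(record["role"], set())
        if excess:
            findings[user] = ("excess", sorted(excess))
    return findings

if __name__ == "__main__":
    for user, (cat, det) in sorted(review_accounts(HR_ROSTER, ROLE_BASELINE, ACCOUNT_STORE).items()):
        print(f"{user:8} {cat:7} {' '.join(det)}")
```

Feeding the findings back into the recertification workflow is what turns the check into the periodic review the post calls for; a single run only shows the current backlog.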


Identity Governance – Conclusion & Outlook

Used correctly, identity governance is one of the most powerful tools for increasing IT security in companies. Companies are challenged to avoid the above-mentioned mistakes right from the start – or at least not to commit them in the future.

Utilize our expertise from numerous projects and secure your business!
