Published: 27 August 2010
This final blog of the series looks at why respondents to the IT Security Administrators Survey highlighted Identity and Access Management (IAM) as an area that would make their life easier. We’ll start by relating an interesting conversation we had recently with a well-known Managed Service Provider (MSP). They were managing the network of a large global company, and one of their biggest headaches was managing administrator access to devices. They had just gone through a program updating privileged user rights across all devices when the client advised that they needed to revoke one user across a few hundred devices. It took them 9 hours and they were not happy about it.
If a global company and a leading MSP haven’t got their act together around privileged user IAM, then I’d imagine most organisations haven’t either.
Take the provisioning, revoking and changing of privileged user rights. Best practice would see all privileged users issued with a unique user ID from which they could access all their authorized devices using strong authentication. Access rights would be easily changed and a user’s ID could be quickly revoked across all devices.
Although organisations aim to achieve best practice, in reality they never achieve it because there are just too many hurdles to overcome. With an ever-changing number of administrators, third parties, auditors and others needing privileged user access, the real challenge for organisations is having enough resources, time and budget to manage these users. Many organisations just can’t meet this challenge, and most end up doing it so inefficiently that it puts a huge strain on existing resources and impacts operational budgets as well. Both cases lend weight to the benefits of IAM and how it makes administrators’ lives easier.
Another related area from the survey is the need for a Single Sign-On (SSO) solution. The story I started with goes some way to explaining this. Organisations can have hundreds or even thousands of devices, so administrators without the benefits of SSO will have to log in to each of their devices separately. This is a real headache for administrators and a security risk for the organisation, particularly if they are writing down access details or using the device’s common admin password.
So why didn’t organisations deploy IAM solutions more readily in the past? There are of course many reasons, but cost has always been a big constraint as organisations tend to look at an IAM solution for the whole company rather than individual groups, such as privileged users.
Nowadays, though, there are a number of affordable IAM solutions just for privileged users, which utilize both Strong Authentication and SSO. With solutions that take just a few moments to set up, role-based privileged users can be provisioned or revoked across multiple devices in seconds. These solutions allow roles and access rights to be easily changed and the use of common admin passwords to be eliminated.
In deploying an IAM solution for privileged users, an organisation not only makes its employees’ lives easier but can also follow Best Practice principles. Perhaps the biggest benefit is strengthening the security processes around privileged user activities and ensuring that when a user is revoked, the accounts are automatically revoked across all devices. Plus, with these solutions preventing the use of common admin passwords, any leavers no longer walk away with security access credentials, which also reduces operational risk considerably.