So many risks can be reduced by cleaning up user accounts and keeping them that way. Just think if, for any system your auditors looked at, you could instantly reconcile each and every account by showing its legitimate business purpose and ownership in terms of the
- account existing in the first place
- privileges the account is assigned
- account's current status
- timeliness of relevant business events in relation to actual changes to the account
That isn't just good for compliance – that helps reduce all kinds of security risks.
So why is that so hard? And I know it is difficult because of what I see in my audit practice.
Consider this: A healthy organization today is anything but static. Growing enterprises are always hiring new talent, enabling employees to pursue new opportunities within the organization, and seeing some employees leave the organization. They often make use of contractors and other temporary resources who come and go. Moreover, the organization’s employee base can change radically due to mergers and acquisitions.
Such changes can keep organizations vibrant and successful, but they also often introduce risk. Over time, the changes pile up and the enterprise may discover it can no longer be sure that users have access to only the resources they need to do their jobs or even that accounts are deleted promptly when a user leaves the organization. The organization recognizes that it is at risk of security breaches and compliance violations. But cleaning up the existing identity store — and keeping it cleaned up — can seem like insurmountable tasks.
Plus, in real life there are necessarily a lot of accounts that don't correspond to individual persons: shared accounts, system and application accounts, and support and security accounts.
Normally I base my real-training for free webinars on showing you methods and processes and how to leverage your existing technology to solve problems. And in this webinar I will
- show you key ways to link accounts in different systems with their corresponding employee, contractor or other organizational structure
- share tips on cleaning up user accounts
- trap important business events that should trigger changes to accounts
While manual cleanup is possible for some organizations, automation is advisable if any of the following conditions exist:
- more than 1,000 users
- no reliable master structure for administration of unique IDs
- HR systems in principle could suffice, but I've found using the HR system to assign IDs is problematic. Actually, employees are sometimes using company systems for weeks before being entered into HR systems just in time for payroll processing. There are many people who aren't employees at all but still need accounts.
- organization structures have grown over time
- lack of documentation
- uncompleted migration projects that have left behind old, unmaintained systems
- mergers and acquisitions
- multiple HR and ERP systems
- multiple directory services
- data models are too different between different instances of even the same system
These and other factors require automation and I'm going to show you how a good identity management solution can
- automate the account cleanup process
- map the organizational complexity between all systems under management
- ensure each person has a unique ID that is valid organization-wide
- ensure each account on each IT system is assigned a unique ID
- ensure assignment of employees to organizational structures and functional units is unique and consistent
With help from George Cerbone, Principal Solutions Architect from Dell, I'll be using Dell One Identity Manager to demonstrate how organizations requiring automation can solve this problem.
Please register now for this real training for free™ event. My goal is to show what it takes for your organization to clean up your existing user accounts quickly and maintain them efficiently and transparently. This will not only reduce your security risk, but also provide a trustworthy foundation for future initiatives such as single sign-on (SSO) or federation.