How to take charge of access management

Security is often made out to be much more complicated than it needs to be. Much of it boils down to a simple premise: making sure that only the right people have access to only the right data. 

Straying from this premise is where things can go wrong. If a user has access to data they don’t need, you could be in trouble. And if a non-user winds up with access to your data – well, that’s just a fancy way of saying you’re up a creek.

A recent study by SailPoint shows why identity and access management – the practice of regulating who has access to what on your systems – is such a big deal.

It found:

  • 53% of survey respondents said they had experienced a data breach, and
  • 52% had employees within the company access data they shouldn’t have been able to.

On top of that, only slightly more than half (54%) were “very confident” in their ability to grant or revoke employee access. Another 35% were somewhat confident, and the remaining 11% indicated they weren’t sure of their ability to control access.

It’s not getting easier

As with most things, the cloud and BYOD have only compounded the threats to security. With so much data able to be accessed off-site, exercising control over that access has become more important than ever.

The survey found that an average of 39% of mission-critical applications are already in the cloud. By 2016, survey participants expected 59% to be there.

And while 82% of survey respondents said employees are allowed to use personal devices for work, only 41% remove critical data from those devices when workers leave.

Critical group

If nothing else, IT should work to ensure that outgoing employees have their privileges revoked ASAP.

While IAM tools are helpful for this task, it’s equally critical to have solid policies in place.

Make sure to:

  • Coordinate with other departments. Make sure HR and other managers keep you in the loop when employees are fired or leave the company. Especially in cases of firings, you’ll want to revoke credentials immediately.
  • Stay informed of role changes. If an employee moves mostly off-site, gets a new position or takes on a different role, their access needs might also change. Informing IT of these changes has to be part of a solid policy.
  • Conduct regular checks. Run regular reports to see who is accessing data. If requests are coming at strange times or mostly off-site, that’s something you’ll want to look into. It could be nothing, but it could also be an early warning of a breach.
  • Enforce password security strictly. If multiple users are sharing a password, nothing good can come of it. A shared password ensures that users who leave the company will still be able to access old accounts. The same goes for rotating passwords or using variations on the same one.
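
The "Conduct regular checks" item above, sketched as an added example (not from the original article): a report over an access log that flags requests from departed employees, requests at strange times, and off-site requests. The log layout, office network range, business hours, user names and sample rows are all constructed assumptions.

```python
import csv, io, ipaddress
from datetime import datetime

# Assumptions (not from the article): office network, business hours, log layout.
OFFICE_NET = ipaddress.ip_network("10.20.0.0/16")
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time

# Constructed sample data: HR departure dates and an access log.
DEPARTED = {"mlopez": datetime(2024, 3, 1)}
SAMPLE_LOG = """timestamp,user,source_ip,resource
2024-03-04T10:15:00,asmith,10.20.4.17,/finance/q1.xlsx
2024-03-05T02:41:00,asmith,10.20.4.17,/finance/q1.xlsx
2024-03-05T11:02:00,bchen,203.0.113.50,/hr/salaries.csv
2024-03-06T09:30:00,mlopez,198.51.100.7,/sales/customers.csv
2024-02-20T14:00:00,mlopez,10.20.8.3,/sales/customers.csv
"""

def review_access(log_text, departed=DEPARTED):
    """Return (user, timestamp, resource, reasons) for each row needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        reasons = []
        left = departed.get(row["user"])
        if left is not None and ts >= left:
            reasons.append("departed-user")  # credentials were never revoked
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            reasons.append("off-hours")      # night or weekend request
        if ipaddress.ip_address(row["source_ip"]) not in OFFICE_NET:
            reasons.append("off-site")
        if reasons:
            findings.append((row["user"], row["timestamp"], row["resource"], reasons))
    return findings

def offsite_ratio(log_text):
    """Per-user fraction of requests from outside the office network."""
    counts = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        total, off = counts.get(row["user"], (0, 0))
        off += ipaddress.ip_address(row["source_ip"]) not in OFFICE_NET
        counts[row["user"]] = (total + 1, off)
    return {user: off / total for user, (total, off) in counts.items()}

if __name__ == "__main__":
    for user, ts, resource, reasons in review_access(SAMPLE_LOG):
        print(f"{ts}  {user:8} {resource:24} {', '.join(reasons)}")
    print(offsite_ratio(SAMPLE_LOG))
```

A "departed-user" finding means revocation failed and needs action right away; the other two flags are prompts to look closer, not proof of a breach.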
