Paweł Łąka

Project Director

The risks of not having an Identity and Access Management system

IAM

A strong Identity and Access Management system (IAM) is particularly important for large companies. It provides the means for close control of user access, which reduces the risk of external and internal data security breaches.

Even so, some companies are hesitant to implement a centralized IAM. What risks do such companies run?

Problematic data security and difficult audits

Without a central identity management system, data control issues are a very real possibility. System architects generally aim to design applications with a high level of security, but with no central identity management system every project team has to build authentication and authorization into each newly created system itself. When developing or implementing new applications, project schedules and costs tend to be tight; thus, the team focuses on the functionalities needed to meet their core business goals. Security is often “left until later” or relegated to second place in the rush to get things done. The more data sources there are, the higher the risk involved in their secure storage and maintenance.

And the risks don’t evaporate once the application is working. Strictly controlling user access in a multi-system environment is notoriously difficult. When roles, groups, and authorization levels are implemented independently in each system, efficient verification and control of access becomes virtually impossible. In such a situation, teams tasked with data security and protection have no way to promptly verify all applications and systems. Meanwhile, the developers and administrators of these systems, lacking a clearly defined process, may grant access to confidential information to people who have no right to it.

The above situation makes data security audits exceptionally difficult. Verifying the access of a single user may require analyzing multiple systems, their internal implementation, and their integration with databases.


Too much data access

According to a 2018 study by Cybersecurity Insiders, 90% of organizations feel exposed to internal attacks. Another survey found that 75% of security incidents result from internal risks.

The most significant and frequent cause of security issues is excessive employee access – giving employees authorization to too much data and too many applications. How does this happen? Well, if there are no clear role definitions, if there are inaccurate identity classifications, or if users are receiving access to all data in applications, problems will arise.

Therefore – and despite investments in systems protecting corporate networks against external attacks – we can still see numerous serious breaches and data leaks. Unfortunately, even specific job contracts or employee training courses are not enough to fix the problem. Companies must have firm control over employee access, both internal and external, to mitigate the threat of serious security incidents and data leaks.

Inefficient identity lifecycle management

The identity lifecycle is another area that greatly benefits from IAM.

In any organization, change is a constant. New employees are hired, current employees leave or change positions within the company, job roles are altered... Change is ongoing, and every such change requires granting and revoking authorizations. If we are not using centralized IT tools to manage this lifecycle, handling all the relevant processes takes much more time. No automatic data synchronization means continuous analysis and verification – as well as manually adding, deleting, and modifying authorizations.

In large corporations with many procedures but no IAM system, new employees may wait weeks before receiving access to the applications they need. Not infrequently these applications are the very tools needed to perform daily duties. This is usually because each new person has to be granted authorization in every application separately, under separate approval procedures. This wastes time for system administrators, service desk teams, and the employees themselves.

A comparable problem occurs when removing access authorization, e.g. when an employee leaves the company. For obvious reasons the person concerned is no longer chasing the issue, so access authorizations remain active for some time – a flagrant violation of security regulations! This risk should not be ignored: it’s not uncommon for things to get a bit rough after an employee leaves, and having no clear record of all the authorizations granted to that employee makes shutting them out of the systems even more troublesome.
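The audit and lifecycle problems described above (verifying one user's access across many systems, leavers whose authorizations stay active, and users holding more or less access than their role warrants) come down to reconciling what each system reports against an authoritative HR roster and a role baseline. The following Python script is an added example, not code from the original post; the roster, role definitions, system names and entitlement names are all constructed sample data, and a real deployment would pull them from the HR system and each application's own access export.

```python
"""Reconcile per-system access grants against an HR roster and role baseline.

All data below is constructed for illustration; it does not come from any
real organization.
"""

# Role baseline: the (system, entitlement) pairs each job role is expected to hold.
ROLE_BASELINE = {
    "accountant": {("erp", "ledger-read"), ("erp", "ledger-post"), ("crm", "contact-read")},
    "sales": {("crm", "contact-read"), ("crm", "contact-write")},
    "dev": {("git", "repo-write"), ("ci", "pipeline-run")},
}

# HR roster: the authoritative source of who exists, their role and their status.
HR_ROSTER = {
    "alice": {"role": "accountant", "status": "active"},
    "bob": {"role": "sales", "status": "active"},
    "carol": {"role": "dev", "status": "terminated"},   # left the company
}

# Grants as each system reports them. "dave" is unknown to HR entirely.
SYSTEM_GRANTS = {
    "erp": {"alice": {"ledger-read", "ledger-post", "admin"}, "dave": {"ledger-read"}},
    "crm": {"alice": {"contact-read"}, "bob": {"contact-read"}, "carol": {"contact-read"}},
    "git": {"carol": {"repo-write"}},
    "ci": {"bob": {"pipeline-run"}},
}


def flatten_grants(system_grants):
    """Build the per-user view an auditor wants: {user: {(system, entitlement), ...}}.

    Without a central IAM this is exactly the data that has to be gathered
    from every system separately before a single user's access can be verified.
    """
    per_user = {}
    for system, users in system_grants.items():
        for user, entitlements in users.items():
            per_user.setdefault(user, set()).update((system, e) for e in entitlements)
    return per_user


def reconcile(hr_roster, role_baseline, system_grants):
    """Return findings in four categories:

    orphaned: grants held by users HR has no record of
    leaver:   grants still active for users HR marks as terminated
    excess:   grants an active user holds beyond their role baseline
    missing:  baseline entitlements an active user does not have
    """
    actual = flatten_grants(system_grants)
    findings = {"orphaned": {}, "leaver": {}, "excess": {}, "missing": {}}

    for user, grants in actual.items():
        record = hr_roster.get(user)
        if record is None:
            findings["orphaned"][user] = grants
            continue
        if record["status"] != "active":
            findings["leaver"][user] = grants
            continue
        extra = grants - role_baseline.get(record["role"], set())
        if extra:
            findings["excess"][user] = extra

    for user, record in hr_roster.items():
        if record["status"] != "active":
            continue
        lacking = role_baseline.get(record["role"], set()) - actual.get(user, set())
        if lacking:
            findings["missing"][user] = lacking

    return findings


if __name__ == "__main__":
    for category, users in reconcile(HR_ROSTER, ROLE_BASELINE, SYSTEM_GRANTS).items():
        print(f"== {category} ==")
        for user, grants in sorted(users.items()):
            print(f"  {user}: {sorted(grants)}")
```

On the sample data the report flags dave as an orphaned account in the ERP, carol as a leaver who still has CRM and git access, alice holding an ERP "admin" entitlement outside the accountant role, and bob lacking the CRM write entitlement his sales role calls for. The "excess" and "missing" categories are the "too large or too small" access pools the article describes; the "leaver" category is the offboarding gap, and an IAM system that owns the roster and pushes deprovisioning to every connected application is what makes this reconciliation unnecessary rather than a periodic manual chore.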

SSOs become SPOFs

Very often, identity management is implemented as a single monolithic SSO system. But having one SSO system responsible for so many vital functionalities naturally turns that SSO into a Single Point of Failure (SPOF), and a monolith is harder to restore when a breakdown occurs.

Incorrect allocation of identities to applications, no clear role definitions, or inaccurate classification of identities all result in users receiving access to data pools that are either too small or too large. This may disrupt users’ work and, as a consequence, bring business to a halt. If no clear roles are defined, administrators often have two choices: to grant excessive access or refuse it altogether. Neither is ideal. A separate, centralized IAM system allows administrators to manage access to resources in a more efficient way.

Additionally, SSO systems can be tasked with communicating with customer applications and maintaining sessions. This can be better managed by the IAM system, which will ensure proper access management for employees and customers.

More work for the help desk

Expired or forgotten password? Locked user account? These scenarios keep the IT support desk continuously busy. A central system that manages static passwords could enable users to resolve these problems themselves, without involving the IT support team. Such systems allow administrators to automate these common and time-consuming tasks, which saves money. Any lack of adequate password management means more manual work for the IT department.

Taking risks in security doesn’t pay

Fewer companies are opting for big monolithic systems with multiple functionalities. Instead, the common trend is to build applications that provide specific capabilities. At the same time, management is becoming well aware that running unnecessary security risks does not pay – particularly when access to sensitive data is in question.

For these reasons, a number of organizations have decided to implement IAM systems. As security regulations tighten and controlling access to data becomes ever more critical, take stock of your own organization’s security measures. Are they enabling your business to perform at its peak, or are they slowing you down with operational inefficiencies? Is your information securely and properly restricted, or is there a great deal of user access to it? If that is the case, I encourage you to learn more about Identity and Access Management systems.