Unlike flocks where the group stays together while on their way to migrate South, groups inside companies are constantly changing. They pop up regularly for long and short-term projects, add or delete members on a regular basis and always have, hopefully, a sunset clause.
Setting up manual, rule-based group management from an identity management perspective can be a time-consuming nightmare for both the managers tasked with running groups and the IT personnel who have to assist them. While this is a critical requirement within any organization, it is a time-consuming task that has historically been overlooked by most, if not all, access compliance software. Like so much of the movement in the identity and access management space, there is a need to put control into the hands of business users, as long as any automated process follows a strong, auditable workflow.
Compounding this dilemma is one very striking fact revealed by the Ponemon Institute’s “2011 Annual Study: U.S. Cost of a Data Breach” report, released earlier this year. As Christopher Burgess posts over at CSO, more than one-third of all data breaches — 39 percent — result from negligence or malfeasance of an employee or contractor. That stands as the single largest threat of any of those identified in the report by the Ponemon Institute and reminds organizations that the enemy within is more dangerous than the enemy outside.
What this says to me is that as much as we need firewalls and encryption on our repositories of data, we need to be even more diligent and cognizant of the threat posed by the people who access that data on a daily basis. Moreover, identity management and access certification diligence needs to start with the people who are directly responsible for the employees working with sensitive data — i.e., managers and supervisors. However, to take what has for decades been a technology or IT Department responsibility and effectively manage it at a point closer to the user would take an innovative approach to self-service group management and likely also requires some form of automatic group management.
Flocking to a Solution
Some might think that self-service group management is idealistic thinking — perhaps even “flighty”. It can be done, though. In my wish list of components any self-service group management solution should have, I would include at least the following:
- The ability to add groups without involving IT. It should allow anyone in an organization to request membership in a group while workflow automation controls the changes.
- Be able to establish ownership. Certainly any self-service group management solution worth its salt should allow users to set primary and secondary owners while making business owners responsible for group renewals and management. Such audit controls effectively limit risk from identity management, access certification, and governance flaws.
- Control group creation. Let’s eliminate mistakes before they are made by preventing group requests from users in the wrong department or location, leveraging attribute-based permissions through rule-based group management.
- Prevent groups with similar names or identical memberships from being created. I hate that. Duplicate groups are not only confusing; blocking them avoids redundant group membership and enforces the reasonable naming conventions that should be part of any self-service group provisioning solution.
- Modify a group by requesting membership changes: new members, departing members, new owners, or, if everyone just hates it, a new name or description for the group.
- A great wizard. I don’t want to spend time trying to figure out how to use it properly.
- It should auto-delete groups when they have finally achieved their purpose. I am sure Dilbert would agree with me on this one. But give the group owner a heads-up before erasing the group in case a bit more time is needed.
- Allow the business owner full control over their group management software by enabling them to request the deletion of a group from their network and applications. Is that too much to ask?
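As an added example (not part of the original post and not Avatier's product code), the small Python policy check below covers three items on the wish list: attribute-based rules on who may create a group, detection of similar names or identical memberships, and a sunset clause with an owner heads-up before deletion. The rule table, attribute names and sample groups are constructed for the illustration.

```python
from datetime import date, timedelta
import re

# Constructed attribute-based rule set (hypothetical): a name prefix maps to the
# departments and locations whose users may request groups under that prefix.
RULES = {
    "fin-": {"departments": {"Finance"}, "locations": {"NYC", "London"}},
    "eng-": {"departments": {"Engineering"}, "locations": {"SF", "NYC"}},
}

def normalize(name):
    """Collapse case, punctuation and whitespace so 'Fin Audit' and 'fin-audit' collide."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def evaluate_request(requester, name, members, existing_groups):
    """Return the list of policy violations; an empty list means the workflow may proceed."""
    problems = []
    prefix = next((p for p in RULES if name.lower().startswith(p)), None)
    if prefix is None:
        problems.append("name does not follow an approved prefix convention")
    else:
        rule = RULES[prefix]
        if requester["department"] not in rule["departments"]:
            problems.append(f"department {requester['department']} may not request {prefix}* groups")
        if requester["location"] not in rule["locations"]:
            problems.append(f"location {requester['location']} may not request {prefix}* groups")
    for group in existing_groups:
        if normalize(group["name"]) == normalize(name):
            problems.append(f"similar name already exists: {group['name']}")
        elif set(group["members"]) == set(members):
            problems.append(f"identical membership already exists in {group['name']}")
    return problems

def sunset_status(group, today, warn_days=14):
    """Sunset clause: 'active', 'warn-owner' (heads-up before deletion) or 'delete'."""
    if today >= group["expires"]:
        return "delete"
    if today >= group["expires"] - timedelta(days=warn_days):
        return "warn-owner"
    return "active"

# Constructed sample data for a stand-alone run.
EXISTING = [{"name": "fin-audit", "members": ["ann", "bob"], "expires": date(2024, 1, 31)}]
FINANCE_USER = {"department": "Finance", "location": "NYC"}

if __name__ == "__main__":
    print(evaluate_request(FINANCE_USER, "Fin Audit", ["ann"], EXISTING))
    print(sunset_status(EXISTING[0], date(2024, 1, 20)))
```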
So there you have it. My eight-point wish list for reasonable, automated self-service group management software. In the end it would make life a lot easier for the managers who have to handle the dynamics of the dozens of groups they create, inherit, or wish they could disband. Done properly, it helps mitigate security threats from within — the biggest threat to any enterprise — and keeps your data from flying out the window.
For more on self-service group management, check out Avatier Group Requester and view the Avatier Group Requester Product Introduction video.
Begin your identity management initiative by following what corporate compliance experts recommend for the workflow automation of business processes, self-service administration and IT operations.