Identity Access Management for Large Businesses
- Identity Access Management for Large Businesses
- What Is Identity Access Management And How Is It Done Today?
- Seven Questions to Ask Before You Can Automate Identity Access Management
- How to Automate Identity Access Management
- Identity Access Management Software for the Casino and Gaming Industry
Automating Account Creation is critical to achieving compliance, increasing security, reducing cost, and improving efficiency.
Large businesses are significantly dependent on information technology to manage their operations and a diverse set of complicated but critical applications. Buried within the annual information technology cost is a completely obscured, but extremely large, perpetual expense for managing and tracking identities and access across all of these applications, which lingers year in and year out. This cost can account for 30-60% of your entire Help Desk budget and can be almost completely eliminated if automated identity access management software is correctly rolled out, deployed and maintained.
Today’s manual administration is soon to become extinct because smart businesses realize that to remain competitive they need to eliminate this costly, error prone, and time-consuming manual process. Automated account creation and management, also called identity access management, is a core business requirement for any organization to remain competitive in today’s economy. Properly funded, staffed, and deployed identity access management software implements the required business controls while perpetually reducing administration costs, increasing security, accelerating user productivity and streamlining compliance auditing.
Virtually all regulations and operating standards, whether established by a gaming commission, the SEC, or just industry best practices, have as a core element controlling “who has access to what” and the process by which that access is “authorized”. Identity management solutions combine these user provisioning controls with audit friendly reporting and automation to reduce the cost of the provisioning process and shorten the time it takes to get new employees up and running.
Fortunately, the ROI justification is very straightforward as it is easy to quantify the hard dollars being spent on existing provisioning processes – including systems, software, direct labor and services. Some identity access management activities, such as self-service password management, can provide a payback in just a few months. A full blown rollout including user provisioning, deprovisioning, approval workflow, compliance reporting, etc. can pay for itself in just a few short years.
What Is Identity Access Management And How Is It Done Today?
At some level, every organization performs either manual or automated identity access management. Specifically, identity access management is the act of managing the adds, moves and changes through the life-cycle of an employee, contractor, or vendor. A typical heterogeneous IT environment requires managing user logon accounts, passwords, and access to a wide variety of platforms such as Microsoft Active Directory, Exchange, IBM AS/400, and databases. Typical tasks include: account creation; termination; performing daily account management such as promotions, demotions and leaves of absence; defining menu access; and maintaining account attributes like cell phone number or title.
My personal belief is that identity access management also encompasses management of, and I use this term loosely, “assets” – meaning anything physical like laptops, PDAs, cell phones, keys, uniforms, badges, and even business cards. Some provisioning vendors incorporate asset provisioning while others recommend third party solutions.
The traditional identity access management process begins with a form generated by HR indicating a new hire, transfer or termination. It might be on paper, but it is now more common for it to be passed by email. Unless the firm has a repository of all the privileges required for each user’s job (commonly called roles), the hiring manager will have to specify the requested access and then forward the paperwork through the approval chain. Once all approvals are obtained, the document is forwarded to the IT service desk where instructions are passed to each system or application administrator to create the necessary accounts and assign access privileges. The results are then stored in a database or spreadsheet for generating management or audit reports (manually or with custom report templates).
With all of those discrete manual steps, it’s not hard to see why such processes often take days or even weeks to assign all required access and require handling by a dozen or more people – driving up costs and making the process very difficult to track. Perhaps worse, it’s also common for accounts to be missed during the termination process – potentially exposing systems to disgruntled former employees and generating virtually guaranteed deficiencies in the next audit. To compensate, many organizations developed their own semi-automated processes (automating a few steps but still requiring extensive staff intervention) or purchased first generation commercial solutions that required a lot of customization, but the cost of implementing and maintaining either is exorbitant.
7 Questions to Ask Before You Can Automate Identity Access Management
Here are 7 questions to help you decide whether your company is ready to automate Identity Access Management:
- Have you identified an Executive Sponsor for this project?
- Have you identified the scope of internal/external applications and assets to be included in this project?
- Do you have a dedicated identity access management technical lead or centralized team?
- Do you use a common user account name across systems and can you resolve them across systems?
- Do you have defined naming conventions for user accounts, and a way to resolve duplicate user accounts, across all systems?
- Do you have a primary LDAP directory store for all user account identities (employees, contractors, and vendors)?
- Are there any regulatory/compliance factors which are driving the need for Identity Access Management?
How to Automate Identity Access Management
Identity Access Management Software automates operations and provides detailed audit logs and reports covering the following:
- Who did what to whom
- Who has access to what and how did they get it
- What accounts have not been accessed recently
What are the benefits of automated identity access management?
Business drivers for automated identity access management include: cost savings, enhanced operational efficiency, risk management and compliance with internal and external regulatory requirements.
Cost savings – IT departments spend a major portion of their budget addressing identity access management issues. Studies from major analyst firms indicate that password reset calls alone account for 30% to 50% of help desk inquiries. At $10 to $30 per call, enabling users to solve their own problems via self-service password reset can pay for itself in well under 12 months. Similarly, replacing a manual provisioning system that utilizes costly and scarce administrator resources to create and manage accounts will generate immediate savings.
Operational Efficiency – Many manual provisioning systems can take a week or more to complete all of the necessary approval and administrative steps for on-boarding a new hire and a similar amount of time to complete a promotion, transfer, leave of absence or termination. These delays reduce productivity and negatively impact user satisfaction.
Risk Management – Unauthorized access to critical casino and customer data presents major financial security, legal and public relations exposure. Identity management enforces access based on organizational policies and provides the reporting and auditing tools required to assess risk.
Compliance – All gaming operations, whether governed by state gaming regulations, the National Indian Gaming Commission or just sound business practices, must have strict controls on user access. Whether it’s providing an audit trail that illustrates what rights were granted to an employee and who approved them, or ensuring that terminated employees have all of their rights removed or disabled within a predetermined time period, effective identity access management provides the control and transparency to meet organizational requirements. These may also include separation of duties (SoD) enforcement which ensures that potentially dangerous combinations of rights – the classic example being the ability to both authorize and disburse payments – are not issued to a single employee.
Identity Access Management Software for the Casino and Gaming Industry
Whether implemented under the auspices of a state gaming commission, the National Indian Gaming Commission, the Securities and Exchange Commission, business councils (e.g. PCI for payment card processing) or just sound management practices, all gaming sites must comply with a complex maze of standards and regulations. Since gaming is both labor and IT-intensive, a prerequisite for compliance with these standards is the implementation of strong controls on user identities – specifying and enforcing each user’s access to IT applications and resources.
An identity access management system for gaming and hospitality should affirmatively answer and prove compliance with the following common audit questions:
- Is access to privileged computing resources, such as financial systems, privacy-protected data, etc., limited to those that require it to perform their jobs (i.e. on a “need to know” basis)?
- Is an approval system in place to assure that access is granted per external or internal regulations and policies?
- Are separation of duties (SoD) standards enforced – providing checks and balances by ensuring that an individual cannot perform all the tasks of a sensitive business process (e.g. approving invoices and issuing payment)?
- Is access revoked on a timely basis when it is no longer required due to termination or change in duties?
- Are procedures in place to strengthen and safeguard user credentials (e.g. User IDs/passwords) so they are not compromised?
- Do audit reports clearly document compliance with the requirements above?
Automated identity access management systems not only ensure that the answer to each question is “yes”, but also reduce costs while increasing IT and user productivity.
The Compliance Management Regulatory Gap
Essential identity access management processes include user on-boarding and access customization (AKA provisioning), off-boarding (deprovisioning), password policy enforcement and password reset. Traditionally these were semi-automated processes involving electronic forms and email – requiring extensive handling by administrators and managers that often leads to delays and errors. For example, on-boarding a new employee might involve the following major steps:
- An authorization form generated by Human Resources is sent to the new employee’s manager.
- The manager will specify which applications and resources are required to perform the employee’s tasks.
- Based on corporate policy and the level of access required, the form will be sent to senior management for approval.
- Once all approvals are obtained, the form is sent to the administrator for each system to create the required accounts.
Sounds simple enough, but it requires a user provisioning process administrator to manage the workflow (e.g. identifying the required approvers and administrators and routing the form), track status, capture the results in a spreadsheet, generate reports, etc. Successful completion is dependent on the responsiveness of several managers and a number of system administrators – who may be on vacation or too busy to attend to the request promptly. As a result such processes are costly, slow (often taking weeks to obtain all required access) and error prone. Deprovisioning is nearly as difficult, as the administrator must manually look up the employee’s access and notify the relevant system administrators to suspend or delete each account.
It’s little wonder that such systems often fail an auditor’s first and simplest test – checking to see if recently departed employees still have active accounts. These “orphan accounts” represent potential audit deficiencies in more than 50% of surveyed firms. “Privilege creep”, in which long-time users move from assignment to assignment acquiring new access rights without having prior rights revoked, is also common. This makes documenting compliance with more complex requirements, such as SoD, virtually impossible. Assembling the data to even respond to such queries can become a nearly full-time job during the audit cycle.
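The three audit checks this article keeps returning to (dormant accounts from the "what accounts have not been accessed recently" report, separation of duties from the compliance section, and the orphan-account test described just above) are mechanical once account data from every system is collected in one place. The following script is an added example, not code from the article or from any vendor's product; the HR roster, account inventory, SoD rule and review date are all constructed for illustration.

```python
"""Access review: orphan, dormant and SoD checks over a collected account
inventory (added example; all data below is constructed)."""
from datetime import date, timedelta

# Constructed HR roster: employee id -> (status, termination date or None)
HR_ROSTER = {
    "e100": ("active", None),
    "e200": ("terminated", date(2024, 3, 1)),
    "e300": ("active", None),
    "e400": ("terminated", date(2024, 5, 20)),
}

# Constructed inventory pulled from several systems. Each record carries the
# owning employee id (None when the account maps to no person in HR).
ACCOUNTS = [
    {"system": "AD", "account": "jdoe", "owner": "e100", "enabled": True,
     "last_logon": date(2024, 6, 1), "entitlements": {"email", "vpn"}},
    {"system": "AP", "account": "jdoe", "owner": "e100", "enabled": True,
     "last_logon": date(2024, 6, 1),
     "entitlements": {"approve_invoice", "issue_payment"}},
    {"system": "AD", "account": "bsmith", "owner": "e200", "enabled": True,
     "last_logon": date(2024, 2, 28), "entitlements": {"email"}},
    {"system": "AS400", "account": "BSMITH", "owner": "e200", "enabled": False,
     "last_logon": date(2024, 2, 20), "entitlements": {"menu_cage"}},
    {"system": "AD", "account": "klee", "owner": "e300", "enabled": True,
     "last_logon": date(2024, 1, 5), "entitlements": {"email"}},
    {"system": "AD", "account": "svc_backup", "owner": None, "enabled": True,
     "last_logon": date(2024, 6, 2), "entitlements": {"backup_operator"}},
]

# Toxic combinations a single employee must never hold across all systems
# (constructed rule mirroring the article's approve-and-pay example).
SOD_RULES = [({"approve_invoice", "issue_payment"}, "approve and pay invoices")]

DORMANT_AFTER = timedelta(days=90)
REVIEW_DATE = date(2024, 6, 10)  # constructed "today" for the review


def orphan_accounts(roster, accounts):
    """Enabled accounts whose owner is terminated or unknown to HR."""
    result = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        owner = roster.get(acct["owner"])
        if owner is None or owner[0] == "terminated":
            result.append((acct["system"], acct["account"]))
    return result


def dormant_accounts(accounts, today, threshold=DORMANT_AFTER):
    """Enabled accounts with no logon inside the threshold window."""
    return [(a["system"], a["account"]) for a in accounts
            if a["enabled"] and today - a["last_logon"] > threshold]


def sod_violations(accounts, rules):
    """Employees whose combined entitlements across systems match a rule.

    Entitlements are merged per owner first, because a conflict usually
    spans two systems rather than living inside one account."""
    per_owner = {}
    for a in accounts:
        if a["enabled"] and a["owner"] is not None:
            per_owner.setdefault(a["owner"], set()).update(a["entitlements"])
    return sorted((owner, label) for owner, ents in per_owner.items()
                  for combo, label in rules if combo <= ents)


def access_review(roster, accounts, today=REVIEW_DATE, rules=SOD_RULES):
    """Run all three checks and return the findings as one report."""
    return {
        "orphans": orphan_accounts(roster, accounts),
        "dormant": dormant_accounts(accounts, today),
        "sod": sod_violations(accounts, rules),
    }


if __name__ == "__main__":
    for section, findings in access_review(HR_ROSTER, ACCOUNTS).items():
        print(section, findings)
```

Note that the disabled AS/400 account of the terminated employee is not flagged: disabling is what the article means by "removed or disabled within a predetermined time period", so only still-enabled accounts count as orphans. The unowned service account is reported as an orphan too, since an account with no HR owner is exactly what the auditor's first test is looking for.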
Similarly, auditors will look for the use of stronger passwords, such as greater length and complexity (e.g. requiring upper and lower case, alpha and numeric, etc.), more frequent changes, and limitations on re-use. Theoretically, this improves security as it makes passwords harder to compromise, but with typical users having anywhere from 2 to 8 passwords the inevitable result is that users will maintain a record of all their passwords – taped to the bottom of the keyboard is a common security flaw – or the help desk will be inundated with password reset calls. The former will lead to an audit deficiency regarding password policy enforcement and education standards while the latter will send help desk costs skyrocketing.
Answering the Compliance Management Call
Fortunately, modern identity access management systems automate the entire user identity lifecycle – enforcing regulatory standards and accelerating all identity access management operations. They can also implement advanced identity access management concepts like role-based provisioning and automatic detection of SoD violations. End-users can even utilize self-service to perform such basic functions as resetting passwords and submitting access requests. Best of all, these “next generation” systems can be deployed more rapidly and with far fewer internal or consulting resources than older, first generation identity access management tools that required extensive programming.
Key requirements include:
Advanced architecture: It should be based on the latest standards, such as web services, that can interface with virtually any application or directory to automatically create accounts, update passwords, modify access rights, etc. Check to ensure that critical gaming and hospitality applications are supported out of the box or can be implemented without an extended programming effort.
Role-based and privilege-based access control: The system should provide the flexibility to establish groups of privileges as a role (e.g. Payroll Processing Clerk) for simple, uniform assignment of access rights based on an employee’s job functions. Since employees with the same title and job location may require slightly different or customized access, the system should also provide request and approval processes for additional privileges.
Automatically-generated and managed workflow: Based on the identity of the requester and the resource(s) being requested, the system should be able to define and execute the required approval process without complex programming or administrator intervention. It should also identify missing approvals and send reminders or escalate to a higher level manager to ensure timely processing of the request.
Human Resources integration: As HR is the corporate source for adds/deletes/changes, on-boarding, off-boarding, transfers and promotions can be triggered by changes in the HRIS database.
Point-and-click graphical user interfaces: Users can generate requests via self-service interfaces and managers can issue approvals, modify roles and perform other typical administrative functions without IT intervention.
Comprehensive audit logging and reporting: All transactions should be captured in logs and the system should offer pre-defined reports, including SoD, as well as a report generator to create customized and on-demand audit reports.
These technologies streamline the identity access management processes – enabling “day one” on-boarding of new employees and customization of employee access while providing the controls necessary to meet compliance guidelines. Instead of an administrator forwarding and monitoring provisioning requests, the automated system can detect the “new hire” authorization in the HR database and automatically establish accounts based on the user’s role. If additional access is required, the manager or employee can issue the request with the system handling the approval routing, account creation and logging. Off-boarding is a mirror image of the on-boarding process – with the termination event in the HR system automatically triggering suspension or deletion of the user’s accounts. Even password policy enforcement can be strengthened because users simply reset forgotten or expired passwords by answering a few security questions from a self-service screen.
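The role-based, HR-triggered lifecycle described in the requirements list and the paragraph above can be reduced to one loop: an HR event selects a role, the role catalogue gives the desired accounts and entitlements, and the engine issues only the changes needed to get each system from its current state to that desired state, logging every action. The code below is an added example, not the article's or any product's code; the role catalogue, system names and the hire/transfer/terminate event sequence are constructed, and the manager approval workflow for extra privileges is left out.

```python
"""Event-driven, role-based provisioning with an audit log (added example;
roles, systems and HR events are constructed)."""
from dataclasses import dataclass, field

# Constructed role catalogue: role -> {system: entitlements on that system}
ROLES = {
    "payroll_clerk": {"AD": {"email", "vpn"}, "PAYROLL": {"run_payroll"}},
    "cage_cashier": {"AD": {"email"}, "AS400": {"menu_cage"}},
    "ap_supervisor": {"AD": {"email", "vpn"}, "AP": {"approve_invoice"}},
}


@dataclass
class ProvisioningEngine:
    roles: dict
    # current state: employee id -> {system: {"enabled": bool, "entitlements": set}}
    state: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def desired(self, role):
        """Accounts and entitlements an employee in this role should hold."""
        return {system: set(ents) for system, ents in self.roles[role].items()}

    def _log(self, actor, action, employee, system, detail=""):
        self.audit_log.append({"actor": actor, "action": action,
                               "employee": employee, "system": system,
                               "detail": detail})

    def reconcile(self, employee, desired, actor):
        """Move the employee's accounts to the desired state, one action per change."""
        current = self.state.setdefault(employee, {})
        for system, ents in desired.items():
            acct = current.get(system)
            if acct is None:
                current[system] = {"enabled": True, "entitlements": set(ents)}
                self._log(actor, "create_account", employee, system,
                          ",".join(sorted(ents)))
                continue
            if not acct["enabled"]:
                acct["enabled"] = True
                self._log(actor, "enable_account", employee, system)
            for e in sorted(ents - acct["entitlements"]):
                acct["entitlements"].add(e)
                self._log(actor, "grant", employee, system, e)
            # Revoking what the new role does not need is what stops privilege creep.
            for e in sorted(acct["entitlements"] - ents):
                acct["entitlements"].remove(e)
                self._log(actor, "revoke", employee, system, e)
        for system in list(current):
            if system not in desired and current[system]["enabled"]:
                current[system]["enabled"] = False
                current[system]["entitlements"].clear()
                self._log(actor, "disable_account", employee, system, "not in role")

    def handle_event(self, event):
        """Translate an HR feed event into provisioning actions."""
        kind, employee = event["type"], event["employee"]
        actor = "hr-feed"
        if kind in ("hire", "transfer"):
            self.reconcile(employee, self.desired(event["role"]), actor)
        elif kind == "terminate":
            # Off-boarding mirrors on-boarding: every account is suspended.
            for system, acct in self.state.get(employee, {}).items():
                if acct["enabled"]:
                    acct["enabled"] = False
                    acct["entitlements"].clear()
                    self._log(actor, "disable_account", employee, system, "termination")
        else:
            raise ValueError(f"unknown HR event type: {kind}")


def run_demo():
    """Process a constructed hire -> transfer -> termination sequence."""
    engine = ProvisioningEngine(ROLES)
    events = [
        {"type": "hire", "employee": "e100", "role": "payroll_clerk"},
        {"type": "transfer", "employee": "e100", "role": "cage_cashier"},
        {"type": "terminate", "employee": "e100"},
    ]
    for event in events:
        engine.handle_event(event)
    return engine


if __name__ == "__main__":
    for entry in run_demo().audit_log:
        print(entry)
```

Two design points matter for the audit questions earlier on the page. The engine computes desired state from the role rather than applying "add this, add that" requests, so a transfer automatically revokes the VPN right and disables the payroll account the old role carried; and every grant, revoke and disable is written to the log with the actor that triggered it, which is the "who did what to whom" record an auditor asks for.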
Perhaps most important, with automated identity access management you’ll be able to show your auditors well-defined, repeatable processes and respond to their documentation requests rapidly and accurately. It’s doubtful that you’ll ever look forward to an identity access management audit, but you will be able to approach it with confidence about the results.