Doing some spring cleaning? Consider de-cluttering your IAM system.

Spring is traditionally the time when we de-clutter.  Purging all of the stuff we just don’t need is spiritually satisfying, and it also serves as a reminder of what’s truly important to us.

The healthy feeling you get from spring cleaning can extend to the technology side of your business as well.  In the end, I.T. systems get cluttered just as much as our garages do.  The difference with technology is that clutter can be far more consequential.

One of the most common forms of program clutter comes in Identity and Access Management (IAM) systems.  These gatekeeper applications manage the access your employees have to different categories of information and applications, and are a critical piece of internally facing cybersecurity.  There are two main ways in which clutter can keep these systems from performing their primary function.

The first is the management of profiles.  Employees come and go, but in many companies their profiles last forever.  It’s an inertia problem:  when a new person comes on board, there’s a clear incentive to get a profile set up – everyone wants to get up and running as soon as possible.  When someone leaves, however, there’s no immediate incentive to shut the profile down.  Many companies don’t have a process to do so, and without someone banging on their door many I.T. departments can’t be bothered.

Yet these profiles clearly matter.  Granting access to your systems and data is inherently a trust-based relationship.  When that relationship is dissolved, it doesn’t make sense to keep the door to your information open.  Disillusioned (or merely curious) former employees have used their still-active profiles to wreak havoc on unsuspecting former employers.  Reducing the clutter of old profiles by disabling (or even simply deleting) them is an easy way to make your system more secure.

Another kind of IAM detritus appears in the form of unquestioned active profiles.  Even your current employees tend to gain access to compartmented information systems over time.  As employees change roles within an organization, their profiles aren’t always altered accordingly.  Moreover, people often require temporary access to certain systems when they’re covering for someone else or working on a specific project.  Even when this temporary need goes away, profiles tend to stay the same, granting access over a much longer period than was originally anticipated.

The instinct in many organizations is to grant this system access generously rather than on a “need to know” basis.  This makes sense on a basic level – employees can’t work on areas they don’t have access to.  Yet it can also result in sensitive data being a bit too accessible for its own good.

When left unquestioned, access profiles tend to metastasize over time, granting employees inroads to areas which management never intended.  This can even be true for I.T. staff themselves.  The Snowden incident is a prime example of an overly generous access profile gone wrong.

Getting rid of this kind of clutter requires more regular and deliberate action on the part of I.T. managers and company leadership.  It means sitting down on a regular basis to match the roles and responsibilities of employees with the systems they access.  Poring over usage data and profile information isn’t fun or simple (particularly in organizations with layered or interacting systems), but it can pay significant cybersecurity dividends later on.
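To make the review concrete, here is an added example (not code from this post or from ECHO) that cross-checks a constructed HR roster against a constructed IAM entitlement export and flags the four kinds of clutter discussed above: accounts of departed employees that are still enabled, temporary grants that have expired, access outside an employee's role baseline, and standing access nobody has used recently. The data shapes, role baseline and the 90-day dormancy threshold are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not from a real directory).
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob":   {"status": "active", "role": "engineering"},
    "carol": {"status": "terminated", "role": "finance"},
}
# Role baseline: what each role is expected to hold on a need-to-know basis.
ROLE_BASELINE = {
    "finance": {"erp-ledger", "email"},
    "engineering": {"source-repo", "build-system", "email"},
}
# IAM export, one row per entitlement. expires=None means a standing grant.
IAM_EXPORT = [
    {"user": "alice", "enabled": True, "entitlement": "erp-ledger",   "last_used": date(2024, 3, 20), "expires": None},
    {"user": "alice", "enabled": True, "entitlement": "email",        "last_used": date(2024, 3, 29), "expires": None},
    {"user": "alice", "enabled": True, "entitlement": "source-repo",  "last_used": date(2023, 9, 1),  "expires": date(2023, 10, 1)},  # covered a project
    {"user": "bob",   "enabled": True, "entitlement": "source-repo",  "last_used": date(2024, 3, 28), "expires": None},
    {"user": "bob",   "enabled": True, "entitlement": "build-system", "last_used": date(2023, 11, 1), "expires": None},
    {"user": "bob",   "enabled": True, "entitlement": "erp-ledger",   "last_used": date(2023, 11, 5), "expires": None},  # left over from an old role
    {"user": "carol", "enabled": True, "entitlement": "erp-ledger",   "last_used": date(2024, 1, 15), "expires": None},
]
REVIEW_DATE = date(2024, 4, 1)

def review_access(roster, export, baseline, today, dormant_days=90):
    """Return (user, entitlement, reason) findings; each row gets its most serious reason."""
    findings = []
    for row in export:
        user, ent = row["user"], row["entitlement"]
        person = roster.get(user)
        # Clutter type 1: an enabled account for someone HR no longer lists as active.
        if person is None or person["status"] != "active":
            if row["enabled"]:
                findings.append((user, ent, "orphaned: not an active employee"))
            continue
        # Clutter type 2a: a temporary grant that outlived the need it was made for.
        if row["expires"] is not None and row["expires"] < today:
            findings.append((user, ent, "expired temporary grant"))
        # Clutter type 2b: access the current role does not call for (e.g. carried over).
        elif ent not in baseline.get(person["role"], set()):
            findings.append((user, ent, "outside role baseline"))
        # Clutter type 2c: standing access nobody uses; a candidate for removal.
        elif today - row["last_used"] > timedelta(days=dormant_days):
            findings.append((user, ent, "dormant"))
    return findings

if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, IAM_EXPORT, ROLE_BASELINE, REVIEW_DATE):
        print(finding)
```

In practice the roster and export would come from the HR system and the IAM tool's reporting interface, and a finding is a prompt for the employee's manager to confirm or revoke, not an automatic removal.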

It’s a discipline.  Cleaning up long-static IAM systems can be a significant chore, but when it becomes part of regular security reviews the process becomes much easier.  The occasional spring cleaning can also head off damaging cybersecurity incidents down the line, making it clearly worth the effort.

Does your IAM system need a tune-up? ECHO can help.