Five signs of identity and access management trouble

Identity and access management have always been important to a CISO’s strategy, but unfortunately not enough are paying attention to the details judging by the number of breach reports citing theft of credentials as a key element of the attack.

In a column today Andy Taylor, a senior IBM managing security consultant, offers five clues that tip off  ill-conceived or overly complex access governance processes can give too much access to the wrong people with too little oversight:

–Orphaned accounts

Do you know who uses or owns all user accounts in your organization? Are there any active accounts for people who have left? When was the last time your staff checked? If the answer is not in a while, that’s a warning sign. Taylor offers another: Neither the account naming convention nor the metadata gives any indication of account owners, yet the accounts can still be used to access sensitive resources.

–Poorly defined certification processes

IAM certification process appears too frequently with little warning or notification, Taylor says. “Notice is often sent to the incorrect reviewer and contains confusing entitlements only the IT guru understands.”.  A poorly defined review processes means user identities and access to valuable resources aren’t secured, leading to risks, he points out.

–Inadequate access request approvals

You may have a good access approval process, but some people may be wrong for giving approvals. Taylor gives as an example persons who have no organizational relationship with the users, or individuals who know little about the business function or access. What’s particularly dangerous is privileged access only being approved by line managers who may not understand security requirements or policies. The result can be segregation-of-duty (SOD) breaches.

–Lack of segregation of duty controls

Some functions have to be segregated to limit the risk of fraudulent behavior — for example people who submit invoices shouldn’t be approving payment for their own spending. But, Taylor says, companies can have difficulty articulating SOD controls because of a lack of knowledge about their applications and their usage across business functions. “These process checks are often run manually and are ad hoc in timing — in most cases a long time after the access has been granted and occasionally in reaction to an incident or breach,” he writes.

–Independent processes across the organization

Having a range of different divisions, perhaps due to acquisitions and mergers or geographic separation can lead to organizations having different identity and access management processes and teams. Not only is this costly and inefficient, it’s risky.

This is an era offering a wide range of multifactor authentication technologies to make access to data more secure. But if infosec pros aren’t managing the process of enrolment and certification better all those tools won’t help.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Stemming the tide of cybercrime

By: Derek Manky Technology continues to play a significant role in accelerating...

Power through a work-from-anywhere lifestyle with the LG gram

“The right tool for the right job” is an old adage...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now