Friday, August 23, 2013

The Cost of Not Disabling, Deleting, or Deprovisioning User Accounts

We are all aware of the security risks an organization faces when it does not promptly disable or delete network accounts after users leave. A former employee who still has access to customer data and sensitive internal systems can read, copy or destroy that data long after the working relationship has ended.

Most businesses try to take immediate steps to prevent this when an employee is terminated or leaves of their own volition, but some do not. Even where the security exposure is not a concern, one important issue is often overlooked: the cost of not disabling accounts, licensed applications and cloud-based subscriptions.

Costs to Company

Take, for instance, Office 365, Microsoft's increasingly popular hosted email and Office productivity suite. Business plans typically cost $4-$20 per user per month. Another example is Salesforce.com, a popular web-based CRM application, at $65-$250 per user per month. Still other applications, such as Sales Genie or Hoovers, charge per record downloaded or per email address created. All of this adds up to large expenses for companies.

Next, consider a company with 1,000 employees (scale the example to your own business) with an annual turnover rate of 10%, so 100 employees leave each year. If that company has one cloud-based application averaging $30 per user per month and it takes three months to remove terminated employees from all systems, the cost is 100 × $30 × 3 = $9,000 a year.

Obviously, the more subscription-based applications a company has, the longer deactivation takes, and the more employees and the higher the turnover rate, the greater the potential cost. Over three years the example above adds up to about $27,000, money that could surely have been used elsewhere in the company.

A 2010 IDC study found that between 25% and 75% of enterprise application licenses are either unused or underused. A large part of this is most likely due to employees who are no longer with the company but still have an active account.

Security

Now, if the application in question charges per record downloaded, the cost to an organization can be tremendous. A recent conversation with a sales manager brought this point into focus: a terminated sales rep's access to a lead-generation database was not revoked until nearly six months after termination. In that time the one former employee downloaded nearly 15,000 records at a total cost of $7,500 to the company (about $0.50 per record). In an organization with high sales turnover, this cost can be astronomical.

Another area where licensing costs come into play is network-based applications licensed per user. Very often, applications like Visio, Photoshop and others are licensed for a large number of users, with access rights granted through group memberships in Active Directory. As with cloud-based solutions, if a user is not removed from the group that grants access to one of these applications, the company can run out of licenses and have to buy more.

The same is true when a current employee transfers to a new role. As an example, a graphic designer who uses Photoshop is transferred to a managerial role. When the transfer occurs, the rights to the application remain intact because of a lack of communication between the human resources department and the IT group. The manager no longer needs Photoshop, but when a new designer is hired, a new license must be purchased.

Solution

In the above cases, proper controls through an automated identity management solution can solve these issues by revoking access rights when an employee leaves or changes role, freeing up licenses and eliminating unnecessary expenses. Many commercially available solutions automate the life cycle of user accounts by linking the human resources application to Active Directory and handling the creation and deletion of accounts in network and cloud-based applications. A manager or the IT employee in charge of accounts can then remove an employee and revoke access to every system and application with one click. Instead of employees' accounts being left active after they leave, they are removed promptly, improving security and reducing costs for the organization.

With an automated identity management solution there is no need for dedicated staff to handle accounts. A manager or help desk employee can handle the changes, which is why it is beneficial even to small businesses with limited staff.
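The reconciliation such a solution performs can be sketched in a few lines. The following is an added example in Python, not Tools4ever's code and not part of the original post: it compares an HR roster against the account export of each subscribed application, flags accounts that are still enabled for terminated or unknown employees, and prices the delay. The roster, the account lists, their field names (employee_id, status, termination_date, enabled) and the per-user prices are constructed sample data, not the schema of any real HR system.

```python
"""Reconcile an HR roster against per-application account exports.

Added example; the HR rows, account rows, field names and per-user prices
are constructed assumptions, not the output of any real HR system or application.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR export: one row per employee.
HR_ROSTER = [
    {"employee_id": "E100", "status": "active",     "termination_date": None},
    {"employee_id": "E101", "status": "terminated", "termination_date": date(2013, 3, 1)},
    {"employee_id": "E102", "status": "terminated", "termination_date": date(2013, 8, 1)},
    {"employee_id": "E103", "status": "active",     "termination_date": None},
]

# Constructed per-application exports: assumed monthly price per user and the
# account's enabled state inside that application.
APP_ACCOUNTS = {
    "office365": {"monthly_cost": 20.0, "accounts": [
        {"employee_id": "E100", "enabled": True},
        {"employee_id": "E101", "enabled": True},   # left months ago, still enabled
        {"employee_id": "E102", "enabled": False},  # correctly disabled
        {"employee_id": "E999", "enabled": True},   # no HR record at all
    ]},
    "crm": {"monthly_cost": 125.0, "accounts": [
        {"employee_id": "E101", "enabled": True},
        {"employee_id": "E103", "enabled": True},
    ]},
}


@dataclass
class Finding:
    app: str
    employee_id: str
    reason: str          # "terminated" or "unknown_to_hr"
    months_open: int     # whole months the account stayed enabled past termination
    wasted_cost: float   # months_open * monthly price


def months_between(start: date, end: date) -> int:
    """Whole calendar months from start to end (never negative)."""
    return max(0, (end.year - start.year) * 12 + end.month - start.month)


def find_orphaned_accounts(hr_roster, app_accounts, today):
    """Return every enabled account whose owner has left or is unknown to HR."""
    hr_by_id = {row["employee_id"]: row for row in hr_roster}
    findings = []
    for app, data in app_accounts.items():
        for acct in data["accounts"]:
            if not acct["enabled"]:
                continue                      # already deprovisioned
            emp = hr_by_id.get(acct["employee_id"])
            if emp is None:
                # An account with no HR owner is both a cost and a security gap.
                findings.append(Finding(app, acct["employee_id"], "unknown_to_hr", 0, 0.0))
            elif emp["status"] == "terminated":
                months = months_between(emp["termination_date"], today)
                findings.append(Finding(app, acct["employee_id"], "terminated",
                                        months, months * data["monthly_cost"]))
    return findings


def total_waste(findings):
    """Subscription money spent on accounts that should have been disabled."""
    return sum(f.wasted_cost for f in findings)


def example_report():
    """Run the reconciliation on the constructed data as of 23 August 2013."""
    return find_orphaned_accounts(HR_ROSTER, APP_ACCOUNTS, date(2013, 8, 23))


if __name__ == "__main__":
    report = example_report()
    for finding in report:
        print(finding)
    print(f"total wasted: ${total_waste(report):,.2f}")
```

On the constructed data the run flags three accounts: E101 in both applications (five months past termination, $100 and $625 wasted) and E999 in Office 365, which has no HR record at all and deserves a look for security rather than cost reasons. In practice the HR roster would come from the HR system's export and the account lists from each application's admin API, and the "unknown_to_hr" findings are usually the more interesting half of the report.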


For more information, please visit our website.

Friday, August 16, 2013

Using Identity and Access Management Software for Audits

Regulations such as HIPAA, Basel II and Sarbanes-Oxley continue to overwhelm every business sector as organizations are continuously evaluated for compliance with various standards, laws and regulations. These evaluations, or audits, will sooner or later affect nearly every organization.

However, it is not just top-level executives who are affected by audits. IT departments are increasingly brought into the audit response process, which means IT managers facing an audit must be able to demonstrate full control of the data they manage.

Simply put, this means:

• IT departments must be able to demonstrate at any time who has access to which systems in the network, and when network actions were performed (authorizations and reporting). For instance, an IT manager should be able to indicate which employees are allowed to approve and pay invoices, and who reset employee X's password and when.

• IT departments must implement a strong password policy.

Identity and access management (IAM) solutions support IT administrators in legislative and regulatory compliance and help them manage audits in two areas:

Who Can Do What in a System?

Role-based access control (RBAC) is a technique for organizing authorization management and for answering the questions "who is allowed to do what in the network" and, just as importantly, "who is not." With RBAC, authorizations are not assigned to individual staff members but to roles, which are derived from attributes such as the employee's department, title, location and cost center. RBAC reduces the chance of error because network actions and changes can only be performed by people whose role or title authorizes them.

Many organizations already use RBAC to a greater or lesser extent. Introducing it involves role discovery, project implementation and population of the authorization matrix, a hugely labor-intensive, complex and costly process; with the right software, most of the population of the RBAC authorization matrix can be automated.

In an RBAC system, the so-called organizational roles (the way employees are recorded in the HR system, particularly by title, department and cost center) are matched against the technical roles, such as application and folder permissions, present across the organization. Partners and vendors can help an organization match its HR system to its network and analyze the current authorizations of each organizational role, which lets the organization decide which HR attributes define each organizational role.

The result of this analysis could be, say, that 90 percent of the employees in a particular organizational role (e.g. nurse in the Cardiology department) hold a particular set of authorizations. The logical step is then to assign all new employees in that role the same authorizations automatically. By letting this occupancy rate govern the assignment of authorizations, a first step can be made toward populating the RBAC matrix in a very simple way. This approach can save a great amount of time and money.
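The occupancy-rate approach is straightforward to implement. The block below is an added example in Python, not Tools4ever's software: it groups users by organizational role (here title plus department, an assumed choice of HR attributes), mines the technical roles held by at least 90 percent of each group, reports per-user exceptions (permissions outside the role, or role permissions the user lacks) to answer the "who can do what, and who should not" question from the audit section above, and derives what a new hire receives. The HR rows and permission names are constructed to mirror the nurse/Cardiology case.

```python
"""Populate an RBAC matrix from HR attributes and current authorizations.

Added example, not Tools4ever's software. The HR rows, the technical roles
(group-style permission names) and the 90% threshold are constructed to mirror
the nurse/Cardiology case; attribute and permission names are assumptions.
"""
from collections import Counter, defaultdict

ORG_ROLE_KEYS = ("title", "department")   # assumed HR attributes that define an org role

# Constructed HR export: ten Cardiology nurses and two Oncology nurses.
HR = {f"u{i:02d}": {"title": "Nurse", "department": "Cardiology"} for i in range(1, 11)}
HR["u11"] = {"title": "Nurse", "department": "Oncology"}
HR["u12"] = {"title": "Nurse", "department": "Oncology"}

# Constructed current authorizations (e.g. AD group memberships per user).
AUTHZ = {f"u{i:02d}": {"EHR_Read", "Cardiology_Share"} for i in range(1, 10)}
AUTHZ["u10"] = {"EHR_Read"}                 # never got the share: will show as "missing"
AUTHZ["u03"].add("Pharmacy_Admin")          # leftover from an earlier role: "extra"
AUTHZ["u11"] = {"EHR_Read", "Oncology_Share"}
AUTHZ["u12"] = {"EHR_Read", "Oncology_Share"}


def org_role(attrs):
    """Organizational role = tuple of the chosen HR attributes."""
    return tuple(attrs[k] for k in ORG_ROLE_KEYS)


def mine_roles(hr, authz, threshold=0.9, min_members=2):
    """Technical roles held by at least `threshold` of an org role's members.

    Roles with fewer than `min_members` people get nothing automatically:
    with one member, every permission that person holds would look like 100%.
    """
    members = defaultdict(list)
    for user, attrs in hr.items():
        members[org_role(attrs)].append(user)
    matrix = {}
    for role, users in members.items():
        if len(users) < min_members:
            matrix[role] = set()
            continue
        counts = Counter(p for u in users for p in authz.get(u, ()))
        matrix[role] = {p for p, n in counts.items() if n / len(users) >= threshold}
    return matrix


def exceptions(hr, authz, matrix):
    """Per user: permissions outside the mined role (review them) and role
    permissions the user lacks (provision them)."""
    report = {}
    for user, attrs in hr.items():
        expected = matrix.get(org_role(attrs), set())
        held = set(authz.get(user, ()))
        report[user] = {"extra": held - expected, "missing": expected - held}
    return report


def provision_new_hire(attrs, matrix):
    """Authorizations a new employee in this org role receives automatically."""
    return set(matrix.get(org_role(attrs), set()))


if __name__ == "__main__":
    matrix = mine_roles(HR, AUTHZ)
    for role, perms in matrix.items():
        print(role, sorted(perms))
    for user, diff in exceptions(HR, AUTHZ, matrix).items():
        if diff["extra"] or diff["missing"]:
            print(user, diff)
    print("new Cardiology nurse gets:",
          sorted(provision_new_hire({"title": "Nurse", "department": "Cardiology"}, matrix)))
```

On the constructed data the Cardiology nurse role ends up with EHR_Read and Cardiology_Share (held by 10/10 and 9/10 members), while u03's Pharmacy_Admin (1/10) is reported as an exception to review rather than silently becoming part of the role. The threshold and the minimum group size are the two knobs to tune: too low a threshold bakes leftover permissions into roles, and tiny groups make every permission look universal.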

Strong password policy

Many laws and regulations require a strong password policy (strong authentication). To achieve this, you can enable the password complexity rules in Windows Active Directory. You should first ask whether this complexity is desirable for your organization, however, as it can have major consequences for your end users.

The default Windows Active Directory password complexity rules are often insufficient: they require only a minimum of six characters, characters from three of five categories, and no part of the user's account name or display name, which a password like Password1! satisfies. Systems administrators need a more flexible solution that, among other things, makes it possible to determine individually which rules are applied, to whom and when.
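To make the gap concrete, the following is an added example in Python, not Tools4ever's product. meets_ad_complexity() approximates the documented Windows "Password must meet complexity requirements" rule (account name and display-name tokens of three or more characters rejected, at least six characters, three of five character categories), and check_password() layers a stricter, per-group policy on top of it. The group names, minimum lengths, banned words and the sample user are constructed assumptions.

```python
"""Check passwords against the Windows AD complexity rule and a stricter policy.

Added example, not Tools4ever's product. meets_ad_complexity() approximates
the documented 'Password must meet complexity requirements' setting; the
per-group policies, banned words and sample users are constructed assumptions.
"""
import re
from dataclasses import dataclass

# AD splits displayName into tokens on these delimiters and rejects passwords
# containing any token of three or more characters (case-insensitive).
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def char_categories(password):
    """The AD character categories present in the password."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch.isalpha():
            cats.add("other_alpha")   # letters with no case, e.g. CJK
        else:
            cats.add("special")       # approximation: any non-alphanumeric char
    return cats


def meets_ad_complexity(password, sam_account_name, display_name):
    """True if the password passes the default AD complexity rule."""
    low = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in low:
        return False
    for token in NAME_DELIMITERS.split(display_name):
        if len(token) >= 3 and token.lower() in low:
            return False
    if len(password) < 6:
        return False
    return len(char_categories(password)) >= 3


@dataclass(frozen=True)
class Policy:
    min_length: int = 6
    min_categories: int = 3
    banned_words: tuple = ()     # checked case-insensitively as substrings


# Assumed per-group policies: the rules differ depending on who the user is.
POLICIES = {
    "Domain Admins": Policy(min_length=15, min_categories=4, banned_words=("password", "acme")),
    "Domain Users":  Policy(min_length=12, min_categories=3, banned_words=("password", "acme")),
}


def policy_for(groups):
    """Strictest (longest minimum length) policy among the user's groups."""
    matched = [POLICIES[g] for g in groups if g in POLICIES]
    return max(matched, key=lambda p: p.min_length) if matched else Policy()


def check_password(password, sam_account_name, display_name, policy):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if not meets_ad_complexity(password, sam_account_name, display_name):
        problems.append("ad_complexity")
    if len(password) < policy.min_length:
        problems.append(f"min_length<{policy.min_length}")
    if len(char_categories(password)) < policy.min_categories:
        problems.append(f"min_categories<{policy.min_categories}")
    for word in policy.banned_words:
        if word.lower() in password.lower():
            problems.append(f"contains:{word}")
    return problems


if __name__ == "__main__":
    user = ("jsmith", "John Smith")   # constructed sAMAccountName and displayName
    for pw in ("Password1!", "Smith2013!", "Correct-Horse-Battery-9"):
        print(pw, "AD default:", meets_ad_complexity(pw, *user),
              "Domain Users policy:", check_password(pw, *user, policy_for(["Domain Users"])))
```

Password1! passes the AD default rule but fails the stricter policy on both length and the banned word; Smith2013! fails even the default because it contains a display-name token. A real deployment would evaluate this logic in a password filter or at the self-service reset point rather than in a script, but the rule set is the same.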

As mentioned earlier, a stricter password policy has major implications for end users and for the organization as a whole. End users will need to remember more complex passwords, and since most of them will have trouble doing so, the helpdesk is bound to receive more password reset calls.

To reduce the number of password reset calls, Tools4ever offers SSRPM (Self Service Reset Password Management), which lets end users reset their passwords independently by providing answers to a series of simple, predefined questions.

A stricter password policy also affects employee productivity. Employees will have to remember more complex passwords for all of their applications and will be far from happy about it. For this reason, many organizations implement a single sign-on solution to cater to the needs of their end users.

A single sign-on (SSO) solution lets end users log in once, after which they are automatically given access to all applications and resources across the network without logging in again. SSO works as an additional software layer that handles all login processes and enters the required credentials automatically (automatic login). Because users no longer have to remember those credentials, SSO also makes it possible to use a strong password for every underlying application, not just for Active Directory.

Two-factor authentication

When a strong password policy is insufficient by itself (e.g. because end users end up writing their passwords down), strong (two-factor) authentication can be used. Rather than entering a user name and password, users log in by holding a card against a card reader and entering a PIN code. This is strong authentication because it combines something the user has (the card) with something the user knows (the PIN). In this setup, the card ID is linked to the user's Active Directory credentials.

It is also possible to implement strong authentication without purchasing additional hardware. Here smartphones play an important role, since they offer various authentication capabilities, such as facial recognition (using the camera), voice recognition (using sound recordings) and geographical positioning (using GPS). This low-cost authentication is the latest trend in the field. Note that facial or voice recognition is a biometric (something the user is) and location is contextual information rather than a factor in its own right, so a deployment should still bind the phone itself to the user as the "something the user has" factor.

For more details, please visit our website.