November 7, 2017 By Raghu Dev 3 min read

This is follow-up to a previous article about access management. Be sure to read that first installment for the full story.

When you have several heritage access management or access governance tools spread throughout the corporation, the view of an employee’s access is splintered. When security solutions are siloed, owners of applications and purveyors of shadow IT within the business unit often fend for themselves by creating spreadsheets, scripts and programs. They also worry about conforming to policies and maintaining compliance to pass internal and external audits.

To shine a light on this disjointed access data, employees, managers, security professionals, application owners and auditors need a single view of all accesses throughout the organization.

A Consolidated View of Actionable Access Data

When presented on a single pane of glass, this access data is powerful. It helps employees understand their privileges and enables them to track their own requests and approvals. It also helps managers and, in some cases, application owners control access and determine what level of access to grant employees.

With a consolidated view of access data, organizations can move from simply seeing data to acting on it. Actionable dashboards enable security teams to bring visibility to otherwise hidden data, which is the first step toward access management transformation.

For managers, application owners and employees alike, user experience can be a double-edged sword. Many employees cite the lack of a single tool to view access data as a key pain point. The need to use several disparate access management tools is not conducive to productivity. Furthermore, a fatiguing user experience can lead employees to adopt alternate access methods that may be insecure.

A Manager of Managers

To consolidate this disjointed access data into a single pane of glass, we created a manager of managers model. We integrated heritage access management tools via connectors and simple file transfer methods to our centralized access platform. The critical step here is to design a many-to-one data model.

We avoided boiling the ocean. Being surrounded by agile gurus and true practitioners, we used small, iterative steps to achieve our goal. We knew it would be hard to come up with a model that would never change, so we made sure our data model, while being well-managed and suited to fit most of the heritage tools' requirements, remained flexible. Flexibility can be both a boon and a curse, however, because with greater flexibility comes greater responsibility.

Transformation should not be merely a lift-and-shift process — it must improve upon the data quality and, especially, the process. To boost data quality, the security team should question entitlements, roles and groups, keeping only those that are well defined and useful. For example, the team can improve the process by reducing the number of steps required to request access. The final step is to introduce new functionalities, such as risk-based access controls.
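As an added illustration of the many-to-one data model and the data-quality questioning described above (example code, not the platform or connectors the article describes), the sketch below maps two constructed heritage-tool exports with different schemas onto one canonical access record, builds the per-employee consolidated view, and flags entitlements to the same application that arrive from more than one tool so they can be questioned first. Tool names, field names and sample rows are all assumptions.

```python
"""Many-to-one access data model: consolidate heritage tool exports into one view."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample exports. Each heritage tool has its own schema; the
# connector's job is to map every schema onto the canonical Access record.
TOOL_A_CSV = """emp_id,app,role
1001,Payroll,viewer
1001,Payroll,viewer
1002,Payroll,admin
"""

TOOL_B_JSON = [
    {"user": "1001", "resource": "GitLab", "group": "developers"},
    {"user": "1003", "resource": "GitLab", "group": "maintainers"},
    {"user": "1002", "resource": "Payroll", "group": "viewer"},
]

@dataclass(frozen=True)
class Access:
    """Canonical record shared by every connector (hypothetical schema)."""
    employee_id: str
    application: str
    entitlement: str
    source_tool: str

def from_tool_a(csv_text: str) -> list[Access]:
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Access(r["emp_id"], r["app"], r["role"], "tool_a") for r in rows]

def from_tool_b(records: list[dict]) -> list[Access]:
    return [Access(r["user"], r["resource"], r["group"], "tool_b") for r in records]

def consolidate(*sources: list[Access]) -> dict[str, set[Access]]:
    """Single view keyed by employee; the set drops exact duplicate rows."""
    view: dict[str, set[Access]] = defaultdict(set)
    for src in sources:
        for a in src:
            view[a.employee_id].add(a)
    return dict(view)

def conflicting_entitlements(view: dict[str, set[Access]]) -> list[tuple]:
    """Same employee and application granted by more than one tool: question these first."""
    flagged = []
    for emp, accesses in view.items():
        by_app: dict[str, set[tuple[str, str]]] = defaultdict(set)
        for a in accesses:
            by_app[a.application].add((a.source_tool, a.entitlement))
        for app, grants in by_app.items():
            if len({tool for tool, _ in grants}) > 1:
                flagged.append((emp, app, sorted(grants)))
    return sorted(flagged)
```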

Ensuring a Silent Access Management Transformation

To ensure a nondisruptive, or silent, transformation, the first step is to represent the access data from heritage tools in the centralized access platform. Then create a connector using the access management platform as a one-stop shop to view all accesses. Next, build two-way connectors to heritage access management tools. This enables the platform to process access requests and send the data back to the heritage tools.

Once users begin to use this platform for all their access-related needs, unplug applications from the heritage tools and move them to the new platform. This virtually seamless transition achieves our silent transformation goal.

Stay tuned for the third installment, in which we will discuss the next steps in your access management transformation, such as managing security’s impact on the business and introducing risk-based access controls into the environment.
