As my company’s Chief Information Security Officer, I know that people have access to things they shouldn’t. How do I find out who and what?
idax uses analytics to minimise risk by only giving employees the things they need to do their job, working on the principle of ‘least privilege’.
In all organisations there are people who have access to applications and data they shouldn’t. Some will be harmless but others could pose a significant threat.
There are a number of reasons why this excess accumulation may occur.
- rights from one job are carried forward to the next
- rights are copied from someone with a similar (but not the same) role
- managers sign off without a full understanding
- genuine provisioning mistakes occur
Without any rule setup or user input, idax uses predictive analytics to spot people with access to important information and applications which could put the company at risk.
I am a security architect. My organisation has thousands of old unused accounts, people with access rights from previous jobs and employees that have left. The only answer seems a massive one-off review. How do I clean up the environment and build an architecture that ensures it stays clean when it’s in such a mess to start with?
An organisation that has attempted one or more access management strategies may have 2 or 3 Active Directories, 1 or 2 LDAPs, and find itself with many thousands of roles and hundreds of thousands of access rights.
This may include duplicate assets and a proliferation of roles with up to 90% of redundant access rights under management.
Cleaning this up and making it repeatable so that effective management can take place is an enormous task that can only be accomplished through automation.
Using an advanced analytics engine, idax identifies redundancy and duplication and produces highly detailed reports, essential to a clean-up operation. And the good news is that because it’s an ongoing process you don’t need to do it all in one go.
idax identifies the correct roles for people to be assigned to and automatically and dynamically defines accurate role templates for ongoing maintenance of the environment.
I am responsible for regulatory compliance. I have all these regulations to meet but don’t have the tools to help. So many seem to be focusing on access control. I keep throwing resources at it but I’m no closer to the answer.
Organisations have a regulatory duty to maintain high standards of compliance (PCI, ISO 27001, EU Data Protection, NIST Cyber Security Framework) for access to data they hold.
The current method of adhering to these standards is by quarterly or half yearly review of a subset of access rights, in addition to an independent annual survey by an external audit team.
This is extremely costly and time consuming, and many organisations are becoming concerned that the effectiveness of manager reviews is questionable at best.
Until now, there has been no alternative, but quarterly reviews could become a thing of the past as idax automates employee access rights and their review.
idax checks each new asset request for risk and compliance and delivers real-time predictive analytics to your desktop at the click of a mouse and a fraction of the cost.
As a Security Architect, I see dynamic role based access control as the answer to managing our access rights but so many companies have tried and failed. Is it even possible?
Dynamic role based access control has been a goal for many companies that want to manage their access rights with optimum efficiency.
Adhering to the principle of ‘least privilege’, fitting people into the roles most suited to their job and only giving them access to the tools they need minimises risk for the organisation.
Even the most advanced organisations have found the task impossible due to the complexity of role management and the inability to spot high risk profiles as they develop.
idax makes this goal achievable by using advanced analytics to create and maintain templates, based on your organisation’s access profile. idax’s risk measurement methodology also allows staff to have specialist rights that may be out of the ordinary, whilst ensuring that the organisation continues to monitor their access.
idax is dynamic and adjusts access risk in an ever changing environment to highlight outliers with unusual access.
I am a CIO and one of my team found an analytics tool they say can help with our audit requirements but I am concerned about the start-up and ongoing management costs.
Many analytics tools that promise excellent results require a huge setup, a massive machine learning cycle and significant ongoing effort to maintain their rules database. This often offsets any cost savings, and the tool ends up costing more than the benefits it promised.
idax does not require any complicated rule setup or maintenance. Our algorithms are based on the latest non-learning techniques, meaning that it works right from day 1. It simply requires user access information and the associated organisational structure.
idax immediately produces targeted and actionable results to enable you to manage down your organisational risk.
My CIO says I need to justify the license cost of the IAM software given that it’s not in the budget. How do I show it can be cost neutral or better?
IT managers have a limited budget and thousands of excellent programs to choose from. They must ensure that they are optimising value, getting tangible benefits and reducing overall spend.
idax has repeatedly demonstrated that it will provide a string of operational benefits as well as significantly reducing the bottom line spend of an organisation.
Cost savings are achieved by:
- cutting expensive analysis resources
- reducing the number of change request tickets and the real operational cost of access control
- decreasing time spent on manager review
- lowering the cost of audit remediation
idax demonstrates a significant return on investment as the license costs a fraction of the savings that will be achieved.
I am a manager and one of my team insists they need access to an application but our IT department says they don’t know whether they should have it. I am unsure whether to sign off on it. Is it a risk?
Managers receive certification requests when an employee asks for access to a new application, or during review periods to recertify access rights for their team.
A team may consist of multiple employees, each with hundreds of access rights, many with meaningless names. This creates an impossible task for the manager to know which assets pose a risk and should be either allowed or removed.
idax quantifies the risk rating for each employee and warns the manager of those with high risk, recommending which specific access rights to remove to reduce the risk.