Access management: not so much a Service Desk ticket, more a way of life
10:00 Tuesday, 03 August 2021
UK Cyber Security Council
It’s very easy to think of managing users – setting up new logins and de-provisioning people’s access when they leave – as something that the Service Desk just does as a day-to-day activity. In reality, though, Access Management is a science and a skillset in its own right.
In a company of modest size with fully integrated systems – where all user access is provisioned via a central directory service such as Microsoft Active Directory – access management can be fairly straightforward. Few of us are blessed with such pure worlds, however: most organisations have apps that don’t integrate with AD. These might be externally hosted systems that can’t (or just don’t) integrate with your directory service, or internal systems that you simply can’t hook up. And even with apps that do work with the directory service, it’s not uncommon to have a hybrid world where AD does a simple permit/deny to the application and the user’s precise rights are configured within the application’s own permissions control panel.
The moment we introduce complexity, we have to introduce controls to manage that complexity. We need rigorous rules about not just what applications to provision for a new starter, but what their permissions should be and who approves access (hint: if the answer is usually the user’s line manager, you’re probably doing it wrongly). We need ways of knowing what we need to de-provision when someone leaves: in a largish company with many dozens of systems, when a 20-year veteran leaves the organisation it’s a non-trivial task to be certain of what apps they had access to (and hence which ones we need to de-provision them in) unless we look at every single one. Of course, in an ideal world we would use automation to deal with some of the gaps between applications and directory service integration, but even that can be far from easy and is likely to involve a series of unique automations to fit different applications’ user access control systems.
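The reconciliation the two paragraphs above describe, as an added example that is not from the article or the Council: a constructed directory export (who exists, whether the account is still enabled, what role they hold), a role-based entitlement baseline standing in for the "rigorous rules" about what a starter should get, and per-application user lists for apps that keep their own rights outside the directory. The script answers the leaver question directly (which apps does this person still have an account in?) and flags three kinds of gap: accounts to de-provision because the directory account is disabled, orphan accounts with no directory identity at all, and app-local rights that exceed what the role was approved for. Every user, app, role and right here is hypothetical sample data.

```python
"""Access reconciliation across a central directory and non-integrated apps.

Added example, not code from the article. All users, apps, roles and rights
below are constructed sample data standing in for real exports.
"""
from dataclasses import dataclass

# Constructed directory export: does the identity exist, is it enabled, what role.
DIRECTORY = {
    "alice": {"enabled": True,  "role": "finance-analyst"},
    "bob":   {"enabled": False, "role": "engineer"},   # leaver: disabled in the directory
    "carol": {"enabled": True,  "role": "engineer"},
}

# Constructed role-based entitlement baseline: the rights each role is approved for, per app.
BASELINE = {
    "finance-analyst": {"ledger": {"read", "post"}, "wiki": {"read"}},
    "engineer":        {"git": {"read", "write"}, "wiki": {"read", "edit"}},
}

# Constructed per-application user lists. These apps hold their own permissions,
# so each record carries the rights configured inside that app, not in the directory.
APP_USERS = {
    "ledger": {"alice": {"read", "post", "approve"}},
    "git":    {"bob": {"read", "write"}, "carol": {"read", "write"}},
    "wiki":   {"alice": {"read"}, "bob": {"read", "edit"}, "dave": {"read"}},
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "deprovision", "orphan" or "excess-rights"
    app: str
    user: str
    detail: str


def apps_for_user(user, app_users):
    """The leaver question: every app in which this user still holds an account."""
    return sorted(app for app, users in app_users.items() if user in users)


def reconcile(directory, baseline, app_users):
    """Compare each app's local user list against the directory and the entitlement baseline."""
    findings = []
    for app, users in app_users.items():
        for user, rights in users.items():
            entry = directory.get(user)
            if entry is None:
                # Account exists only inside the app: nobody owns it in the directory.
                findings.append(Finding("orphan", app, user, "no directory account"))
                continue
            if not entry["enabled"]:
                # Directory says they have gone, but the app still lets them in.
                findings.append(Finding("deprovision", app, user, "directory account disabled"))
                continue
            allowed = baseline.get(entry["role"], {}).get(app)
            if allowed is None:
                findings.append(Finding("excess-rights", app, user,
                                        f"role {entry['role']} has no approved entitlement to {app}"))
                continue
            extra = rights - allowed
            if extra:
                # Rights were granted inside the app beyond what the role was approved for.
                findings.append(Finding("excess-rights", app, user,
                                        f"rights beyond baseline: {sorted(extra)}"))
    return sorted(findings, key=lambda f: (f.kind, f.app, f.user))


if __name__ == "__main__":
    print("bob still has accounts in:", apps_for_user("bob", APP_USERS))
    for f in reconcile(DIRECTORY, BASELINE, APP_USERS):
        print(f"{f.kind:14} {f.app:7} {f.user:6} {f.detail}")
```

Run against real exports, the interesting design choice is that the baseline is keyed by role rather than by individual approval: that is what lets the check say "this person has more than their role warrants" instead of relying on whoever approved the original ticket. In the sample data this surfaces bob's lingering git and wiki accounts, dave's wiki account with no directory identity behind it, and alice's locally granted "approve" right in the ledger that her role never covered.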
This is why Identity and Access Management (IAM) is not just a thing, but is a specific skillset and even an entire industry. IAM jobs are plentiful on job sites and pay well (the first result in a job search I just did for “IAM Manager” roles gave a salary range of £50k-£70k), and there are many, many vendors who will sell you a product to help you manage your access management (of course, there’s a cloud variant too, termed “IAMaaS”).
It should be no surprise that IAM is a complex area that has a great deal of focus in many companies: after all, it is an essential component of a positive user experience for new joiners, and is absolutely critical when one tries to ensure that someone who leaves the business has his or her access curtailed promptly and completely.
So yes, adding and removing user access may well “just” involve someone raising a Service Desk ticket. But the science, skill and effort behind it is way more than that.