In any organization, management is always concerned about whether users are entitled only to what they are supposed to have access to. Beyond this, the concerns form a long list that varies from organization to organization.
If you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is “it isn’t scaling well.” — Paul Vixie, on NANOG
Examples of such concerns would be:
a. Which employees have access to finance data or applications?
b. Can some employees see the margin?
c. Is my sales commission to marketing agents exposed?
d. Would my price-sensitive information be shared with people who are insensitive to it?
e. Who has administrative privileges in the purchase process?
f. Is person X entitled to approve something he is not supposed to?
g. Do temporary or contract staff have access beyond the specific period?
h. Why does the manufacturing team not have access to the efficiency report?
Typical challenges in governance of identity entitlements/access:
These may look like very general questions, but they are essential ones that come up in business as usual. Business stakeholders ask them. Emails are exchanged on approvals for access. These access requests go through either help desk systems as tickets or emails, and that comes with various challenges.
a. Access provided for a short term is not revoked by the date
b. Access provided was limited
c. Organizational changes in roles are not reflected appropriately in access
d. Privileged/elevated access goes unmonitored or unnoticed
e. Complexity in provisioning access – Grant/Revoke – automatically through workflows
f. Different owners for the different applications
The principle of least privilege means limiting user access to the lowest level of rights that they can have and still do their jobs.
Identity management solutions come to the rescue by managing certifications of identities. Tools such as IdentityNow indicate who has access to what and whether the access is at the appropriate level. Governance teams can ensure they have an accurate reflection of the current status of access. This provides peace of mind to stakeholders in the context of information security and helps maintain compliance. Tools like IdentityNow by SailPoint make this certification process seamless and easy.