CIOReview
December 2018

IN MY OPINION

MANAGING USER ACCESS AND IDENTITY FOR BETTER SECURITY

By Genady Vishnevetsky, Chief Information Security Officer, Stewart Title

Managing user access and identity has been a growing pain for years. We are no longer supporting just human identities. The latest explosion of new smart devices is not making governance over identity access easier. We have very little control over these devices, yet they are penetrating our networks and connecting to our systems. We can no longer ignore IoT (Internet of Things) devices, as they are becoming an integral part of running information and operational technologies.

Existing and emerging regulatory and compliance requirements are enough to last us a lifetime. If you are a public company, Sarbanes-Oxley requires rigorous discipline around granting, revoking, and auditing access controls. So do many other compliance programs (e.g. PCI DSS, FFIEC) and frameworks (e.g. NIST, ISO). These regulations and standards require, at minimum, proper user management, including timely onboarding and offboarding, segregation of duties or least privileges, and regular audits. Compliance is not easy; manual compliance is even harder. That is why many audits still find orphan accounts and a lack of proper termination across business applications year after year.

According to the 2018 Verizon Data Breach Investigation Report, compromised accounts and circumvented access controls were responsible for the majority of breaches in 2017.

Mergers and acquisitions add complexity to an already exacerbated problem. Enterprises are often under a time constraint to integrate another entity in record time, which often leads to multiplying directory services and adding foreign user identities that are not properly accounted for. Legacy applications and duplication of services put a strain on the already complex problem we are trying to solve.

Lack of proper governance over user identity has haunted us for decades.
For years we have been trying to find a silver bullet. One just does not exist. Identity Governance and Administration (IGA) is an integral part of the Identity and Access Management program and focuses on access entitlement and certification, and policy provisioning. The key word in IGA is governance. Governance over identity comes first. It is not uncommon to create processes and not