The challenges
During a recent inventory of the systems and functions that the The Company's IT department supported, a number of challenges were detected. We will now have a look at some of the Identity Management (IdM)-related challenges that were detected.
Provisioning of users
Within The Company, they discovered that it can take up to one week before a new employee or contractor is properly assigned their role and provisioned to the different systems required by them to do their job.
The Company would like for this to not take more than a few hours.
Identity lifecycle procedures
A number of issues were detected in lifecycle management of identities.
Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or changed their job. Termination and disabling of identities was also out of control. They found that accounts of users who had left the company more than six months ago were still active.
After a security review, they found out that a consultant working with the HR system still had access using VPN and an active administrative account within the HR system. The access should have been disabled about six months ago, when the upgrade project was completed. They also found that the consultant who the company engaged to help out during the upgrade, didn't even work for the firm any more.
What The Company would like is not only a way of defining policies about identity management, but also a tool that enforces it and detects anomalies.
Highly Privileged Accounts (HPA)
Although The Company has been successful in reducing the number of strong administrative accounts over the last few years, a few still exist. There are also other highly privileged accounts and also a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.
The Public Key Infrastructure (PKI) within The Company is a one layer PKI, using an Enterprise Root CA without Hardware Security Module (HSM). The CSO is concerned that it is not sufficient to start using smart cards, because he feels the assurance level of the PKI is not high enough.
Password management
The helpdesk at The Company spends a lot of time helping users who forgot their password. These are both internal users as well as partners, with access to the shared systems.
Traceability
They found that they had no process or tools in place to trace the status of identities and roles historically. They wanted to be able answer questions such as:
- Who was a member of the Domain Admins group in April?
- When was John's account disabled and who approved that?