Hitachi ID Systems, Inc.


Identity Management Security Benefits

User administration, especially in a heterogeneous environment where each user has multiple login accounts and appears in multiple directories, has many inherent security problems. In many organizations, weaknesses in change management processes are a major source of security problems.


| Security problem | ID-Synch® solution |
|---|---|
| User profiles persist long after their owner has been terminated. Unreliable business processes and incomplete access profiles mean that when employees or contractors are terminated, systems administrators may not be notified on time, or at all. Additionally, without a global record of every login ID on every system that belongs to a user, it is difficult or impossible to ensure that all of the login accounts associated with a user are reliably and promptly disabled after a termination. As a result, users may retain login privileges long after they have left an organization. | ID-Synch helps organizations to implement reliable and prompt termination, through automated termination, consolidated access reporting, and use of a consolidated user administration console. |
| Users accumulate entitlements like lint. Over time, as users move around an organization and change responsibilities, they accumulate login accounts on various systems and specific security privileges, all required to do their jobs. Unfortunately, it is difficult or impossible to determine when their old privileges are really no longer needed and should be removed. As a result, users just accumulate privileges. This is a security problem, as it increases the risk of security violations due either to honest errors or to compromised accounts. | ID-Synch can be used to periodically review what login accounts and privileges each user has, to identify suspicious entitlements, and to remove those that managers and system owners agree are truly no longer required. |
| It is difficult to determine which users have which access to systems and data, and how they got it. Lack of a database that connects login IDs across systems back to individual users, and that tracks security entitlements across systems, makes it difficult or impossible to determine just what access rights any given user has (globally), or conversely what set of users have a particular combination of access privileges. Local or absent change logs make it impossible to track how users got the access rights they have. This makes it difficult to meet regulatory requirements for effective internal controls. | ID-Synch can be used to report on user access rights and change history globally. |
| Users have non-standard login IDs and account configuration. Different human security administrators create accounts in different ways, inadvertently violating standards. Without effective standards enforcement, it is difficult to control the access rights of large user populations. Without enforcing login ID naming conventions, it is difficult to correlate security events across systems. | ID-Synch creates all new users with standard login IDs by cloning pre-defined, standardized template accounts. |
| Users get new accounts and security changes without proper authorization. Overly restrictive change control procedures, or simply difficult-to-use change request forms, may lead business users to bypass the change request / routing / authorization process entirely, and demand security changes directly from systems administrators. In effect, lack of usability can defeat security. | ID-Synch makes the change control process easy to use, with a built-in self-service workflow engine. Users have no incentive to bypass the system when it is fast and effective. |


ID-Synch improves the security of user access administration processes: