The term Identity Management (also known as Identity and Access Management) describes the management of digital identities and their access rights within a company. It ensures that the right people have access to the appropriate data at the right time.
The introduction of an identity management system enables companies not only to meet legal requirements transparently, but also to increase their efficiency in terms of authorization processes.
"Who had access to a given drive at a given time?" or "What permissions does our new colleague in the accounts department need?" - If you can only answer these questions through time-consuming research within the IT department, you should get to grips with the subject of Identity and Access Management (IAM).
Companies use a variety of applications to implement their business processes. Central directories such as Microsoft Active Directory can control access to a corporate computer, specific drives, or client applications. More extensive applications, however, usually have their own authorization management system. In small companies the number of these applications may be small, but in more complex businesses an immense number of authorization processes arise, which have to be dealt with not only by the IT department but also by the other departmental areas.
So a few days can quickly pass before it is clear which permissions have been ordered for a new employee and then actually set.
Identity management not only brings transparency to these processes but also connects the relevant applications to one central system, with a significant increase in efficiency.
Optimization of authorization processes
Generic workflows can be used, e.g. to obtain approvals from the relevant supervisor, the technical managers of the application or a central department (for example, Human Resources). This allows permissions to be assigned automatically, thus significantly reducing processing times.
Self-service portals allow users to request permissions directly or to request a new password. Similarly, re-certification processes for relevant permissions can be established, which significantly reduces costs and lead times.
Digital identities and roles
For groups of employees, the required permissions can be attached to their roles as a group. For example, the HR system can be used as the leading system for the award of basic access rights. Depending on the implementation structure, regionally-dependent drive permissions or department-related application permissions can be assigned automatically in this way.
Rules can be used to define relationships between roles, as well as certain conditions and exclusion criteria, and these are taken into account when providing permissions. There is also the possibility of overarching roles that contain other roles.
Advanced use cases
A central identity management system creates opportunities that are difficult to achieve with conventional user administration processes. Examples are:
- Automated onboarding of employees (internal / external)
- Reduction / blocking of permissions in the case of absences
- Prevention of "orphan" accounts / permissions
- Efficient changes of staff to other areas of responsibility
- Centralized reporting on authorization structures
Consistent accounting / control of all permissions
The granting of permissions (and any further changes) is consistently documented in the identity management system in auditable central databases. The information includes:
- For whom was which authorization sought?
- By whom was the authorization sought?
- Who granted the authorization (where applicable)?
- When was the permission set or withdrawn?
- For what period of time did a user hold a specific permission?
Security / Compliance
Thus, for any "digital" identity, it is clear which permissions existed at which point in time and why they were set up. Rules can also be implemented that exclude the granting of unauthorized combinations of permissions (for example, invoice verification and payment approval).
Not only does the company thus reduce the risk of in-house abuse, but the IT areas (not least the administrators) are also protected from false accusations by the consistent traceability of authorization processes.
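The following Python sketch is an added example, not code from the original article or from any particular IAM product. It models the mechanisms the preceding sections describe: roles that contain other roles, automatic role assignment driven by HR attributes, a segregation-of-duties rule that blocks the invoice-verification / payment-approval combination, and an auditable grant log that records requester, approver and validity period so that "who held permission X at time T?" can be answered directly. All role names, permissions, users and timestamps are constructed for illustration.

```python
"""Minimal identity-management model (added example; all data constructed)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Role hierarchy: each role lists its own permissions and the roles it contains.
ROLES = {
    "employee":    {"perms": {"email", "intranet"},  "includes": set()},
    "finance":     {"perms": {"erp_read"},           "includes": {"employee"}},
    "ap_clerk":    {"perms": {"invoice_verify"},     "includes": {"finance"}},
    "ap_approver": {"perms": {"payment_approve"},    "includes": {"finance"}},
    "drive_emea":  {"perms": {"drive_emea_rw"},      "includes": set()},
}

# Segregation-of-duties rule: these permissions must never be held together.
SOD_EXCLUSIONS = [frozenset({"invoice_verify", "payment_approve"})]


def roles_from_hr(department: str, region: str) -> set[str]:
    """Rules deriving basic roles from HR attributes (HR as the leading system)."""
    roles = {"employee"}
    if department == "accounts":
        roles.add("ap_clerk")
    if region == "EMEA":
        roles.add("drive_emea")
    return roles


def expand_role(role: str) -> set[str]:
    """Flatten a role and every role it contains into one permission set."""
    perms = set(ROLES[role]["perms"])
    for sub in ROLES[role]["includes"]:
        perms |= expand_role(sub)
    return perms


@dataclass
class GrantRecord:
    """One auditable entry: who got what, requested and approved by whom, when."""
    user: str
    role: str
    requested_by: str
    approved_by: Optional[str]
    granted_at: datetime
    revoked_at: Optional[datetime] = None


class IdentityStore:
    def __init__(self) -> None:
        self.log: list[GrantRecord] = []   # append-only audit trail

    def active_perms(self, user: str, at: datetime) -> set[str]:
        """Permissions the user held at the given point in time."""
        perms: set[str] = set()
        for r in self.log:
            if r.user == user and r.granted_at <= at and (r.revoked_at is None or at < r.revoked_at):
                perms |= expand_role(r.role)
        return perms

    def grant(self, user: str, role: str, requested_by: str,
              approved_by: Optional[str], at: datetime) -> GrantRecord:
        """Record a grant, refusing it if it would create a forbidden combination."""
        resulting = self.active_perms(user, at) | expand_role(role)
        for combo in SOD_EXCLUSIONS:
            if combo <= resulting:
                raise ValueError(f"SoD violation for {user}: {sorted(combo)}")
        rec = GrantRecord(user, role, requested_by, approved_by, at)
        self.log.append(rec)
        return rec

    def revoke(self, user: str, role: str, at: datetime) -> None:
        """Close the open grant record instead of deleting it, keeping history."""
        for r in self.log:
            if r.user == user and r.role == role and r.revoked_at is None:
                r.revoked_at = at

    def onboard(self, user: str, department: str, region: str, at: datetime) -> None:
        """Automated onboarding: HR attributes drive the initial role set."""
        for role in sorted(roles_from_hr(department, region)):
            self.grant(user, role, requested_by="hr-system", approved_by=None, at=at)

    def holders_of(self, perm: str, at: datetime) -> set[str]:
        """Answer 'who had this permission at that time?' from the log alone."""
        users = {r.user for r in self.log}
        return {u for u in users if perm in self.active_perms(u, at)}


if __name__ == "__main__":
    store = IdentityStore()
    store.onboard("alice", "accounts", "EMEA", datetime(2024, 1, 8, 9, 0))
    try:
        store.grant("alice", "ap_approver", "alice.manager", "cfo", datetime(2024, 2, 1))
    except ValueError as e:
        print("blocked:", e)
    store.revoke("alice", "drive_emea", datetime(2024, 3, 1))
    print(store.holders_of("drive_emea_rw", datetime(2024, 2, 15)))
```

Revocation closes the record rather than deleting it, so the store can still answer point-in-time questions for past periods, which is exactly what an auditor or an administrator defending against a false accusation needs.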
In particular, for regulated entities such as insurance companies, telecommunications providers and banks, this is more than helpful and contributes to the efficient implementation of legal requirements. Thus, specific national provisions can be centrally managed through rules that are applied globally.
There are numerous directives concerning the handling of sensitive company / customer data. Among the most important directives / frameworks applied in Germany are:
- Sarbanes–Oxley Act
- Basel II / III
- BDSG (Federal Data Protection Act)
- KWG (German Banking Act)
- BSI (Federal Office for Information Security) - Grundschutzkatalog (IT baseline protection catalogue)
Conclusion - identity management projects are not purely IT projects
The introduction of an Identity Management System requires the involvement of different areas of the business. Depending on the objectives of a particular implementation, this extends from the HR department (as a key starting point for all primary authorization processes) to the Facility Management section for the design of the access rights issuing process.
In a time of intense competitive pressures, it is extremely important to identify the drivers for an identity management project:
- Risk management
  - Security: Is the emphasis on identifying permissions / accounts that are not needed or not allowed?
  - Compliance / Audit: Are there new requirements from Compliance, or was there an adverse audit finding that the Identity Management System could resolve in future?
- Cost optimization / more efficient authorization processes
  - Is the focus on reducing user / administrator related costs, or on shortening the onboarding / offboarding period?