Who’s allowed to do what? Secure control and management of access rights.

Improve your IT governance with more control and transparency in managing access authorizations

Secure access management for IT applications is and remains a great challenge for all companies, and not only since the European General Data Protection Regulation (EU-GDPR) came into force. The task is extremely complex from a purely technical and organizational standpoint. Depending on the industry, it is additionally hampered by the obligation to fulfil regulatory requirements. Especially in the finance and insurance sectors, a multitude of legal and supervisory specifications focus on risk data and risk reporting as well as regulating user authorizations.

Following the already very specifically formulated minimum requirements for “Risk Management of Banks” (MaRisk), the German Federal Financial Supervisory Authority (BaFin) took a further significant step in October 2017 with the “Banking Supervisory Requirements for IT” (BAIT) in detailing the requirements for banks’ information technology. And the GDPR continues to tighten the thumbscrews, significantly increasing the depth of regulation for the business processes of financial service providers.

Authorization assignments for data, networks, applications, etc. are a constantly changing structure

In our conversations with customers, we often find that meeting the various legal requirements poses major challenges not only for the financial sector with its complex IT landscapes, but also for many companies in general. IT application landscapes are growing continuously. Today, it is common for many employees with constantly changing responsibilities to use many different systems – every day. Experience has also shown that it is not unusual for each IT application to have its own separate authorization concept. If the responsibilities within the workforce change, the authorizations must also be reassigned, i.e. old authorizations removed, and new ones added. This inevitably leads to an accumulation of incorrect authorizations, which are often overlooked in the complex IT landscape. Depending on the size of the company, authorization management and administration become increasingly unmanageable, pushing the respective departments to their limits. This can even result in a complete loss of transparency and control with serious consequences, both in terms of internal security and fines.

Security gap: authorization too generous

Although IT managers and business departments are well aware of the resulting and impending risks, it is astonishing that they still often work with isolated, application-specific tools and security policies, and rely on manual processes for enforcement – also because the historically grown mix of different systems and applications often leaves no suitable alternative.

The manual control of access rights involves an increased risk of errors, since settings in many different systems have to be read out, analyzed and updated in a cumbersome and time-consuming way. In addition to the high risk of errors, this is also costly. Union Investment, one of the largest investment companies in Germany and part of the cooperative FinanzGruppe, recognized this problem and was looking for a new solution to both meet the strict compliance guidelines and improve the provisioning and deprovisioning of access rights. iC Consult solved the problem by extending the use of the existing Identity Manager to cover Access Lifecycle Management for close to 10,000 Active Directory accounts.

With modular and scalable Identity and Access Management (IAM), IT managers are demonstrably relieved. IAM continuously reviews permission structures, records access rights for all IT systems, and reduces errors in authorization assignment by automating the provisioning and withdrawal processes. Business and IT departments can use the various roles created in the IT shop to quickly and easily check which employees can access which data and whether they should, in fact, have this authorization. Thanks to role templates, requests for application access can be approved extremely quickly, and without risk. As a result, this automation of Identity and Access Governance saves time and money and consequently increases employee productivity. Authorization assignments can be clearly displayed at any time, practically at the push of a button, which also simplifies compliance checks for internal and external auditors.

Conclusion: Access governance – a smart investment in data protection and security

Access to IT systems and data must be managed efficiently and dynamically, taking into account all applicable compliance requirements. Well-conceived identity and access management can create enormous added value by increasing process efficiency and simultaneously reducing administrative effort. With a web-based frontend, specialist departments (or even users) can select access rights using role templates, for example. And thanks to intelligent policies and the automation of the application process, permissions can be granted faster and more securely. Any necessary approval processes are automatically triggered. A central identity and access management system completely resolves typical end-user criticisms regarding cumbersome application processes across multiple tools and media. Long waiting times due to sluggish approval and assignment processes are a thing of the past. Standardization of access governance processes – such as automated and function-bound allocation and withdrawal of authorizations, regular recertification and a constant target-performance comparison between approved and allocated access rights – not only improves usability but also significantly increases compliance.
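The "target-performance comparison between approved and allocated access rights" mentioned above is, at its core, a reconciliation: the rights a user should hold according to their approved role templates are compared against the rights actually present on the target systems, and every deviation becomes a finding for the owning department or for recertification. The following script is an added illustration of that check and is not code from iC Consult, Union Investment or any Identity Manager product; the role templates, users, entitlement names and the `reconcile`/`deviations_by_kind` functions are all constructed for this example.

```python
"""Reconcile approved (target) access rights with allocated (actual) rights.

Added example, not the code of any product or customer named on the page.
All role templates, users and entitlements below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass

# Role templates (hypothetical): each role grants a fixed set of entitlements,
# written as "<system>:<permission>".
ROLE_TEMPLATES: dict[str, set[str]] = {
    "loan-officer": {"crm:read", "crm:write", "core-banking:view"},
    "risk-analyst": {"risk-dwh:read", "reporting:export"},
    "it-admin": {"ad:admin", "core-banking:admin"},
}


@dataclass(frozen=True)
class Identity:
    """An identity as recorded in the central IAM system (the approved state)."""
    user: str
    roles: frozenset[str]   # roles approved through the request/approval process
    active: bool = True     # False once the employee has left or changed jobs


@dataclass(frozen=True, order=True)
class Finding:
    """One deviation between approved and allocated rights."""
    user: str
    entitlement: str
    kind: str               # "excess", "missing" or "orphan"


def target_entitlements(identity: Identity,
                        templates: dict[str, set[str]] = ROLE_TEMPLATES) -> set[str]:
    """Expand an identity's approved roles into the entitlements it should hold."""
    if not identity.active:
        return set()        # a deactivated identity is approved for nothing
    target: set[str] = set()
    for role in identity.roles:
        if role not in templates:
            raise ValueError(f"unknown role template {role!r} for {identity.user}")
        target |= templates[role]
    return target


def reconcile(identities: list[Identity],
              allocated: dict[str, set[str]]) -> list[Finding]:
    """Compare approved rights with the rights actually found on the systems.

    - excess : allocated but not approved (stale rights from a previous job)
    - missing: approved but not allocated (provisioning did not happen)
    - orphan : an account with rights but no active identity behind it
    """
    by_user = {i.user: i for i in identities}
    findings: list[Finding] = []

    # Pass 1: every account that actually exists on the target systems.
    for user, actual in allocated.items():
        identity = by_user.get(user)
        if identity is None or not identity.active:
            findings.extend(Finding(user, e, "orphan") for e in actual)
            continue
        target = target_entitlements(identity)
        findings.extend(Finding(user, e, "excess") for e in actual - target)
        findings.extend(Finding(user, e, "missing") for e in target - actual)

    # Pass 2: active identities with no account at all -> everything is missing.
    for user, identity in by_user.items():
        if identity.active and user not in allocated:
            findings.extend(Finding(user, e, "missing")
                            for e in target_entitlements(identity))
    return sorted(findings)


def deviations_by_kind(findings: list[Finding]) -> dict[str, int]:
    """Aggregate findings into the numbers an auditor's report would show."""
    counts = {"excess": 0, "missing": 0, "orphan": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


# Constructed sample data: approved state from the IAM system ...
SAMPLE_IDENTITIES = [
    Identity("alice", frozenset({"loan-officer"})),
    Identity("bob", frozenset({"risk-analyst"})),
    Identity("carol", frozenset({"it-admin"}), active=False),  # has left the company
    Identity("dave", frozenset({"risk-analyst"})),              # never provisioned
]
# ... and the allocated state read out from the target systems.
SAMPLE_ALLOCATED = {
    "alice": {"crm:read", "crm:write", "core-banking:view", "risk-dwh:read"},  # stale right
    "bob": {"risk-dwh:read"},                                                  # incomplete
    "carol": {"ad:admin"},                                                     # orphaned admin
    "svc-legacy": {"core-banking:admin"},                                      # no identity record
}

if __name__ == "__main__":
    for f in reconcile(SAMPLE_IDENTITIES, SAMPLE_ALLOCATED):
        print(f"{f.kind:8} {f.user:12} {f.entitlement}")
    print(deviations_by_kind(reconcile(SAMPLE_IDENTITIES, SAMPLE_ALLOCATED)))
```

In a real deployment the `allocated` dictionary would be filled by connectors that read the actual group memberships and application roles from Active Directory and the individual applications, and the `orphan` and `excess` findings are the ones that feed deprovisioning and recertification; the `missing` findings show where an approved request has not yet been fulfilled.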