"The only business information source for European Business management and leadership news..."
New Account

The Magazine

Issue 11

In this issue we take a look into the future at the technologies that could transform your business by the year 2020. Find out whether robots will take over your workplace and if we'll all be working from home.

E-magazine
  • Previous Issues

Blog

Seth discusses how SMEs can tackle the World Cup

Seth Shaw
VP of Sales and Marketing - LogMeIn

World Cup 2010: Absenteeism in the workplace

Seth Shaw, VP of Sales and Marketing at LogMeIn discusses how small businesses can inoculate themselves against World Cup fever...
08 Jun 2010

Spend less money by improving access management and control

BHOLD Company | www.bholdcompany.com

Some weeks ago I attended a conference on Identity and Access Management. After a very interesting public confession by former Barings employee Nick Leeson, I had a drink with a security officer and an IT auditor. The IT auditor said, “Cases like Société Générale and Barings show the necessity to better control the use of IT”.

All nodded, but the security officer replied, “Control over the use of IT must become more efficient; you can’t keep pouring in more people to control controls”. Though he was a friendly man, I couldn’t help hearing a slightly insulting tone, making us understand that his company wasn’t what you would call a very happy customer when it came to audit fees.

Clearly, the security officer had a point. From a business perspective, simply increasing the number of controls and the number of people controlling controls is a dead-end track, particularly if you take into account that the new ways of making information available inevitably make the problem bigger. At the same event a senior analyst predicted: “Better organizing that thousands of users get the correct access rights out of millions is imperative today for reasons of efficiency, effectiveness and ease of transformation. In addition, this management problem will become even bigger and will run further out of hand when organizations start implementing Service Oriented Architectures”.

Business Drivers
So, according to this analyst, better managing and controlling access to information serves not only the auditor’s interest; there is obviously more to it. The auditor looks at effectiveness: do people get only the access rights they need? Do you ensure that access is revoked once it becomes obsolete? There is also a bigger business value: by better organizing access to information you make people work instead of wait for access when they change departments or join a project. Moreover, having organized access well, IT management is much better able to accommodate business dynamics such as reorganizations, acquisitions and divestments. Wouldn’t that be a real change, IT no longer being considered an impediment to change?

Detective versus Preventive
Now if we look at the solutions available in the market to better organize access, you immediately see a big emphasis on detective controls. Vendors, in what they refer to as the identity or access governance space, all offer automated support for processes they refer to as attestation or recertification. These processes require managers to periodically approve endless lists of authorizations for users within their field of responsibility. Though highly unpopular with the managers who need to attest, one may argue that at least some contribution to effectiveness is made. Definitely misleading, however, is the use of the word governance in their communication (unless you feel safe driving around by looking in the rear-view mirror only).

To start offering real added value one needs a completely different concept: a concept based on preventive control. Only once control over the authorization processes has been established, which is a prerequisite for preventive enforcement, can the added value for business come into play. Let me explain.

Access Management: A Familiar Challenge
To get a better grasp of the challenge that comes with managing and controlling access, I often make a comparison with a warehouse. Imagine that the millions of access rights are your stock, and imagine that these millions of access rights need to be distributed correctly over tens of thousands of people. Then it makes sense to learn and understand how warehouse managers solved the problem of management and control. The days when they simply relied on taking inventory or other detective controls are long gone. Instead, what these people have done is to create a management system that helps meet demand quicker (prevent waiting), provides the right material (efficiency and effectiveness) and, above all, knows as early as possible what the business requires, so that the warehouse becomes really responsive and starts contributing to business objectives.

In this sense managing access to information is just the next big thing in the rise of business applications. In the eighties we saw accounting software offering an administration to help business to control and manage the use of financial assets. In the nineties ERP Software offered business an administration to control and manage the use of production assets.

Looking at warehouses today, we see them managed with the help of an administration that serves exactly the purposes we are looking for when managing access rights. It helps to group material in logical bills; it helps to know as early as possible what the business orders; it helps to know who is entitled to request and who isn’t; it helps to ensure that the correct material is issued and taken back again; and it helps to change the warehouse when new materials are adopted.

To better understand the difference between a management application based on preventive enforcement of controls and products that facilitate detective controls such as taking inventory, I’d like to share a little story I recently read that illustrates the difference perfectly:

Once upon a time in a small village lived two families, the Johnsons and the Mullers. Both families had a general store and, as the next city was four days’ travel away, each store had a big warehouse. At the end of each month both families had to work the weekend to attest the stocks in their warehouse. Then someone discovered gold nearby and the village’s population and way of life soared, along with the Johnsons’ and Mullers’ stores and warehouses.

Now not all of the new inhabitants behaved as the original folks did – some were downright mean, even criminals. The law-abiding citizens wanted to protect themselves, so both stores decided to sell not only beans and cookies and such, but also guns and ammunition. The sheriff wasn’t amused and passed regulations saying that not everyone was entitled to buy arms. He made a list of persons who would not be allowed to purchase and own a gun and posted it in the Post Office.

The sheriff was a strict man and he added more people to his list every few days. With these new rules in place, one family, the Johnsons, decided they would now need four days, rather than two, at the end of every month to really check their stocks and accounts and verify that no gun or bullet had been sold to anyone on the sheriff’s list.

Then, one dark and stormy night in December, a man was killed on the street! Everyone saw who shot him: Jack. The sheriff was outraged, as Jack had clearly been on the list since the previous week. The sheriff went to the Johnsons’ store and arrested old Jacob Johnson, the owner. The sheriff knew he wouldn’t have to go to Abe Muller, the other store’s owner. Why was the sheriff so sure?

Well, when the sheriff hung his list for the first time on the Post Office wall, Abe started thinking. “OK, the sheriff’s list is important. I want to be a law-abiding citizen, like all Mullers. What if I could find a way to prevent the selling of guns to people on the list?” Abe went to the sheriff and asked for a copy. The sheriff happily gave him one and promised that every time the list was updated, Abe would get a new copy. Abe instructed his family not to sell guns or ammunition to people on the list. The Mullers were compliant with the sheriff’s law – not once every few days or once per month, but continuously in control of their critical warehouse assets.

After some weeks in the local jail Jacob was released, and he solemnly promised himself that he would never return. To meet the sheriff’s regulations and not sell to people on the list, he started to attest his stocks every week rather than every month. In the meantime, the village kept growing and, unfortunately, so did the sheriff’s list. Now Jacob really became nervous and decided not only to check his stocks weekly; he would also have his own controls checked. Jacob hired an external auditor, who explained that he would need to check on a weekly basis whether Jacob’s employees were checking correctly. Of course, this would not be cheap, but at least at the end of every week Jacob would know for sure what had happened. Some years later the Johnsons went bankrupt.

The Mullers’ business grew and grew. Over the years they extended their checks to cover all of their goods. The Mullers came to see that some of their stock was never sold, whereas some was sold out on the first day of delivery. They started to improve their warehouse management, and today the fifth Muller generation runs a coast-to-coast warehouse store operation. And still no gun will be sold to anyone on the sheriff’s list.

Maturity Model for Access Management
The story shows not only that detective controls alone do not do the job, but also the contours of the maturity stages an organization can be in when it comes to access control and management. With no ‘counter’ whatsoever between business and IT, one must rely on detective measures. That is stage 0. The first step from stage 0 to stage 1 is to establish this counter: a single point of administration where all requests come in, which is also the single point of instruction for system administrators, and which can facilitate preventive control.

We have now stopped the water from pouring into the polder from everywhere; we have established the control that is the only foundation for the jump from stage 1 to stage 2, where we can start cleansing systems and optimizing the main authorization processes.

There are essentially four authorization processes: (1) request and approval of roles, typically supported by workflow; (2) governance, ensuring that access is managed in accordance with applicable policies and rules, typically ensured by an access management application; (3) reporting, to render accountability, typically offered as an add-on to the management application; and (4) synchronization and provisioning, which refers to the automated exchange of information with both source systems (which provide authoritative information about users, their attributes and organizational information) and target systems (which receive authorization instructions from the access management application). Request, governance and reporting are very much business-driven processes; provisioning is really IT-driven, as it concerns internal IT processes.
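To make the ‘counter’ of stage 1 concrete, here is an added illustration (not BHOLD’s product or code) of a single point of administration that enforces policy preventively, before any instruction reaches a target system, next to a detective recertification sweep over grants already made. The barred pairs (the sheriff’s list), the segregation-of-duties rule, the users and the entitlements are all constructed sample values.

```python
"""Preventive 'counter' for access requests versus a detective recertification sweep.

Added illustration, not a vendor product. Policy data, users and entitlements are
constructed: BARRED plays the sheriff's list (user, entitlement) pairs that may never
be granted; SOD_RULES holds entitlement pairs that must not be held together.
"""
from dataclasses import dataclass, field

SOD_RULES = {frozenset({"create_vendor", "approve_payment"})}   # constructed
BARRED = {("jack", "trading_limit_override")}                     # constructed


@dataclass
class Counter:
    """Single point of administration: every request passes here before provisioning."""
    barred: set = field(default_factory=lambda: set(BARRED))  # current sheriff's list copy
    grants: dict = field(default_factory=dict)                # user -> set of entitlements
    instructions: list = field(default_factory=list)          # what target systems get told

    def violations(self, user, entitlement):
        """Policy checks for one (user, entitlement); returns the reasons it fails."""
        reasons = []
        if (user, entitlement) in self.barred:
            reasons.append("barred")
        held = self.grants.get(user, set())
        for rule in SOD_RULES:
            if entitlement in rule and (rule - {entitlement}) & held:
                reasons.append("sod:" + "+".join(sorted(rule)))
        return reasons

    def request(self, user, entitlement):
        """Preventive control: refuse at the counter, so no provisioning instruction exists."""
        reasons = self.violations(user, entitlement)
        if reasons:
            return ("denied", reasons)
        self.grants.setdefault(user, set()).add(entitlement)
        self.instructions.append(("grant", user, entitlement))
        return ("granted", [])

    def recertify(self):
        """Detective control: grants that violate policy as it stands now (list updated)."""
        findings = set()
        for user, held in self.grants.items():
            for ent in held:
                for reason in self.violations(user, ent):
                    findings.add((user, ent, reason))
        return sorted(findings)


if __name__ == "__main__":
    c = Counter()
    print(c.request("abe", "create_vendor"), c.request("abe", "approve_payment"))
    c.barred.add(("abe", "create_vendor"))   # the sheriff updates his list
    print(c.recertify())
```

The preventive path never emits an instruction for a denied request; the detective path only ever reports what has already been granted, which is exactly the rear-view mirror the article describes.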

Required Functionality
These maturity stages are not only very helpful in determining an approach to establish control and start managing access; they also dictate the requirements for access control products. A product must not only facilitate the use of detective controls (to take inventory in an efficient manner); it must also offer a clear outlook on further maturity stages. It must provide a foundation for the next steps: first, to implement a ‘counter’, the single point of administration that enables preventive control; second, to establish the foundation to optimize the authorization processes of request, governance, reporting and provisioning and start contributing to business objectives.

Information Deployment Efficiency (IDE)
Now the elimination of so-called waste in authorization processes comes into play. To determine where the biggest wins are when it comes to optimizing authorization efficiency, one organization introduced IDE indicators. IDE stands for Information Deployment Efficiency: the ability to make the right information available to the right users. IDE indicators refer, for example, to the time between being hired and having the right access, or the time between joining a project and getting the necessary access. Indicators can also be defined at a tactical level: the time between reorganizing a business unit and ensuring people have access in accordance with the new structure, or the time between acquiring a new business and having integrated the new users’ access. If control or compliance is the main driver, think of IDE indicators such as the time between a user leaving the organization and the actual revocation of access, or the time between requesting and delivering a specific report.

Contribute to Business Requirements
With these performance indicators a project team is able to define the current baseline and set objectives that clearly contribute to business requirements. Bringing the time to get full access down from four weeks to one day is a clear and measurable objective, which helps an IdM project team to maintain focus. This introduces an interesting observation: project teams tend to forget why the project was started in the first place. All too often incredible effort is put into specifying and re-specifying connectors that must support all sorts of policies the team could think of. Does that really contribute to business objectives?

IDE-based performance indicators force your project team to determine where the biggest improvements can be made to meet the objective. Is it really in automating provisioning, as many IT departments tend to think? Or is most of the efficiency lost on the business side: HR personnel unaware that processing their data once every thirty days causes the lion’s share of the delay, or the project manager who only requests access for his new project member once that member is standing in front of his desk?
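The indicators above can be computed from ordinary joiner and leaver event timestamps. The following is an added example, not from the article or from BHOLD: it measures time-to-access and time-to-revoke and splits the joiner delay into stages so the team can see whether the waste sits with HR processing, the requesting manager, approval or provisioning. The stage names and the three users’ timestamps are constructed, and the four-stage split is an assumption about how an onboarding process might be broken down.

```python
"""IDE indicators from a constructed joiner/leaver event log (added example)."""
from datetime import datetime
from statistics import median

# Assumed stage boundaries of the joiner process; each lag is measured to the next event.
JOINER_STAGES = ["hired", "hr_processed", "requested", "approved", "provisioned"]

# Constructed sample: ISO dates per user and event. Two joiners and one leaver.
EVENTS = {
    "alice": {"hired": "2010-03-01", "hr_processed": "2010-03-29", "requested": "2010-03-30",
              "approved": "2010-03-31", "provisioned": "2010-03-31"},
    "bob":   {"hired": "2010-03-08", "hr_processed": "2010-03-29", "requested": "2010-04-02",
              "approved": "2010-04-03", "provisioned": "2010-04-03"},
    "carol": {"hired": "2010-03-10", "left": "2010-04-30", "revoked": "2010-05-20"},
}


def days(start, end):
    """Whole days between two ISO date strings."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).days


def stage_lags(ev):
    """Per-stage delay in days for one joiner, or None if the record is incomplete."""
    if not all(stage in ev for stage in JOINER_STAGES):
        return None
    return {f"{a}->{b}": days(ev[a], ev[b]) for a, b in zip(JOINER_STAGES, JOINER_STAGES[1:])}


def ide_report(events, target_days=1):
    """Median time-to-access, median time-to-revoke, and the stage that loses most time."""
    joiners = [lags for lags in (stage_lags(ev) for ev in events.values()) if lags]
    stage_medians = {k: median(j[k] for j in joiners) for k in joiners[0]}
    time_to_access = [sum(j.values()) for j in joiners]          # hired -> provisioned
    time_to_revoke = [days(ev["left"], ev["revoked"])
                      for ev in events.values() if "left" in ev and "revoked" in ev]
    return {
        "time_to_access_days": median(time_to_access),
        "time_to_revoke_days": median(time_to_revoke) if time_to_revoke else None,
        "bottleneck": max(stage_medians, key=stage_medians.get),
        "stage_medians": stage_medians,
        "joiners_within_target": sum(t <= target_days for t in time_to_access),
    }


if __name__ == "__main__":
    for key, value in ide_report(EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the largest median lag is hired->hr_processed, the monthly HR batch the article points at, while approval and provisioning together cost about a day.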

When investing in Identity and Access Management products, consider how they contribute to optimize authorization processes. That is where the waste is, not in the internal provisioning processes.

Conclusion
I strongly believe that managing access is the next big thing in IT. IT itself has become a significant production asset and the use of information has become a critical success factor in achieving business objectives. Old style detective control measures simply do not do the job and a new approach is needed. In determining the approach it is useful to learn how business mastered the use of other assets and apply these lessons in managing the deployment of information smartly.

Contact details:
Sabine Iltink, Marketing Manager
T: +31 6 4323 7080
E: s.iltink@bholdcompany.com
www.bholdcompany.com