
Constantly In Control: Automating the internal IT audit

May 8, 2014

Dean Wiech, Managing Director of Tools4ever

The work of IT managers and security officers is often dictated by impending internal information audits. Typically, the audits are regarded as a highly inconvenient and unpleasant experience, and in many cases the results and the recommendations for improving processes that come out of them are simply ignored because there is no mandatory requirement to act on them.

Additionally, in many cases audit recommendations are identical to those of previous audits because little has changed in the organization’s processes. Common reasons for not making the recommended changes are that sorting out authorization issues, for example, is a very complicated process that takes considerable resources, or that the organization lacks the expertise to resolve the issues in-house. Consequently, IT managers and security officers simply learn to live with the results of the audits and carry on as if nothing is amiss.

Organizations that do not have their access rights structures in order experience considerable difficulty. As time goes on, however, many are beginning to realize that instead of an annual audit followed by an extensive clean-up operation, automating the process and exercising constant control over the identities in their networks, their lifecycles and their authorizations is a more efficient and manageable approach.

What’s leading them to realize the importance of more regular information audits? The following are a couple of examples:

Broader information access
Information must be more widely accessible. For example, alongside staff members, external parties need or want to have access to parts of data and information systems — a wholesaler offering a portal for its clients to place orders or download invoices; citizens increasingly needing access to a local municipality’s information systems for tax and property information; healthcare patients steadily acquiring more access to their own medical information.

As organizations continue to expand their Active Directory usage, they are also taking the initial steps to build an ancillary LDAP store to simplify access to other information systems. This means that in addition to identifying employees on the network, external parties must now also be identified and provisioned there as well. As such, a user ID and password are needed and people have to authenticate themselves to gain access to the information systems.

Quality and control
Two things are important when it comes to providing information to external parties. First, the quality of the information is vitally important. The information provisioned must be consistent and of a high quality. Second, even more so than for internal clients, it is crucial that an organization retain control over the authorizations for external clients.

What this means: There is a necessity to block the user accounts of internal employees once they leave the organization so that they no longer have access to confidential data after departure. For external clients, this need is even greater because there is often a monetary component. In other words, a client that has not fulfilled its payments should no longer have access to the service. In short, for internal clients the issue is one of security, while for external ones there is usually a cost involved as well.

Audits as business events
Broader information access is the main reason why organizations want to have more control over identities, lifecycles and authorizations. But how is this achieved? How can an IT manager or security officer conduct perpetual audits?

Remove this duty from the IT department and shift it to the organization, letting the organization audit itself continually rather than perform annual audits. To achieve this, organizational leaders need to make a major transition and translate IT-related events into business events. These events can be offered through a self-service dashboard as long as the events are understandable and can be performed easily.

For example, if a manager sees on his dashboard that a new employee was added to an AD group yesterday, then it has to be absolutely clear what action is expected of him. The manager can decide that this is a high-risk change and that he wants to approve these authorizations first. However, it may be the case that the manager is in general agreement with the authorization and does not wish to see the notification in his dashboard for the next several months. The manager might also decide that the assignment should be cancelled or that the authorization is given a specific duration. Either way, the event becomes a business operation, and the responsibility for managing the employee’s access now lies with the employee’s manager rather than with an IT department overseeing all of these tasks.

Assign appropriate roles for review to specific business departments
Self-service portals can be set up so that business leaders can understand them, and this can be done in a very pragmatic way. Start by identifying the most common change requests submitted to the service desk. Often these are password reset calls and requests for application, system or physical access. Password reset calls are fairly easy to address through a self-service system. Software exists to enable end-users to reset their own passwords once they have authenticated themselves through a number of personal and security questions.

For requests for logical access, identify which application or folder rights are most often requested, then assign an owner per application. For high-risk applications, agreement is needed from the appropriate department. For applications that incur high licensing costs, assign the responsibility to a license manager. In this simple manner, gradually shifting the ownership of assigning authorizations and managing identities to specific departments within the organization allows the business to audit itself continually.
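As an added example (not from the article or from Tools4ever), the following Python model shows the workflow described above: a raw AD "member added" record is translated into a business event, routed to the line manager, to the application owner for high-risk applications, or to the license manager for costly software, and the reviewer's decision (approve, cancel, hide the notice for a period, or grant for a fixed duration) is applied and enforced. The group names, owner accounts, risk labels, the `license.mgr` account and the sample events are all constructed for this demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Constructed AD-group catalogue: application behind each group, its owner, risk class, licence cost
CATALOG = {
    "GG-Finance-SAP":   {"app": "SAP", "owner": "sap.owner", "risk": "high", "licensed": False},
    "GG-Adobe-CC":      {"app": "Adobe CC", "owner": "cc.owner", "risk": "low", "licensed": True},
    "GG-Intranet-Read": {"app": "Intranet", "owner": "web.owner", "risk": "low", "licensed": False},
}
LICENSE_MANAGER = "license.mgr"  # hypothetical account of the licence manager
@dataclass
class BusinessEvent:
    user: str
    app: str
    reviewer: str                        # who must act on this event
    needs_dept_approval: bool            # high-risk apps also need the department's agreement
    status: str = "pending"              # pending | approved | revoked
    expires: Optional[date] = None       # set when the reviewer grants time-limited access
    hidden_until: Optional[date] = None  # set when the reviewer snoozes the notification

def translate(ad_event: dict, line_manager: str) -> BusinessEvent:
    """Turn a raw AD 'member added' record into a business event routed to one reviewer."""
    meta = CATALOG[ad_event["group"]]
    if meta["licensed"]:
        reviewer = LICENSE_MANAGER  # costly software: the licence manager decides
    elif meta["risk"] == "high":
        reviewer = meta["owner"]    # high-risk application: its owner decides
    else:
        reviewer = line_manager     # routine access: the employee's manager decides
    return BusinessEvent(ad_event["user"], meta["app"], reviewer, meta["risk"] == "high")

def decide(ev: BusinessEvent, action: str, today: date, days: int = 0) -> BusinessEvent:
    """Apply the reviewer's choice: approve, revoke, snooze the notice, or time-limit the grant."""
    if action == "approve":
        ev.status = "approved"
    elif action == "revoke":
        ev.status = "revoked"
    elif action == "snooze":  # keep the grant but hide the notice for `days`
        ev.status, ev.hidden_until = "approved", today + timedelta(days=days)
    elif action == "limit":   # grant, but only until the expiry date
        ev.status, ev.expires = "approved", today + timedelta(days=days)
    return ev

def access_valid(ev: BusinessEvent, today: date) -> bool:
    """An approved grant stays valid only while it has not passed its expiry date."""
    return ev.status == "approved" and (ev.expires is None or today <= ev.expires)

def on_dashboard(ev: BusinessEvent, today: date) -> bool:
    """Show the event unless the reviewer snoozed it and the snooze has not yet lapsed."""
    return ev.hidden_until is None or today > ev.hidden_until
```

A real deployment would feed `translate` from the directory's change log and have `access_valid` drive the actual removal of expired group memberships.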

Dean Wiech is managing director of Tools4ever, a global provider of identity and access management solutions.
