The UK’s National Cyber Security Centre defines access management as “policies, processes and systems which support binding an individual to a set permission within your system”. But to offer real value to the business, access management must go further. Access management needs to proactively help the organisation achieve the maximum value from its investments in its systems and people. There are several aspects to this.
The first aspect is provisioning. This is the process of granting users with the permissions they need to access their entitled services. Users will have different entitlements for different roles. These will change as they progress through the organisation, and as services are onboarded and offboarded. Finally, provisioning needs to be timely, so that users always have the right level of access.
Managing this manually can be costly and error-prone. Automation is possible using homegrown code, but this can be costly to develop and maintain and is rarely transparent.
The second is discovery. Your organisation will provide many services to its users. There will be a cost to providing these services, such as a subscription. To recognise a Return on Investment (RoI) these services must be used. However, this won’t happen if users aren’t aware of them. And so each underused service wastes the business’ resources.
It can be tricky to raise awareness effectively. For example, users only need to know about those services that are actually relevant to them. User education can help, but your service portfolio can change faster than users can be informed. That’s why it’s essential to make services easy to discover.
Authentication and authorisation
The third aspect, authentication and authorisation, is the most critical part of access management. It has to be simple, or else users may struggle to access their services. It has to be secure, to prevent access by unauthorised users. And it has to be seamless, so that users enjoy a consistent experience of services delivered by a wide range of providers.
Achieving all three of simple, secure, and seamless can be challenging because there can be trade-offs or additional costs. For example multifactor authentication (MFA) can enhance security, but also reduce simplicity and increase costs by requiring an MFA solution. Getting the right balance is the key to effective access management.
Reporting provides the “who, when, what” of access management, giving visibility into the use (and abuse) of your services. Because so many services depend on access management, reporting can offer an unparalleled view of the use – and abuse – of the organisation’s digital estate. This helps with a range of activities, such as end user support, identifying security issues, and assessing the RoI of your SaaS subscriptions.
In summary, an access management solution must go beyond “keeping the bad guys out”. To create real business value, it needs to increase efficiency through automation and reporting; and drive user productivity by providing simple and seamless access to all their services.
If you would like to know more about access management, please visit our Able+ pages