How can I manage the identity journey for staff and students without experiencing access creep?
Access creep occurs when users are granted more access than they need. It is a common consequence of ineffective identity and access management (IAM). It leaves users over-permissioned, which increases the risk of a security incident if such accounts are abused or compromised. Managing access permissions is challenging, and organisations often ask us how they can do it most effectively for their staff, students and other users. It can seem like a daunting task, especially if you have many users or complex permission structures. However, having the right strategies in place will help you manage it more easily.
Line managers and/or service owners should periodically review their users’ access rights.
These reviews, known as attestation or user recertification, will help to ensure that people only have the access they need. Reviewing access rights is a foundational activity that, once embedded in your organisation, will help identify security risks and prevent unauthorised access. It can be labour intensive to implement and operate, so having the right tools to help automate the reviews is critical.
Your organisation should implement role-based access control (RBAC) for IAM.
Assigning access based on role reduces the risk of access creep by preventing users’ permissions from accumulating over time and ensuring they remain relevant to their role. It will also help you track permissions, grant and revoke access quickly, and ensure that users only have access to the resources they need. Automated permissions management can also reduce the burden on IT staff, who may otherwise spend significant time manually assigning and revoking access permissions, or who may not do it at all.
Establish clear J/M/L policies and processes regarding RBAC.
Organisational roles should be defined, with permissions assigned to each role appropriate to its duties. These should be linked to clear processes regarding joiners, movers and leavers for each role. They should be developed with input from key stakeholders, such as department heads, HR and Finance, to ensure that they align with the organisation’s business and security strategy. Make sure that they are documented, updated as the business evolves, and communicated to relevant staff. You may want to consider issues such as toxic combinations and segregation of duties for certain roles and duties; addressing these reduces the business risk of a bad actor attempting to subvert these controls.
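The following is an added example, not part of the original article and not Able+ code, showing how the ideas above fit together in a small RBAC model: joiner, mover and leaver transitions that keep permissions tied to a role, a recertification (attestation) report that flags permissions no current role justifies, and a segregation-of-duties check for toxic combinations. The roles, permissions, users and the toxic combination are all constructed for illustration.

```python
"""Added example (not Able+ code): a minimal RBAC model with joiner/mover/leaver
handling, an attestation report that surfaces access creep, and a
segregation-of-duties check. Every role, permission and user here is constructed."""
from dataclasses import dataclass, field

# Constructed role catalogue: each role maps to the permissions its duties require.
ROLES = {
    "student": {"lms:read", "library:read"},
    "lecturer": {"lms:read", "lms:grade", "library:read"},
    "finance_clerk": {"finance:raise_po"},
    "finance_approver": {"finance:approve_po"},
    "it_admin": {"directory:admin", "lms:admin"},
}

# Constructed toxic combinations: one person should never hold both permissions.
TOXIC_COMBINATIONS = [
    ({"finance:raise_po", "finance:approve_po"}, "raise and approve own purchase orders"),
]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Permissions granted outside the role model (ad-hoc requests): the usual source of creep.
    direct_grants: set = field(default_factory=set)
    active: bool = True

    def effective_permissions(self):
        """Everything the account can actually do: role permissions plus direct grants."""
        return set().union(*(ROLES[r] for r in self.roles)) | self.direct_grants


def joiner(name, role):
    """Joiner: a new account gets exactly the permissions of its starting role."""
    return User(name=name, roles={role})


def mover(user, old_role, new_role):
    """Mover: swap the role rather than add to it, and drop direct grants that
    only duplicated the old role, so permissions do not accumulate."""
    user.roles.discard(old_role)
    user.roles.add(new_role)
    user.direct_grants -= ROLES[old_role]
    return user


def leaver(user):
    """Leaver: disable the account and strip all access; keep the record for audit."""
    user.active = False
    user.roles.clear()
    user.direct_grants.clear()
    return user


def recertify(users):
    """Attestation report: for each user, the permissions not explained by any
    current role. These are the grants a line manager or service owner must
    justify or revoke during the review."""
    report = {}
    for u in users:
        role_perms = set().union(*(ROLES[r] for r in u.roles))
        creep = u.direct_grants - role_perms
        if creep:
            report[u.name] = sorted(creep)
    return report


def toxic_combinations(users):
    """Segregation-of-duties check over effective permissions (roles and direct grants)."""
    findings = []
    for u in users:
        perms = u.effective_permissions()
        for combo, reason in TOXIC_COMBINATIONS:
            if combo <= perms:
                findings.append((u.name, reason))
    return findings


if __name__ == "__main__":
    alice = joiner("alice", "finance_clerk")
    alice.direct_grants.add("finance:approve_po")  # ad-hoc grant "to cover holiday"
    bob = joiner("bob", "student")
    bob.direct_grants.add("lms:grade")  # leftover from a teaching-assistant stint
    mover(bob, "student", "lecturer")   # now justified by role, so no longer creep
    print("creep:", recertify([alice, bob]))
    print("toxic:", toxic_combinations([alice, bob]))
```

The report deliberately treats direct grants as the thing to recertify: anything a role explains needs no review, and anything a role does not explain is exactly what a manager must attest to. The mover path is where creep is most often introduced in practice, which is why it swaps roles instead of adding one.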
In conclusion, managing role-based permissions for staff, students and other users is essential for ensuring the security of your organisation. Developing a clear policy, automating permissions management and regularly monitoring permissions are the key steps that will reduce the risk of unauthorised access.
Learn more about Able+
If you would like to know more about Able+ and how it can support your organisation, please get in touch with our identity and access solution experts.