During a recent inventory of the systems and functions that their IT department supported, a number of challenges were found. We will now have a look at some of the identity management (IdM)-related challenges that were uncovered.
The Financial Company discovered a new employee or contractor may wait up to a week before accounts are provisioned to the various required systems, and the correct access is granted to each person to do his/her job. The Financial Company would like account provisioning and proper access granted within a few hours.
A number of identity life cycle management issues were found.
Changes in roles took way too long. Access based on old roles continued even after people were moved to a new function or after they changed their job. The termination and disabling of identities was also sometimes missed. A security review found active accounts of users who had left the company more than six months ago.
The security review found one HR consultant who had left The Financial Company months ago that still had VPN access and an active administrative HR account. The access should have been disabled when the project was completed and the consultant's contract had ended.
The Financial Company would like a way of defining identity management policies and a tool that detects anomalies and enforces their business policies. The Financial Company would like business policy enforcement to take no more than a few hours.
The Financial Company has been successful in reducing the number of powerful administrative accounts over the last few years; however, a few still exist. There are also other highly privileged accounts and a few highly privileged digital identities, such as code signing certificates. The concern is that the security of these accounts is not as strong as it should be.
Public key infrastructure (PKI) within The Financial Company is a one-layer PKI, using an Enterprise Root CA without hardware security module (HSM). The CSO is concerned that it is not sufficient to start using smart cards because he feels the assurance level of the PKI is not high enough.
The helpdesk at The Financial Company spends a lot of time helping users who have forgotten their password. Password resets are done for internal users as well as partners with access to shared systems.