Account and Access Right Management
The growing number of information technologies in use in an organization makes account and access rights management an increasingly pressing task.
Open Technologies implements integrated projects that automate account and access rights management and tie account management into the organization's information security systems.
Higher levels of automation mean that more and more business processes run in dedicated corporate applications. Consequently, the number of business-critical multi-user applications at large and medium-sized enterprises keeps growing. From an information security standpoint, the most important task in such a heterogeneous environment is managing access rights to information assets.
Today most heterogeneous environments still manage access rights separately per system. The access policy is defined independently for each application, and that application's administrators are responsible for enforcing it. This approach has several drawbacks:
- it is difficult (or even impossible) to verify that a user's access rights match his or her job duties and the access policy;
- a user's rights cannot be managed in all applications at once (for example, creating or deleting all accounts belonging to one user);
- the procedures for obtaining access to information assets are often not automated and are therefore labour-intensive, which degrades the productivity of administrators and of users who cannot get the access they need;
- the procedures for granting access are often informal, which creates the risk of privileges being assigned incorrectly.
To solve this problem effectively, Open Technologies offers to implement an integrated account and access rights management system. Building such a system has become possible thanks to specialized products (administration automation systems, metadirectories, LDAP directories) and proven methods for deploying them.
The cornerstone of the integrated account and access rights management system is the corporate access policy, which is part of the general information security policy. The access policy describes the possible user roles, the rights attached to each role, and the requirements for the procedures by which roles and privileges are assigned and changed. If necessary, experienced Open Technologies consultants will carry out a comprehensive review of the enterprise's information security and help the customer's specialists update or redefine the information security policy.
The formalized access policy is loaded into the system core. Specialized connector agents linking the core to the corporate applications compare the rights users actually hold in each application with the access policy. Discrepancies can be eliminated automatically, routed to authorized managers for approval, or included in a report for later manual remediation.
The solution includes a single administration point for user data. From one screen an administrator can create, change and delete all accounts in all applications, without entering the same data twice. Data can also be synchronized across all applications, so that user accounts are created or deleted automatically on the basis of data from the HR system; the rights that govern each user's use of information assets are then set automatically in accordance with the access policy.
Advantages of the integrated system:
A more efficient account management mechanism reduces the risks arising from incorrectly entered access rights data and improves the productivity of both users and administrators: users (for example, new employees) no longer wait for access to the applications they need, and administrators are freed from routine account management across several applications.
One component of the solution is the ability to automate access management procedures. The sequence of steps for granting access rights is formalized as a workflow that includes, for example, a request for approval sent to the authorized manager.
The same mechanism can be used to automate other procedures, for example issuing passes or office equipment to employees.
Other capabilities of the proposed solution:
- reports showing when (and on whose instruction) particular access rights were granted;
- self-service: users can request the creation of accounts or changes to their access rights, and change their passwords in applications (possibly in all applications at once); new passwords are checked against the requirements (minimum length, no repeated characters, no reuse of previous passwords, etc.), and a user who has forgotten a password can reset it after answering security questions;
- detection of "orphan" accounts that are not attributed to any known user;
- locking an individual user's access to all applications at once;
- delegated administration: account and access rights management tasks can be handed to authorized employees, for example information security officers, heads of departments or HR staff, while the scope of their administrative authority remains limited (for example, a department head can manage only the accounts of his or her own department);
- integration with web application access control, single sign-on (Web and Desktop SSO) and multi-factor authentication.
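The comparison of actual application rights against the role policy, the HR-driven creation and disabling of accounts, the detection of orphan accounts and the "lock everywhere" operation listed above all rest on one reconciliation step. The following is an added example of that step, written for this page and not taken from any of the products named below; the role policy, the HR feed, the application exports and the remediation rules (revocations applied automatically, grants routed for approval, orphans reported) are all constructed assumptions.

```python
"""Added example: reconcile application accounts against a role-based access policy.

All data below is constructed for illustration; it is not from any IAM product.
"""
from dataclasses import dataclass

# Role-based access policy: role -> application -> entitlements the role must hold.
ROLE_POLICY = {
    "accountant": {"erp": {"gl_read", "gl_post"}, "crm": {"contacts_read"}},
    "sales": {"crm": {"contacts_read", "deals_write"}},
    "it_admin": {"erp": {"gl_read", "erp_admin"}, "crm": {"crm_admin"}},
}

# HR feed: the authoritative record of who exists, their role and their status.
HR_FEED = [
    {"login": "ivanov", "role": "accountant", "status": "active"},
    {"login": "petrova", "role": "sales", "status": "active"},
    {"login": "sidorov", "role": "it_admin", "status": "terminated"},
]

# Exports collected by the connector agents: app -> login -> account state.
APP_EXPORTS = {
    "erp": {
        "ivanov": {"enabled": True, "entitlements": {"gl_read", "gl_post", "erp_admin"}},
        "sidorov": {"enabled": True, "entitlements": {"gl_read", "erp_admin"}},
        "svc_backup": {"enabled": True, "entitlements": {"gl_read"}},
    },
    "crm": {
        "ivanov": {"enabled": True, "entitlements": {"contacts_read"}},
        "petrova": {"enabled": True, "entitlements": {"contacts_read"}},
    },
}


@dataclass(frozen=True)
class Finding:
    app: str
    login: str
    kind: str  # missing_account | missing_entitlement | excess_entitlement | disable_required | orphan_account
    detail: str = ""


def reconcile(policy, hr_feed, app_exports):
    """Compare every application against HR data and the role policy; return the discrepancies."""
    findings = []
    known = {u["login"] for u in hr_feed}
    # Pass 1: walk the authoritative side (HR + policy) and check each application.
    for user in hr_feed:
        login, wanted_by_app = user["login"], policy.get(user["role"], {})
        for app, accounts in app_exports.items():
            acct = accounts.get(login)
            if user["status"] != "active":
                # Leaver: any still-enabled account must be disabled, whatever rights it holds.
                if acct is not None and acct["enabled"]:
                    findings.append(Finding(app, login, "disable_required", "HR status: terminated"))
                continue
            wanted = wanted_by_app.get(app, set())
            if acct is None:
                if wanted:  # joiner or role change: account has to be created with these rights
                    findings.append(Finding(app, login, "missing_account", ",".join(sorted(wanted))))
                continue
            held = acct["entitlements"]
            for ent in sorted(wanted - held):
                findings.append(Finding(app, login, "missing_entitlement", ent))
            for ent in sorted(held - wanted):
                findings.append(Finding(app, login, "excess_entitlement", ent))
    # Pass 2: an account whose login is unknown to HR is an orphan (service or forgotten account).
    for app, accounts in app_exports.items():
        for login in sorted(accounts):
            if login not in known:
                findings.append(Finding(app, login, "orphan_account"))
    return findings


# Assumed remediation rules: revocation and lock-out are safe to automate, granting rights
# needs a manager's approval, orphans go to a report because nobody is authorized to own them.
AUTOMATIC = {"excess_entitlement", "disable_required"}
NEEDS_APPROVAL = {"missing_account", "missing_entitlement"}


def triage(findings):
    """Split findings into the three handling paths."""
    buckets = {"automatic": [], "approval": [], "report": []}
    for f in findings:
        key = "automatic" if f.kind in AUTOMATIC else "approval" if f.kind in NEEDS_APPROVAL else "report"
        buckets[key].append(f)
    return buckets


def lock_everywhere(login, app_exports):
    """Return the (app, login) disable actions that lock one user out of every application at once."""
    return [(app, login) for app, accounts in sorted(app_exports.items())
            if login in accounts and accounts[login]["enabled"]]


if __name__ == "__main__":
    for path, items in triage(reconcile(ROLE_POLICY, HR_FEED, APP_EXPORTS)).items():
        for f in items:
            print(f"{path:9} {f.app:4} {f.login:11} {f.kind:20} {f.detail}")
    print("lock ivanov:", lock_everywhere("ivanov", APP_EXPORTS))
```

With the constructed data the run flags ivanov's surplus erp_admin right and the still-enabled account of the terminated user sidorov for automatic revocation, routes petrova's missing deals_write right to her manager for approval, and reports the svc_backup account in the ERP as an orphan. Treating the HR feed as the only source of truth is what makes the orphan check meaningful; any account that cannot be traced to a person in that feed is by definition unowned.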
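The self-service password change mentioned above has to enforce the password requirements before a new password is pushed to the applications. The following is an added example of such a check, written for this page rather than taken from any product; the minimum length, the history depth and the reading of "no repeated characters" as "no character three or more times in a row" are assumed policy values, and the previous passwords are kept only as salted PBKDF2 hashes so that the history itself never stores a usable secret.

```python
"""Added example: validate a new self-service password against an assumed policy.

Policy values and the sample history are constructed for illustration.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 12        # assumed policy value
MAX_REPEAT_RUN = 2     # assumed: a character may not appear more than twice in a row
HISTORY_DEPTH = 5      # assumed: reuse of any of the last five passwords is rejected
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used for the password history (never the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def remember(password: str, history: list) -> None:
    """Append the new password to the user's history as (salt, digest)."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def matches_history(password: str, history: list) -> bool:
    """True if the candidate equals one of the last HISTORY_DEPTH passwords (constant-time compare)."""
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in history[-HISTORY_DEPTH:])


def check_password(password: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run > MAX_REPEAT_RUN:
            problems.append(f"character {cur!r} repeated more than {MAX_REPEAT_RUN} times in a row")
            break
    if matches_history(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    hist = []
    remember("Correct-Horse-Battery-1", hist)
    for candidate in ("Correct-Horse-Battery-1", "short", "aaab-long-enough-pw", "Fresh-Passphrase-2"):
        print(repr(candidate), "->", check_password(candidate, hist) or "accepted")
```

The history check recomputes the candidate under each stored salt, so the cost grows with the history depth; keeping the depth small and the iteration count at a level the self-service front end can afford is the usual trade-off.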
In building these solutions Open Technologies uses software from the leading vendors in the field: administration automation tools (IBM Tivoli Identity Manager, Oracle Identity Manager, NetIQ Identity Manager, Quest One Identity Manager, Microsoft Forefront Identity Manager), metadirectories (IBM Directory Integrator) and LDAP directories (Microsoft Active Directory, IBM Directory Server, Oracle Internet Directory, Novell eDirectory).
Qualified Open Technologies consultants and engineers provide the full range of services for automating account management and access rights management: from reviewing and updating the access policy, through selection of software products, design, installation and commissioning of the system, to personnel training and technical support of the implemented solution.