It seems that every week the news is reporting on yet another story of hackers accessing sensitive information, compromising credit card systems or bringing websites to a crawl. One thing you seldom, if ever, read about is employees accessing information on the company's network they really should not be able to access.

Organizations spend a tremendous amount of money and effort to try to prevent outside intrusion, but they often overlook the internal controls needed to secure data from prying eyes. Furthermore, imagine if the ability to control who has access to what data and applications within a company disappeared overnight. Anyone would be able to access payroll records, sensitive client documents and, in healthcare, confidential patient records.

Obviously, losing that amount of control over data would be devastating to an organization, and a complete loss of that kind is unlikely. Organizations tend to treat their most sensitive data, like payroll information, with the utmost level of security.

However, they often overlook access rights to the rest of their data stores and applications, because managing those rights at scale becomes cumbersome and difficult. The IT group takes the task of managing access rights seriously and does the best it can with limited tools and resources.

Still, the question needs to be asked: "How can we do a better job without increasing headcount or spending inordinate amounts of money?"

To get started on an identity and access governance project, the following are suggested steps to ensure success:

  • Document the current processes for creating and managing user access rights to data and applications — both on premises and in the cloud
  • Classify the data and applications according to sensitivity
  • Determine what level of control and approval will apply to each sensitivity level
  • Research and implement available products for identity and access governance (IAG) that meet your requirements for workflow and can be adapted to your process
  • Use the IAG platform to perform an audit of the current access rights
  • Based on the audit, determine which access is appropriate and establish a role-based access control (RBAC) matrix to ensure correct rights are assigned to individuals going forward
  • Correct any errors in existing employees' access rights
  • Implement an automated request and approval process for additional access rights above the standard for employees in specific roles
  • Implement attestation procedures under which managers and data owners periodically review access and change it where needed
  • Ensure proper procedures to revoke all access and network rights when an employee leaves or is terminated
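As an added example that is not part of the original article, the script below shows the core of the audit step in the list above: it compares a snapshot of the access each account actually holds against an RBAC matrix derived from HR role assignments, and reports excess rights (net of approved exceptions from the request/approval workflow), rights a role is entitled to but lacks, accounts belonging to terminated employees that were never revoked, and orphan accounts with no HR record at all. The RBAC matrix, HR feed, access snapshot, exception list and every entitlement name are constructed sample data; a real IAG deployment would feed these from the directory and application exports.

```python
"""Audit actual access against an RBAC baseline.

Added example, not from the original article. All roles, entitlements,
employees and approvals below are constructed sample data.
"""
from dataclasses import dataclass

# Hypothetical RBAC matrix: the standard entitlements each role carries.
RBAC_MATRIX = {
    "payroll-clerk": {"payroll:read", "payroll:write"},
    "hr-generalist": {"hr:read", "payroll:read"},
    "developer": {"repo:read", "repo:write", "ci:run"},
    "contractor-dev": {"repo:read"},
}

# Hypothetical HR feed: user -> (employment status, assigned roles).
HR_RECORDS = {
    "alice": ("active", ["payroll-clerk"]),
    "bob": ("active", ["developer"]),
    "carol": ("terminated", ["hr-generalist"]),
    "dave": ("active", ["contractor-dev"]),
}

# Hypothetical snapshot of what each account really holds, as it would be
# exported from directory groups and application role tables.
ACTUAL_ACCESS = {
    "alice": {"payroll:read", "payroll:write", "hr:read"},  # hr:read is outside her role
    "bob": {"repo:read", "repo:write"},                      # lacks ci:run from his role
    "carol": {"hr:read", "payroll:read"},                    # terminated, never revoked
    "dave": {"repo:read", "repo:write"},                     # contractor with write access
    "eve": {"repo:read"},                                    # no HR record: orphan account
}

# Hypothetical approved exceptions from the request/approval workflow.
APPROVED_EXCEPTIONS = {("alice", "hr:read")}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str  # "terminated_access", "orphan_account", "excess" or "missing"
    entitlements: frozenset


def expected_entitlements(rbac, roles):
    """Union of the standard entitlements for every role a user holds."""
    expected = set()
    for role in roles:
        expected |= rbac.get(role, set())
    return expected


def audit(rbac, hr, actual, exceptions):
    """Reconcile the access snapshot against HR status and the RBAC matrix."""
    findings = []
    for user, held in sorted(actual.items()):
        if user not in hr:
            # An account with no owner in HR cannot be attested by anyone.
            findings.append(Finding(user, "orphan_account", frozenset(held)))
            continue
        status, roles = hr[user]
        if status != "active":
            # Any access at all on a terminated employee's account is a finding.
            findings.append(Finding(user, "terminated_access", frozenset(held)))
            continue
        expected = expected_entitlements(rbac, roles)
        excess = {e for e in held - expected if (user, e) not in exceptions}
        missing = expected - held
        if excess:
            findings.append(Finding(user, "excess", frozenset(excess)))
        if missing:
            findings.append(Finding(user, "missing", frozenset(missing)))
    return findings


def report(findings):
    """Render findings as one line each, for the reviewer or ticket queue."""
    return [f"{f.user}: {f.kind} {sorted(f.entitlements)}" for f in findings]


if __name__ == "__main__":
    for line in report(audit(RBAC_MATRIX, HR_RECORDS, ACTUAL_ACCESS, APPROVED_EXCEPTIONS)):
        print(line)
```

Alice produces no finding because her out-of-role right was granted through the approval workflow; Dave's extra write access and Carol's lingering rights are exactly the cases the attestation and revocation steps exist to catch.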

Implementing proper procedures and auditing existing rights is an extremely time-consuming process. Many commercially available systems exist to assist with these processes.

Additionally, by implementing tight controls with appropriate approval processes, an organization can be assured that each employee's access is consistent with what is required to perform his or her job responsibilities, and nothing more.

Not having correct identity and access management policies and systems in place can open an organization up to lawsuits, loss of client confidence and violation of federal regulations. A seemingly trivial error could also have the same ruinous effects as having no system at all.