December 28, 2022

Identity Management – Know Your Environment, Know Your Users - WST

Managing and supporting all the identities used by an organization is often a daunting task, but it is critical to understand and control all the various accounts in your environment. The process generally starts with knowing your environment first.

Active Directory is still the primary user database for most organizations, but it is rarely the only place that holds critical accounts. As organizations add services and resources, the number of platforms that require identity management goes up. Consider the short list of services below, think about what your organization is using for each, and then consider how users are managed in each platform:

  • HR/payroll services
  • Virtual infrastructure
  • Firewalls or IDS/IPS systems
  • Wi-Fi solutions
  • Third-party platforms
  • Antivirus or other security systems
  • SIEM or log aggregation systems
  • Et cetera, et cetera - the list goes on and on

Each of the systems and platforms above is going to have some sort of user database associated with it - even if it’s just for administrative access - and each of those should have identity management processes in place. Some platforms may offer single sign-on services that can reduce administrative overhead – but that doesn’t remove the need to understand and catalog that integration.

When you have documented your environment, then you can look at enhancing your identity management processes, such as staff onboarding, offboarding, and role changes, to include the added platforms and systems. You can also tighten up your regularly scheduled user access reviews to include the additions, so you can confirm that the day-to-day identity management processes are working as expected.
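A minimal sketch of the cross-platform user access review described above, added here as an illustration and not taken from the original post: it reconciles an HR roster against account exports from each catalogued platform and flags enabled accounts that have no active owner. The CSV layouts, platform names and sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample: the HR roster is treated as the source of truth for employment status.
HR_ROSTER = """employee_id,email,status
1001,akim@example.com,active
1002,bross@example.com,active
1003,cdiaz@example.com,terminated
"""

# Constructed sample: one account export per platform in the documented inventory.
PLATFORM_EXPORTS = {
    "active_directory": """account,email,enabled
akim,akim@example.com,true
bross,bross@example.com,true
cdiaz,cdiaz@example.com,false
""",
    "firewall_admin": """account,email,enabled
admin,,true
cdiaz,cdiaz@example.com,true
""",
    "siem": """account,email,enabled
bross,BRoss@example.com,true
""",
}

def load(text):
    """Parse CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def review_access(hr_csv, exports):
    """Return (platform, account, reason) for each enabled account needing review."""
    status = {r["email"].strip().lower(): r["status"] for r in load(hr_csv)}
    findings = []
    for platform, text in sorted(exports.items()):
        for row in load(text):
            if row["enabled"].strip().lower() != "true":
                continue  # disabled accounts are out of scope for this check
            email = row["email"].strip().lower()  # normalise case before matching
            if not email:
                reason = "no owner recorded (shared or local account)"
            elif email not in status:
                reason = "owner not in HR roster"
            elif status[email] != "active":
                reason = "owner is " + status[email] + " in HR"
            else:
                continue
            findings.append((platform, row["account"], reason))
    return findings

if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, PLATFORM_EXPORTS):
        print(*finding, sep=" | ")
```

In the sample data the offboarded user is disabled in Active Directory but still enabled on the firewall, which is the kind of gap a review limited to Active Directory would miss.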

Lastly, consider that these processes may not just be IT’s responsibility. Human Resources, business unit leaders, internal audit, and Information Security may all have input when answering the “who needs access to what” question. Think about the specifics in your organization and consider what gaps may need to be addressed.

Authored by: David Bentley, CISSP
