As most companies and organizations adjusted to the abrupt change, I must admit that I missed some of the challenges they were facing. Our company, One Identity – which is a Quest Software business, was probably more prepared than most since a good portion of the employees are remote or travel extensively. I assumed the capabilities were already in-place for others, but I was wrong. Many of the things our IT organization has put in place for us to work from anywhere, such as automated role management, provisioning, MFA, access to internal and cloud-based applications, automated management of O365, etc. just didn't exist or weren't setup to scale for many companies.

After the initial surge to work from home I spoke to a few companies and realized how wrong I was. Some were telling users to setup a time to come to the office alone, pack up their workstation onto their wheeled office chair, and take it all home to plug in and call back to the helpdesk to get it working. A few companies only have VPN access for admins and these admins operated without any auditing, but now they need everyone on the VPN. Many, many organizations I spoke to had things like MFA, secure remote access, privileged account monitoring on their long term roadmap of IT projects but hadn't started these security initiatives because they had yet to see the immediate need.

Many companies have experienced large changes. Mergers and acquisitions can create challenges for IT departments in finding ways to enable and secure access for users. The big difference between the mass change of 2020 and an M&A is time. This year’s version of change required near-instant enablement. A drawback to this rapid change is the loss of the security consideration.

The ‘just enable the users’ mentality can cause huge access risks if security objectives aren't considered. This is why I'm a big fan of automating access. When automation handles access, you can manage change quickly by just changing steps in the process – or better yet – set the process rules to detect change and adjust accordingly. For example, if a user’s status is changed to ‘remote employee’ in the HR system, an automated process can detect this and adjust their permissions accordingly. Other attributes, such as VPN access, or access to new or different cloud-based applications can be automatically updated simply from one action. Then, when (and if) it changes back, automation will re-enable the user to work from a corporate office setting.

The thing to remember when enabling access is to remove access that is no longer needed. Take Active Directory for instance. In the good old days of AD, helpdesks manually granted access via group memberships in AD. If a person moved departments, a call to the help desk would get someone to add group memberships to allow them access to shares and such. Sometimes, the helpdesk would leave them in the old groups for a transition period. Sometimes helpdesk folks would even remember to go back and clean up the old access. Keeping in mind, access determinations were at the discretion of the helpdesk operator (another reason I'm fan of automation is that it enforces decisions made by the security policy). Now consider this process when you flip the bulk of your workforce to remote workers. What access changes needs to be added AND removed?

To bring this ‘bounce back’ to a close, as the old AD admin that I am, I rely heavily on the automation of AD through One Identity Active Roles. The features and connectors give me the ability to take security policies, whiteboard what I need to happen, and implement through automation. This capability saves me time and money, but the greatest benefit is how this effect the overall security policy of the organization by making sure the users are enabled in exactly the right places.

Blog Post CTA Image

Anonymous
Related Content