Projects around identity and access management (IAM) are usually managed by IT departments. Sometimes there is a lack of consideration for business needs when it comes to access management. When the setup of roles and authorizations is not handled thoroughly, end users end up with broader access than they need, generating risks for the organization.
We also see a lack of governance and procedures when it comes to roles and authorisations management. As time passes, an initial framework can regress mainly due to:
- A complex ERP and software environment with more and more end users
- Evolution of roles due to business needs, generating segregation of duties (SoD) issues that are not being considered.
- The technical management of authorisations takes a lot of time for the administrators:
  - They manage a lot of access requests, sometimes without management approval and without,
  - They multiply manual, low-added-value tasks such as user access provisioning, password resets, etc.
Considering these aspects, regulators, external auditors and investors expect companies to cover risks related to access management and segregation of duties. This is now also on the radar of internal functions like compliance, internal control and internal audit.
The challenges around these topics are well known to our IAM, authorizations and GRC experts. We are supporting several clients on the implementation of a compliant and secure access rights management process including authorisations management, SoD and user life cycle management.