The Genesis of Privileged Identity - The Creation and Evolution of The Superuser - Page 2
The Identity Management Lifecycle
IT folks are somewhat like the priest or the rabbi talking about the bible and conducting well-organized and inspirational services, but not necessarily understanding the history of the materials that they are presenting. Many of the true scholars of the area know information that may shock the flock and those that are leading the flock.
For IT staff, the shock would be if they knew how the process of provisioning and deprovisioning results in many open privileged accounts that can easily be compromised. The process starts with someone getting hired. With a great, wide, wonderful world of systems out there, from an empty mill machine on a factory floor or a key card to get you through the front door, all the way to an SAP system or a really complicated line-of-business system that was written decades ago by an unknown in-house developer, new accounts need to be created to give that employee access to these systems. Some systems may be Windows-based, some Linux-based. It's a smorgasbord.
So, when HR brings someone on board, it faces a governance and access problem: getting that person enrolled in every system they need. The difficulty is that with all these systems out there--legacy and new--you've got to figure out not only what systems they need to access, but what kind of access they're entitled to. In the Windows world it is fairly easy. You just use Active Directory to classify employees in roles for the applications and level of privilege they need and you're done. When they leave the company, you delete them from Active Directory, and when they change roles you change their group membership. But enterprise applications creep far beyond the Windows platform and that's the problem. You've got all of these other cultures and religions to deal with as well--and believe me, other operating systems are religions--plus the cult of SAP and Salesforce to think about.
And while many applications do have Active Directory connectors built into them, the dark secret of it all is that these connectors don't work all that well. Further complicating things, when a company adds new systems, takes systems away or updates them, almost universally these provisioning systems stop working and that ends up leading to more manual work. Over time, these systems just fall apart.
One of the most common reasons the systems fail to work is the problem of paperwork. When someone leaves or joins the company there's usually a mountain of paperwork involved and there is a workflow that has to be taken care of that is partially manual and partially electronic. Now, when people come into the company, their bosses are screaming for access and that becomes top priority. But when they leave, the sense of urgency just isn't there.
Similarly, when employees change jobs the demand from up top is for new access, but no one pressures for the old access to be turned off. So you run into a queuing problem where you can go into any given organisation and potentially see hundreds of people who have been discharged or who have changed their roles, and there is one HR person who has to go through the paperwork and go into the systems to get rid of their accounts. A backlog inevitably grows. People forget about accounts that are orphaned and left open to be used by the previous employee or anyone else who knows about the account. The danger is that not only are there low-level accounts in this backlog but also privileged accounts with a direct pipeline into the company's most important IT assets.
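As an added example (not from the original article), here is a small Python reconciliation that joins an HR roster against account exports from several systems and lists the enabled accounts the backlog described above leaves behind, privileged ones first; the role-to-group entitlement model, the group names and the sample records are all constructed for illustration.

```python
"""Reconcile an HR roster against account exports to find the deprovisioning backlog."""
from collections import namedtuple

# Assumed entitlement model (constructed): the groups each job role may hold.
ROLE_ENTITLEMENTS = {
    "dba": {"domain-users", "sql-admins"},
    "analyst": {"domain-users", "reporting-readers"},
}
# Groups treated as privileged; findings on these sort to the top of the work list.
PRIVILEGED_GROUPS = {"domain-admins", "sql-admins", "sap-basis", "wheel"}
Person = namedtuple("Person", "user_id role status")  # status: active | terminated
Account = namedtuple("Account", "system user_id enabled groups")

def reconcile(people, accounts):
    """Return (system, user_id, privileged, reason) for every enabled account whose
    HR owner is missing, terminated, or holds groups beyond the current role."""
    roster = {p.user_id: p for p in people}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deprovisioned; nothing to chase
        owner = roster.get(acct.user_id)
        if owner is None:
            reason = "no HR owner"
        elif owner.status == "terminated":
            reason = "owner terminated"
        else:
            extra = acct.groups - ROLE_ENTITLEMENTS.get(owner.role, set())
            if not extra:
                continue  # access matches the current role
            reason = "groups beyond role: " + ", ".join(sorted(extra))
        privileged = bool(acct.groups & PRIVILEGED_GROUPS)
        findings.append((acct.system, acct.user_id, privileged, reason))
    # Privileged leftovers first, then by system and user for a stable work list.
    findings.sort(key=lambda f: (not f[2], f[0], f[1]))
    return findings

def sample_findings():
    """Constructed roster and account exports standing in for HR and system dumps."""
    people = [Person("alice", "dba", "active"), Person("bob", "analyst", "terminated"),
              Person("carol", "analyst", "active")]
    accounts = [
        Account("ad", "alice", True, {"domain-users", "sql-admins"}),    # matches role
        Account("ad", "bob", True, {"domain-users", "domain-admins"}),   # left, never disabled
        Account("sap", "carol", True, {"sap-basis"}),                    # role changed, old rights kept
        Account("linux-build", "dave", True, {"wheel"}),                 # nobody in HR owns it
        Account("ad", "frank", True, {"domain-users"}),                  # orphaned but low-level
        Account("sap", "erik", False, {"sap-basis"}),                    # properly disabled
    ]
    return reconcile(people, accounts)
```

In practice the roster comes from the HR system of record and each account list from that system's own export, so the same join works whether the target is Active Directory, a Linux host or SAP.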