3 steps to improve identity and access management without undermining productivity

 


A solid IAM program ensures the right users have the right access to the right applications without compromising security.

Today’s government IT professionals set rules that provide users with access rights, improving workflows while protecting agencies against threats. Unfortunately, the prevalence of mobile devices and cloud-based applications has made it increasingly difficult to establish those controls. This has led to significant security and compliance challenges, particularly surrounding identity and access management (IAM).

Agencies still find themselves dealing with the aftereffects of the bring-your-own-device revolution. Mobile devices and cloud services have increased efficiency and reduced costs, but they’ve also made it tougher for IT teams to get a handle on network activity. Employees are turning to many different applications -- some of which may be considered unsanctioned “shadow IT” apps -- and will often request access rights to get around what they consider security roadblocks. Those rights might be granted by IT managers who don’t have the time or resources to check everyone’s credentials or clearance levels.

Some employees even leave their agencies with access rights still intact. Whether it’s employees leaving for other jobs or a silver tsunami of retirees, it can be difficult to keep track of who still has privileges.

All these factors contribute to an increase in accidental or intentional insider threats that can pose significant risk for data loss. According to a recent SolarWinds federal cybersecurity report, careless or untrained insiders are the largest source of security threats for government agencies.

IT managers must develop IAM policies to protect their agencies without undermining workplace efficiency and productivity. Here are three steps managers can take to gain better control of their agencies’ security postures without impeding their colleagues' workflows.

1. Audit who has access and what they’re accessing. This is virtually impossible to do manually; there’s too much to consider and limited resources with which to work. But automated monitoring can help teams gain a good perspective on which applications are being used and who’s using them.

Managers can start by scanning their Active Directory and file servers to analyze user access to systems, files and data. This process can help identify unknown users and those who have been inadvertently granted access rights to data outside their purview. It can also uncover users who may no longer work for the agency yet still have access rights to the network.

2. Set up role-specific templates aligned with security policies and enforce a policy of least privilege. Inevitably, users will get promoted, move to different teams and increase their responsibilities. In anticipation of these events, IT managers should incorporate an overall policy of least privilege that can be enforced on a case-by-case basis. Does a particular employee still need access to a specific application? Does that IT staffer really need access to all of the agency’s servers, or just the 10 for which she's responsible? Providing access privileges for only what’s necessary can go a long way toward keeping things under control.

Setting up role-specific templates aligned with the agency’s security policy is a good way to manage this process. For example, a CIO might have widespread access to various applications and tools, but a senior manager might be granted more restricted access. Whenever employees' roles change, their access must also change to reflect their new responsibilities. This helps ensure access privileges correspond with the agency’s security policies.

3. Shine a light on shadow IT. It’s not just users IT needs to worry about; it’s also the applications they’re using. Monitoring can also shine a light on the applications users might be accessing without knowledge of the IT department. Applications posing risks can be disallowed, while those deemed safe can continue to work yet be closely monitored to ensure they remain secure. Or, applications that may once have been deemed questionable, but have proved helpful for some users, can be reassessed and authorized if they pose no threat.

IT professionals can’t secure what they can’t see. Shining a light on all of the applications being used can offer a clear understanding of what’s going on, so they can better secure their networks. This is particularly important for file-sharing services that could increase the risk of data loss.
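The three checks above can be run as one access review over exported data. The sketch below is an added example, not code from the article or from any vendor tool; every user, role, application and server name in it is constructed sample data, and the inputs stand in for a directory scan, an HR roster and application usage logs.

```python
"""Access review over constructed sample data (all names are hypothetical)."""

# Role templates: the entitlements each role is allowed to hold (step 2).
ROLE_TEMPLATES = {
    "cio": {"hr-app", "finance-app", "case-mgmt", "admin-console"},
    "senior-manager": {"hr-app", "case-mgmt"},
    "sysadmin": {"admin-console", "srv-01", "srv-02"},
}

# Current staff and their roles, as an HR roster export would list them.
HR_ROSTER = {"alee": "cio", "bkhan": "senior-manager", "cdiaz": "sysadmin"}

# Accounts and entitlements, as a directory/file-server scan would report them.
DIRECTORY = {
    "alee": {"hr-app", "finance-app", "case-mgmt"},
    "bkhan": {"hr-app", "case-mgmt", "finance-app"},  # kept after a role change
    "cdiaz": {"admin-console", "srv-01", "srv-02", "srv-09"},
    "dmoore": {"case-mgmt"},  # no longer on the roster
}

SANCTIONED_APPS = {"hr-app", "finance-app", "case-mgmt", "admin-console"}

# Observed application use as (user, app) pairs, e.g. from proxy or SSO logs.
APP_USAGE = [("alee", "hr-app"), ("bkhan", "filedrop-x"), ("cdiaz", "filedrop-x")]


def review_access(directory, roster, templates):
    """Return (orphaned accounts, {user: entitlements beyond the role template})."""
    orphaned = sorted(u for u in directory if u not in roster)
    excess = {}
    for user, granted in directory.items():
        if user in roster:
            # A role with no template allows nothing, so all access is flagged.
            extra = granted - templates.get(roster[user], set())
            if extra:
                excess[user] = sorted(extra)
    return orphaned, excess


def unsanctioned_usage(usage, sanctioned):
    """Return {app: sorted users} for apps not on the sanctioned list (step 3)."""
    found = {}
    for user, app in usage:
        if app not in sanctioned:
            found.setdefault(app, set()).add(user)
    return {app: sorted(users) for app, users in found.items()}


if __name__ == "__main__":
    print(review_access(DIRECTORY, HR_ROSTER, ROLE_TEMPLATES))
    print(unsanctioned_usage(APP_USAGE, SANCTIONED_APPS))
```

Flagged items are review candidates rather than automatic revocations: an unsanctioned application may be reassessed and authorized, as step 3 describes.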

Avoiding unwanted friction and preserving productivity

Managers can be forgiven for perhaps wanting to take an “all-or-nothing” security approach and block wide swaths of applications, users and devices. Yet that's not a practical approach -- it can lead to unwanted friction between government employees and IT staff and undermine agencies’ ability to take advantage of the many benefits provided by cloud-based applications.

Creating a solid IAM program is a much better option. It ensures the right users have the right access to the right applications without compromising security. That’s a win-win for everyone.
