A World Without Access Management
By Robert Doswell
What would happen if access management disappeared overnight and we had to cope without it? What impact would this have on an organization and its information systems? Let’s have a quick look at this scenario.
We’ll begin by recapping on what exactly access management means in the modern world.
There are three closely related terms that cover the aspects of “access management”; “authentication”, “authorization”, and their control – access management.
With authentication the user simply proves that they are who they say they are. This could be a simple log on to a home PC, a log on to a corporate network or even a log on to a till in store. The most common form of authentication in these situations is via a username and password, or maybe a username and a PIN in the till situation. A stronger form of authentication couples the username and password with something physical, such as a card swipe, token or some form of biometric scan.
Authorization follows once the user has successfully authenticated themselves. Even on the home PC, authorization has a role. A parent will undoubtedly have more control over their home PC compared with a child. Web content should be restricted for the child, where it may be open for the parent and the child’s account should be limited to prevent system setting changes.
In the corporate world, things get much more complex. Depending on the user’s function, role and location, access rights, home drive locations, printer settings, etc. all change. Even in an SME this can quickly become complex. In large organizations, specialist access and identity management products are required to successfully manage this access management. In a nutshell, your authentication validates your authorization. By successfully authenticating a user, it can be guaranteed that the individual does not have too many rights, and they do not gain access to information that is not pertinent to them.
So what would happen if access management disappeared?
Let’s look at this from real world examples. We’ll remove authentication and authorization from the picture completely and focus on situations where data has been compromised:
Sony PlayStation – April 2011
Following claims that hackers stole 2.2 million customer credit card details (including CVV’s), Sony took the decision to take down the PlayStation network for more than a week.
eBay – May 2014
Online marketplace eBay forced users to change their passwords following a cyberattack that compromised its systems.
Ashley Madison – August 2015
The online adultery site suffered a huge data breach, with a list of their subscribers being leaked on the dark web. The media reported suicides as a consequence.
How does this relate to access management?
Although these firms suffered a compromise, the potential for data theft and its impact is identical if you remove access management. Users are privy to data they should not be. How many hospital workers have access to patient information? How many workers in financial markets have access to
personal bank accounts or credit card details? If access management didn’t exist, none of the above could be controlled. Data leaks and fraud would be uncontrollable, and untraceable.
Physical Access
Access management also covers physical access. In hospitals, users carry swipe cards to grant them access to specific areas of the hospital, again depending on their function, role and location. If access management disappeared, hospital workers, for example, would be free to roam wards, stock rooms, server rooms, etc. at will. There would be no control over drug access. No patient security.
Legislation and regulations
If users are able to use a network with no authentication, it becomes impossible to comply with any form of legislation or regulation. It is impossible to identify who read a file, who accessed a database or even who processed a credit card transaction. Try and answer the question “who did what, where, when, and why?” Impossible.
Licence Control
In a modern Microsoft-centric network, access to applications is controlled via Group management; a simple way to control who has access to what. For example, a salesperson may be added to the group “sales.” All members of the group “sales” have access to Salesforce and the sales departmental share. As sales people come and go, by simply managing the sales group access to Salesforce is easily granted or revoked. However, without access management, users would individually need to request applications or all users could be given access to all applications. This either results in a situation that is unmanageable, or one that is extremely costly.
Commercial interests
There are commercial organizations that have a great deal of interest in authenticating users, for example, publishers or a company like LinkedIn. These organisations may offer some of their content free of charge, but for a far larger part of their content the user must be able to authenticate himself or herself, and of course pay. If there was no access management, there would no longer be any ability to draw a distinction between free and paid content.
These are a few examples of the issues which might arise in a world without access management. And, of course, any number of other scenarios could be devised. A world without access management would certainly be a world with a lot of concerns.
Robert Doswell is managing editor of Tools4ever UK, part of the global provider of identity and access management solutions.