![\"RobD\"](\"https:\/\/solutionsreview.com\/identity-management\/files\/2015\/08\/RobD-150x150.jpg\")
<\/p>\nBy Robert Doswell<\/p>\n
What would happen if access management disappeared overnight and we had to cope without it? What impact would this have on an organization and its information systems? Let\u2019s have a quick look at this scenario.<\/p>\n
We\u2019ll begin by recapping on what exactly access management means in the modern world.<\/p>\n
There are three closely related terms that cover the aspects of \u201caccess management\u201d; \u201cauthentication\u201d, \u201cauthorization\u201d, and their control \u2013 access management.<\/p>\n
With authentication the user simply proves that they are who they say they are. This could be a simple log on to a home PC, a log on to a corporate network or even a log on to a till in store. The most common form of authentication in these situations is via a username and password, or maybe a username and a PIN in the till situation. A stronger form of authentication couples the username and password with something physical, such as a card swipe, token or some form of biometric scan.<\/p>\n
Authorization follows once the user has successfully authenticated themselves. Even on the home PC, authorization has a role. A parent will undoubtedly have more control over their home PC compared with a child. Web content should be restricted for the child, where it may be open for the parent and the child\u2019s account should be limited to prevent system setting changes.<\/p>\n
In the corporate world, things get much more complex. Depending on the user\u2019s function, role and location, access rights, home drive locations, printer settings, etc. all change. Even in an SME this can quickly become complex. In large organizations, specialist access and identity management products are required to successfully manage this access management. In a nutshell, your authentication validates your authorization. By successfully authenticating a user, it can be guaranteed that the individual does not have too many rights, and they do not gain access to information that is not pertinent to them.<\/p>\n
Let\u2019s look at this from real world examples. We\u2019ll remove authentication and authorization from the picture completely and focus on situations where data has been compromised:<\/p>\n
Sony PlayStation \u2013 April 2011<\/strong><\/p>\n Following claims that hackers stole 2.2 million customer credit card details (including CVV\u2019s), Sony took the decision to take down the PlayStation network for more than a week.<\/p>\n eBay \u2013 May 2014<\/strong><\/p>\n Online marketplace eBay forced users to change their passwords following a cyberattack that compromised its systems.<\/p>\n Ashley Madison \u2013 August 2015<\/strong><\/p>\n The online adultery site suffered a huge data breach, with a list of their subscribers being leaked on the dark web. The media reported suicides as a consequence.<\/p>\n Although these firms suffered a compromise, the potential for data theft and its impact is identical if you remove access management. Users are privy to data they should not be. How many hospital workers have access to patient information? How many workers in financial markets have access to<\/p>\n personal bank accounts or credit card details? If access management didn\u2019t exist, none of the above could be controlled. Data leaks and fraud would be uncontrollable, and untraceable.<\/p>\n Physical Access<\/strong><\/p>\n Access management also covers physical access. In hospitals, users carry swipe cards to grant them access to specific areas of the hospital, again depending on their function, role and location. If access management disappeared, hospital workers, for example, would be free to roam wards, stock rooms, server rooms, etc. at will. There would be no control over drug access. No patient security.<\/p>\n Legislation and regulations<\/strong><\/p>\n If users are able to use a network with no authentication, it becomes impossible to comply with any form of legislation or regulation. It is impossible to identify who read a file, who accessed a database or even who processed a credit card transaction. Try and answer the question \u201cwho did what, where, when, and why?\u201d Impossible.<\/p>\n Licence Control<\/strong><\/p>\n In a modern Microsoft-centric network, access to applications is controlled via Group management; a simple way to control who has access to what. For example, a salesperson may be added to the group \u201csales.\u201d All members of the group \u201csales\u201d have access to Salesforce and the sales departmental share. As sales people come and go, by simply managing the sales group access to Salesforce is easily granted or revoked. However, without access management, users would individually need to request applications or all users could be given access to all applications. This either results in a situation that is unmanageable, or one that is extremely costly.<\/p>\nHow does this relate to access management?<\/strong><\/h4>\n