"Business technology news for Europe's senior executives...."
24 May 2011

Access control – a serious priority

By Paul Heiden

BHOLD Company | www.bholdcompany.com


Imagine this scenario: the brakes on a series of new cars fail and the car manufacturer responds with the comment “modern cars are so complex these days that it’s not surprising when something goes wrong in production.” People would be up in arms! But believe it or not, certain banks have tried to blame the complexity of their IT systems and processes when unauthorised transactions have caused huge losses. Governments have also used the same excuse when private data is made public. Whilst an organisation’s systems may be very complex, not even the most desperate lawyer would try to deflect blame on that argument alone.


These days IT systems are considered a production asset - just like the machines used in a production line at a car plant. IT systems are a key production asset for banks and governments. Logically, like any other production asset, management has to be responsible for the deployment, control and management of their IT systems. 

An organisation's user access processes determine how an employee uses the company's IT systems - what they should and can do within each system. These processes are increasingly referred to as Access Governance (AG). AG is not to be confused with Identity and Access Management (IAM), which allows IT Managers to ensure that all systems act in accordance with user access settings as prescribed by AG. IAM belongs to the realm of the plant manager, AG to the business.

The problem is, all too often the link between AG and IAM is broken. The way many companies grant access to information can be likened to requesting that a light be switched on by sending a postcard to the power supplier. The steps between decision and execution are numerous and lack transparency. What's more, the outcome is uncertain. You may or may not be granted light at the end of the process.

Should organisations give priority to mending the link between AG and IAM? Absolutely, because without it you're making an expensive production asset wait. That asset might be your employee, a recently hired consultant, a business partner or even a valued customer. Doesn't it make sense to give the person who notices it is getting dark permission to switch the light on without further interference?

If you need another reason for improving control over your IT systems, then compliance and liability should be reason enough. If your processes are broken or inefficient, they undermine control, and control is needed for compliance.

These days your management team must be able to prove it is in control of its production assets. Lack of control not only results in non-compliance and audit issues, but can also lead to liabilities. It doesn't matter whether the production asset is a machine or a bank's trading system; if you can't prove it has been properly managed, you incur liability.

So, for reasons of control and efficiency, businesses must manage access to their information systems. Luckily it is an investment that you'll see an immediate return on. Control is the stepping stone towards efficiency. Control means certainty that the right users get access to the right information; that the people who are able to submit expenses cannot approve them. With control you have reliable processes with predictable outcomes.

Access Governance prevents people from waiting, ensures control, proves compliance and enables an organization to respond to restructures or new business models. It is the "conditio sine qua non" for being able to rely on IT services like you rely on power. What is required are easy-to-use, accessible products that help organizations to establish control and shift the management of their systems from the IT department over to the business.

What organizations need is a true management console to manage access to information regardless of where that information sits. You can't even begin to consider cloud or collaborative business unless you control access.


Biography

Paul Heiden is BHOLD's founder. Paul started his career as an officer in the Royal Netherlands Marine Corps. Having obtained a master's degree in business and Roman law, he became legal counsel and frequently encountered the problem of controlling access to confidential information. In this period he developed the ideas on business-driven access control that became the foundation for BHOLD in 1997 and developed into BHOLD's leading business applications for access management today.

