Some have it, and don’t know how to use it optimally – some need it, but don’t know it. What about you?
With this article we will give you a little insight into the world of Identity and Access Management (hereafter IAM), show factors of IAM and briefly explain why an IAM solution makes sense.
What is a IAM?
To understand why you need an IAM, you first need to know what it is. An IAM helps manage access rights and user identities. It allows you to track and determine which user needs access to what, when, and how it can be granted. It is a role- and rule-based system that assigns rights to users by means of digital identity. This increases the efficiency and effectiveness of processes.
Onboarding, for example, can be accelerated through automated processes and the new employee, who is immediately noted in the system, is given the required access rights from day one. The IAM can be connected to the HR system via an interface and pull the relevant master data from there. This makes a good impression on the newcomers right from the start ;-).
An IAM improves security and data protection in the company. The control of access rights allows precise control of which employee gets to see what. This ensures that everyone only has access to the data that is relevant to their work processes. This measure to prevent data leaks and violations of the Data Protection Act, are welcome when auditing processes (so here, too, can score points with the IAM). Trade secrets laws are respected and the risk of system attacks from internal sources is minimized.
Another advantage is the overview of the corporate structure and control options. With a better overview, undesirable structures can be tracked down and eliminated. Shadow IT no longer has a chance to continue…
Opportunities through IAM
IAM is not just an IT issue. (If you thought that so far, then by all means read on!) It is a system that works globally at all levels of the company. From IT, to HR, to management/board. Therefore, the mandate for an IAM should come from the board to IT and HR.
In order to implement and use an IAM solution efficiently and profitably, you should consider the following points:
- Rights assignment and access rights: Here you should proceed according to the need-to-know principle. Who needs to know what for their work? Only this information should be shared with the people. This ensures data protection, as well as business secrecy. Information can be divided into categories. For example, it is harmless if every employee can see the meal plans of the different locations. However, not every employee should be able to see the addresses of colleagues.
- Application area: Accesses and systems should be classified for each area of the company. What task is performed here and for which employees could this be relevant? For highly critical areas, it may even be necessary to use Privileged Access Management (PAM). For example, when it comes to admin access for the highly critical internal IT infrastructure or a closed area in the clinic. Here, access is only granted for a short time window and the activities performed by the person are logged in detail.
- Cloud/on-Premises System: Analyze the way the company works. Is a cloud or on-premises solution a better fit? Or perhaps a hybrid solution? How would your company like to position itself in the future?
- Number of applications: Be aware of which systems should and must be connected. Then create a prioritization list of systems according to criticality and data protection criteria. Which systems should be connected first?
- Interfaces with systems: This point also has to do with the selection of the systems to be connected. To connect large company-relevant systems, you must first perform a risk analysis. All authorized personnel access must be justified. In addition, you should compare your IAM with the existing interfaces of the applications already in place to find out where a connection is possible with little technical effort.
- Group structure: Do you employ subcontractors? How do you maintain the master data of your employees and temporary workers? Usually, two different master data systems are used for this purpose. Salaried employees are maintained in the HR system, temporary workers in the External Workforce Management system. Both systems can be connected to the IAM and access can be controlled in this way. For example, the cleaner is not directly employed by the company, but still needs access rights to many rooms.
- Locations: It is also important to consider the legal entities. Depending on the country where the site is located and the corporate form the company is subject to, there are different requirements. You need to consider the data protection agreement between countries, as well as termination rights, taxes, salaries and access rights. Here, different rules must be followed depending on the country.
- Cost & Benefit Factor: If the number of employees exceeds 2000, it is usually worthwhile to use manual processes for IAM. However, there are also exceptions for certain areas, e.g., areas that are subject to special or many regulations.
- Privacy: Protected information may only be accessible to employees who can demonstrate authorized data access. Here again, the need-to-know principle must be applied. Gender-appropriate master data maintenance also needs to be considered. Is it absolutely necessary to make the gender of an employee visible? Is it even necessary to store a form of address in some systems?
- Workflows: Work processes, such as onboarding, can be established in the IAM. These stored work processes are standardized and automated. This allows time to be used more efficiently and dynamically. Once the HR system is connected to the IAM, it can send information about new employees to the IAM. In the IAM, necessary accesses are stored and approved for the new employees. Department changes and rights withdrawals can also be automated via the IAM. In addition, a grace period can be set in the IAM, which is a waiting period/blocking period to make the transition smoother in the event of a department change and to give the employee the opportunity to still finish a work order. With the help of the IAM, the trainee problem can also be avoided. Employees can no longer accumulate rights and security and privacy policies can be better met.
- Legal Requirements: Everyone knows it: The EU General Data Protection Regulation (GDPR). You have to comply with this and possibly others in any case. Depending on the countries in which the company locations are located, other regulations apply. You must consider exactly what data is processed for what purpose and only the necessary personal information may be collected. In addition, data storage and the stored data must be maintained. A properly implemented IAM will also help you with an audit and ISO certification.
- Data quality: The master data quality and the correctness of the master data are important. The data to be further processed must always be up-to-date and correct. Here, close cooperation with HR and external workforce is required. Only if the nature of the collected master data as well as its use for controlling is clear, can an IAM with automated processes score
We help you
You realize that there is a lot to think about and the introduction is not as easy as you might have thought at the beginning. We are here for you and support and advise you on all the issues that concern you. So, feel free to come to us and we will help you out of the vortex of questions and bring you on the safe IAM island :-)!