The importance of secure identity and access management solutions to enterprises today is well recognised. Therefore it is relatively simple for organisations to ensure that employee access to the company premises or even to specific technical systems is properly governed.
However, despite this, the question remains as to what the business can do about non-employees of any kind who may require access. After all, most large enterprises find that at any given time, there are multiple non-staff members that have access to the company’s systems, not to mention offices.
However, as non-employees, it is far more difficult for the business to securely manage their identities, creating a much larger risk of exposure. This is because the non-employee effectively becomes an insider within your organisation, and yet they are not managed with the same stringencies the business would apply to its own personnel.
This is particularly worrying given the widely acknowledged fact that, as security challenges go, the internal threat is far greater than the threat from outside. For this reason, it is not unreasonable to expect external parties to have their identities managed in a manner that is commensurate with the levels of access and privilege they receive. The question is, how does an enterprise ensure that this is done properly?
Inobits provides the answer, with its unique x-Registration System (xRS)
Employing xRS provides an enterprise with a registration solution that serves as the single source of truth for all non-staff identities. In other words, everyone who requires access to the corporate premises and internal systems can be registered using this solution, without having to go through an arduous human resources process.
Moreover, xRS provides a single, authoritative source not only for non-permanent staff, contractors, vendors and visitors; it also does the same for the service accounts that govern machine-to-machine interactions.
What makes xRS different?
Inobits has designed the xRS solution to enable the simple, easy and secure registration and deregistration of non-staff access to premises, systems and other security-sensitive areas of the business.
When needing to register and manage Supply Chain Identities, xRS is the only tool available to do so successfully and in a compliant manner. Such management incorporates all aspects of a contract, including the start and end dates of agreements.
In addition, xRS is designed to ensure that access is granted to the right people at the right time, and that such access is also taken away when a contract has expired or been terminated. This system is ideal for also verifying whether specific contractors are actually still ‘active’.
Moreover, the solution is equally adept at managing access to service accounts, provides complete audit trails and as such is fully compliant with existing privacy legislation.
What makes xRS indispensable to organisations is the fact that it allows an executive to have a real-time snapshot of their contracting environment, allowing them to manage it accordingly. And being electronic in nature, it allows administrators to move away from the traditional siloed approach – typically utilising spreadsheets – of managing Supply Chain Identities and other visitors to the company and instead adopt a more efficient, effective and compliant method of doing so.
Supply Chain Identities
Supply Chain Identities are the identities of the multitude of vendors, suppliers and contractors that form part of an organisation’s operating arrangements. This includes engagements with other companies that may provide people as part of these arrangements, and encompasses contractors, external workers and day visitors.
For the management of these various external identities, xRS provides the ideal solution, as it offers a standardised repository for identity information across all supply chain partners and across all organisational business units.
This type of management is crucial, since such Supply Chain Identities are almost never managed by HR, Payroll or Time and Attendance solutions. This is usually due to the fact that the arrangement is through a supply chain agreement, as opposed to an internally managed staff-based management system like an enterprise resource planning solution (ERP).
So why, then, is this type of management considered so crucial? It is the simple fact that once these Supply Chain Identities are managed as comprehensively as the internal staff, it allows the enterprise to become that much more mature from a compliance, security and automation perspective.
Furthermore, xRS becomes an enabler for additional projects, such as the automatic provisioning and de-provisioning of Supply Chain Identities, based on the start and end dates of the relevant supply chain agreements. Critically, xRS can also facilitate the timely re-verification of the existence of these Supply Chain Identities.
The proper and correct management of the company’s Supply Chain Identities therefore means effectively managing, and thereby reducing, the potential risk of exposing non-authorised identities to key business systems.
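The provisioning, de-provisioning and re-verification driven by agreement dates, as an added example (not Inobits' xRS code): it assumes an engagement record of identity, role, area, sponsor, start/end dates and a last-verified date, and reconciles that registry against the access grants actually present in a target system.

```python
"""Reconcile a Supply Chain Identity registry against live access grants.

Added example, not Inobits code: the engagement schema (identity, role, area,
sponsor, start/end dates, last re-verification date) is assumed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Engagement:
    identity: str        # registered non-staff person or service account
    role: str            # role granted for this engagement
    area: str            # business unit or system the role applies to
    sponsor: str         # internal approver of the start and end dates
    start: date
    end: date
    last_verified: date  # when the sponsor last confirmed the identity still exists

def is_active(e, today):
    """An engagement grants access only between its approved dates, inclusive."""
    return e.start <= today <= e.end

def reconcile(engagements, live_grants, today, reverify_after=timedelta(days=90)):
    """Compare what the registry says should exist with what is actually granted.

    live_grants: set of (identity, role, area) tuples read from the target
    system (e.g. group membership). Returns the actions an administrator owes.
    """
    expected = {(e.identity, e.role, e.area) for e in engagements if is_active(e, today)}
    provision = sorted(expected - live_grants)    # approved but not yet granted
    deprovision = sorted(live_grants - expected)  # expired, terminated or never registered
    reverify = sorted(e.identity for e in engagements
                      if is_active(e, today) and today - e.last_verified > reverify_after)
    return {"provision": provision, "deprovision": deprovision, "reverify": reverify}

# Constructed sample data: one expired contract, one active vendor, one day visitor
ENGAGEMENTS = [
    Engagement("contractor-a", "build-site", "facilities", "sponsor-x", date(2013, 1, 1), date(2013, 6, 30), date(2013, 3, 1)),
    Engagement("vendor-b", "db-admin", "finance", "sponsor-y", date(2013, 2, 1), date(2013, 12, 31), date(2013, 2, 1)),
    Engagement("visitor-c", "guest", "reception", "sponsor-x", date(2013, 7, 1), date(2013, 7, 1), date(2013, 7, 1)),
]
LIVE_GRANTS = {  # constructed: what the target system currently grants
    ("contractor-a", "build-site", "facilities"), ("vendor-b", "db-admin", "finance"),
    ("orphan-d", "db-admin", "finance"),  # nobody in the registry sponsors this one
}

def sample_report():
    """Run the reconciliation for the sample data as at 1 July 2013."""
    return reconcile(ENGAGEMENTS, LIVE_GRANTS, date(2013, 7, 1))
```

The expired contractor and the unregistered account both land in the de-provision list, which is the "non-authorised identities on key business systems" risk the section describes.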
Visitors: daily and delegates
Recently promulgated legislation means that corporates need to be more cautious with visitor information. Although such information is required for legal purposes, the Protection of Personal Information (POPI) Bill stipulates firstly that organisations cannot collect information that is not going to be used and secondly that any sensitive information that is collected needs to be properly protected.
With the traditional visitors’ book, commonly used at most enterprises, every visitor entering their personal information into the book can also see all the previous visitors’ information. To overcome this problem, the xRS system has been designed to electronically and securely replace the physical visitors’ book.
Moreover, it is designed to integrate with identity management software and the enterprise service bus. Furthermore, the engagement template is customisable, allowing lists of attributes to be set, as well as approval paths and notification templates. Rules can also be set regarding which attributes are editable and when, as well as rules governing who can see which attributes.
Finally, Excel-based reports of all engagements can be obtained by the relevant department, while additional reports can easily be created in Reporting Services.
There is no doubt that the POPI legislation is going to cause multiple headaches within enterprises. While there is no single silver bullet to solve all these compliance issues, utilising xRS will at least mean that the issues around visitor information will be POPI compliant.
IT Resources: service accounts, groups and entitlements
There are numerous machine-to-machine interactions that are governed by service accounts, which enable these systems to function correctly. These service accounts are a standard part of the installation process for operating systems, databases and applications. They are utilised by system administrators to perform their jobs, by granting them special system privileges.
The problem lies in the fact that privileged accounts generally have very little accountability, since they do not belong to an individual user, instead being shared by a range of administrative employees. Moreover, since these accounts have elevated access rights, they enable those with access to bypass internal controls, which in turn could enable such users to breach confidential information, change transactions and destroy audited data.
However, although identity management and access governance have matured to the point where these technologies enable businesses to effectively manage their people risk, the trouble with privileged and service accounts is that they are not linked to people.
The simple answer to this challenge, then, is to link these service accounts to people. The xRS system can not only keep track of exactly who has permissions to access these accounts, but is able to create a complete audit trail, as well as determining who the owner of this particular service account is and linking it directly to this individual.
In addition, the xRS solution can be used to change the password at regular intervals, to something no human would know, and to then store this centrally, checking the password out to a user only when it is required.
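The owner-linked, check-out-only handling of service account passwords described above, as an added example (not Inobits' xRS code): the vault class, its rotation policy and the shape of the audit record are assumptions, and timestamps are plain day numbers to keep the illustration short.

```python
"""Owner-linked service-account vault with check-out and an audit trail.

Added example, not Inobits code: vault, rotation policy and audit record
shape are assumed; `now` is a day number rather than a real timestamp.
"""
import secrets

class ServiceAccountVault:
    def __init__(self, rotate_every_days=30):
        self.accounts = {}  # name -> owner, allowed users, secret, rotation day, holder
        self.audit = []     # append-only: (day, actor, action, account)
        self.rotate_every_days = rotate_every_days

    def register(self, name, owner, allowed, now):
        """Link the account to a human owner and the users permitted to use it."""
        self.accounts[name] = {"owner": owner, "allowed": set(allowed), "secret": None,
                               "rotated": None, "checked_out_by": None}
        self.rotate(name, now)

    def rotate(self, name, now, actor="system"):
        """Set a random password no human knows; only the vault stores it."""
        acct = self.accounts[name]
        acct["secret"] = secrets.token_urlsafe(24)
        acct["rotated"] = now
        self.audit.append((now, actor, "rotate", name))

    def checkout(self, name, user, now):
        """Release the password only to a permitted user, one holder at a time."""
        acct = self.accounts[name]
        if user not in acct["allowed"]:
            self.audit.append((now, user, "denied", name))  # refusals are evidence too
            raise PermissionError(f"{user} may not use {name}")
        if acct["checked_out_by"] is not None:
            raise RuntimeError(f"{name} already checked out to {acct['checked_out_by']}")
        if now - acct["rotated"] > self.rotate_every_days:
            self.rotate(name, now)  # overdue rotation happens before release
        acct["checked_out_by"] = user
        self.audit.append((now, user, "checkout", name))
        return acct["secret"]

    def checkin(self, name, user, now):
        """Return the account; rotating immediately makes the user's copy useless."""
        acct = self.accounts[name]
        if acct["checked_out_by"] != user:
            raise RuntimeError(f"{name} is not checked out to {user}")
        acct["checked_out_by"] = None
        self.audit.append((now, user, "checkin", name))
        self.rotate(name, now)
```

Every release and every refusal is tied to a named person in the audit list, which is the accountability the text says shared privileged accounts otherwise lack.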
xRS case study
Stellenbosch University boosts identity management with xRS
The University of Stellenbosch is one of the oldest tertiary education institutions in South Africa, boasting a total of ten faculties spread over five campuses. By the beginning of 2013, the university had a student population of some 28 000, including more than 3 000 foreign learners, a lecturing staff complement of nearly 1 000 and some 50 research and service divisions.
Controlling the identity management aspects of such a large body of people is obviously not easy, particularly when one takes into account the many and varied non-affiliated people who may be on campus at any one time. Such individuals include part-time students, visiting professors, guest lecturers and any number of civil, building and IT contractors who may have been commissioned to do a specific job on-campus.
Although the university utilises a student management system for controlling full-time learners, as well as an HR system for managing its paid employees, these are legacy systems that have been in use for many years. Furthermore, says Andrew Whittaker, Ubusha Solutions Architect and Business Analyst, these systems are entirely internally-focused – the university has no way of managing visitors, guests or external contractors in any way.
“Stellenbosch turned to Ubusha to assist it in solving the challenge of how to effectively identify, manage and control access for those people that are not students or employees, and therefore are not managed by the existing systems. We understand the importance of ensuring that external parties have their identities managed in a manner that is commensurate with the levels of access and privilege they receive, which is why we recommended our partner Inobits’ unique x-Registration System (xRS),” he says.
“Employing xRS provides the university with a registration solution that serves as the single source of truth for all non-staff identities. In other words, everyone who requires access to the premises and internal systems can be registered using this solution, without having to go through an arduous human resources process.”
The xRS solution, he adds, spoke to all three core issues the university was seeking to solve, namely the need to identify, control and manage access for all people related to the university. Following its implementation, the xRS solution enabled the simple, easy and secure registration and deregistration of non-staff access to premises, systems and other security-sensitive areas of the institution.
“What makes xRS so successful is that it is designed to ensure that access is granted to the right people at the right time, and that such access is also taken away when a contract has expired or been terminated. The system is also ideal for verifying whether specific individuals – be they contractors working on a building or visiting professors – are actually still ‘active’.”
Whittaker points out that the initial scope of the project for which Ubusha and Inobits were commissioned was actually quite different. However, once the university witnessed the value the xRS solution offers, it actually altered the project scope.
“What makes xRS so useful is that one can not only register an identity, one can also provide a key for this identity. Then, one is able to specify an engagement which links this identity to a particular role in a particular area of the institution. This, in turn, is then linked to a sponsor, who approves the start and end dates of the specified role.”
“This is particularly important in relation to new legislation such as the Protection of Personal Information (POPI) Act, since organisations are only meant to gather a certain amount of information about what the person is doing at the institution. Furthermore, they are only allowed to keep such information while it remains relevant.”
Since xRS can do both the gathering and the deletion of such information automatically, suggests Whittaker, it is ideal for complying with the new legislation.
“Stellenbosch University is a very mature entity in an IT context, and the adoption of xRS continues this trend, as it means they are now not only able to effectively manage the students and employees that make up around 60% of the people on campus, but also the other 40% that traditionally fall outside of this ambit,” he concludes.