Can You Prevent Access Risks Before They Happen?
Authored by Alex Gambill
Preventing access risks is like building defenses for a castle. There are ramparts that form a perimeter and a moat to deter invaders because it’s a lot easier to keep enemies out than to remove them once they’re in. Trying to rid a system of risks after threats have been detected is analogous to building a moat around a castle after the enemy is inside.
We can think of identity security as the moat that forces users through a checkpoint that controls entry. User identification is the most relevant security safeguard, but unseen risks could also be present. For example, conflicting access permissions could lead to serious violations later if not initially identified. This is why access provisioning is the first – and most important – step in risk prevention, especially when it involves business and ERP systems that are the lifeblood of an organization.
To ensure that access risks are prevented before access is granted the SailPoint Identity Security Platform now provides preventive risk simulation. With the integration of SailPoint Access Risk Management (ARM) organizations can perform a “what-if” separation-of-duties (SoD) analysis as a part of the user access request process. Organizations now have the ability to stop risks before they start by simulating risks for any user — before access is provisioned.
By incorporating this important access risk simulation and analysis into the provision workflow organizations can ensure that this critical step is not missed. It also speeds up and instills greater confidence that access is always appropriate and compliant, which is not achievable with manual analysis.
The integration also provides a deeper level of separation-of-duties (SoD) visibility, which is critical for managing complex systems. In SAP, for example, users are assigned roles via access to transaction codes that control each screen they can view. There are also authorization objects that control what a user can do on every part of that screen. But without an understanding of risks down to this granular level, it’s impossible to get a full and accurate picture of all access and potential risks.
Simulated risk analysis during provisioning can also help prevent “privilege creep,” which is where access rights inadvertently accumulate over time as employees are promoted, change job responsibilities, or are re-assigned. The failure to remove previous access rights before granting new permissions is a major contributor to so-called bloated access. Having too much access (i.e., the lack of SoD) can set up potential conflicts of interest and ultimately make it easier for users to commit fraud. This is why the ability to perform risk simulation at the time of provisioning allows companies to make better, more risk-aware approval decisions.
Now is the time to build that moat around your most critical business and ERP systems, and take the next step to prevent risks from invading your organization. By automating risk simulation within the provisioning workflow, you can simultaneously decrease risks and reduce the time it takes to provision users — two key objectives of identity security and access management.
Learn more about how you can predict SoD access risks and simplify GRC with SailPoint Access Risk Management.