Ensuring compliance and improving IT security are not the only benefits for organizations that adhere to the information security standards and regulations on access and identity control outlined in, for example, ISO 27002 and the EU GDPR.
By Santeri Kangas, Omada CTO
Standards and regulations on identity and access management require organizations to keep a tight ship when it comes to end-user provisioning. Allocating access rights and privileges when onboarding and off-boarding employees and contractors, and updating existing users’ rights, is – quite rightly – considered a key discipline in protecting data, users, customers and the business from the consequences of data leaks and hacks.
From a security and compliance perspective, it is paramount to have full and updated visibility and control of who has access to data, applications and systems. With visibility and control, the organization is able to respond appropriately to security risks and incidents, prioritize remediation and mitigation efforts, and document and understand the actual state of access rights.
Keeping track of and controlling access to data, systems and applications cannot be done manually in today’s digitized business environments – it requires automated identity management and access governance tools to continuously provision users with the rights and privileges they need (or no longer need) to do their jobs.
The upside is that, while regulatory compliance and security concerns continue to drive many user-provisioning implementations, there are also large efficiency and cost-saving benefits to be had from automated provisioning:
Less software over-spending and true-up penalties with efficient provisioning
Where provisioning of rights and licenses can happen instantly, as it can in organizations that have a well-oiled identity and access management machine in place, no more than the right number of people will be using the software at any given time, matching the licenses held by the company.
When the organization strikes a perfect balance in ensuring that just the relevant people are provided with no more than the software licenses they are entitled to, and need, in order to do their jobs, the organization wins on two fronts:
- Over-spending is minimized – the organization always has a full and updated overview of users and software licenses in use. Software license overspending on “shelfware” – unused licenses – represents a large chunk of a company’s software spend.
- License compliance is also made more efficient and cheaper – large software vendors’ costly and time-consuming practice of auditing customers of all sizes for software license compliance is something most organizations dread.
The audit fees and ‘true-up’ penalties organizations incur for unlicensed over-usage of the vendor’s software can be notably reduced if the organization has continuous and full visibility into the number of users of a specific piece of software, and is able to document usage to the software vendor.
The 2016 report “The State of the (Software) Estate” from software asset management leaders Flexera Software documents that most organizations are unnecessarily wasting significant portions – as much as 25 percent – of their enterprise software budget. So looking for ways to optimize user provisioning and software licensing is a good place to start for organizations that want to spend a little less.
Higher degree of accuracy with fewer resources
Through automated identity management, it is possible to achieve a far higher degree of accuracy and agility in software licensing processes, remove redundant practices, reduce human error, and improve the relevance and diligence of company IT procedures and policies.
Automation reduces the time-consuming and resource-intensive processes related to access to IT systems. Through business-enabling processes that facilitate and provide user provisioning and administration according to company policy, it is possible to streamline management of software licenses and improve documentation.
By ensuring current and valid approval of all users, accounts, and access across any system – outsourced or self-managed, on premise, hosted, or in the cloud – compliance with security standards for access control is achieved.
Plus, you’ll save a pretty penny, too!
If you have questions or comments, feel free to drop me a line.
About Santeri Kangas: Omada CTO Santeri Kangas has 25 years of experience in cybersecurity and cloud computing, and a commendable track record in building award-winning security software products for consumers, operators and enterprises.