What is the law?
The new European GDPR has prompted many businesses to move forward in the field of IT security, and there has been a real boost in innovation. One topic that stands out among the numerous measures that need to be taken is user and permission management.
Access control is about preventing unauthorized access to IT systems outside the scope of authorizations which are actually necessary. This means that companies must ensure that employees only have those access rights within an IT system which they actually need in order to perform their current job tasks.
In addition, the standard requires transparency in the process of assigning these access rights: the responsibility for approving permissions (held by the respective department heads) must be separated from the actual assignment of permissions (i.e. the technical implementation, which is performed by the IT department). Also, each process must be documented transparently and without gaps.
tenfold’s greatest values as a management platform include its ability to store project responsibilities centrally, its ability to automate implementation processes on a technical level and, furthermore, its ability to control and document workflows. Integration is key here – IT security can only be sustainably improved if a clean, error-free initial state is given and if all involved persons and systems are then interconnected. Read on to find out why permission management integration is so important.
Integrating HR to guarantee process quality
Many changes performed to user accounts or permissions are the result of an organizational, staff-related change. When a new employee joins the company, they will be given different user accounts and assigned certain permissions. Whenever an employee changes jobs and moves to a different department within the company, their permissions will be changed and their existing user accounts will be deactivated, while new appropriate user accounts are created. When an employee leaves the company for good, all related user accounts must be deleted, and any data must be archived.
The first department to become aware of these changes is the human resources department. This is where contracts are signed or dissolved and where all further business processes are set in motion. It is therefore imperative for the IT department to base all user management actions on these very processes. Often, this is achieved through informal e-mails or tickets passed from HR to the IT department, which leaves room for error in terms of reliability and data quality. These processes will often trigger a string of further queries and uncertainties, and the error rate is accordingly high. It is not rare for a new person to join a company and begin his or her first day without any IT access rights at all. When someone resigns and leaves the company, the potential for error is even greater: orphaned accounts and accumulated access rights and permissions are left behind, posing a security risk which may go unnoticed for several years. The right approach and the right tool for permission management integration can provide a solution here.
tenfold can significantly help to improve all of these processes by actively involving the HR department – in the spirit of the platform concept. For smaller businesses with less fluctuation, tenfold provides the HR department with a form used for registering, re-registering and unregistering employees. The form and any downstream processes can be adapted to specific requirements.
In medium-sized and large businesses, tenfold is directly connected to the HR system: the tenfold Import Plugin automatically recognizes and processes new employees, as well as any changes made to HR data. New user accounts, mailboxes and other resources are thus created or updated automatically with the new data.
Advantages of HR integration with tenfold:
- tenfold automatically recognizes new employees and creates the relevant accounts, thereby reducing the workload for the administrator.
- It recognizes data changes, which triggers accounts to be updated automatically. Permissions are also adjusted automatically, which means that they do not accumulate unchecked during the period of employment.
- A person leaving the company (be it resignation, dismissal or death) is also reliably recognized and processed, thereby preventing orphaned accounts (“file corpses”) from arising. By closing this frequently used gateway, IT security is sustainably improved.
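The reconciliation these points describe can be sketched as follows. This is an added example, not tenfold's code or the Import Plugin's logic: it treats HR data as the source of truth and flags orphaned accounts, permissions left over from a previous department, and new employees without an account. The record layout, user names, group names and the department-to-group mapping are constructed assumptions.

```python
# Constructed sample data: HR roster (source of truth) and directory accounts.
HR = {
    "E100": {"dept": "Sales", "status": "active"},
    "E101": {"dept": "Finance", "status": "active"},  # moved from Sales
    "E102": {"dept": "IT", "status": "left"},         # has left the company
    "E103": {"dept": "Sales", "status": "active"},    # new joiner
}
ACCOUNTS = [
    {"user": "ameyer", "emp_id": "E100", "enabled": True,
     "groups": {"Sales-Share"}},
    {"user": "bkurz", "emp_id": "E101", "enabled": True,
     "groups": {"Sales-Share", "Finance-Share"}},
    {"user": "clang", "emp_id": "E102", "enabled": True,
     "groups": {"IT-Admins"}},
    {"user": "svc_old", "emp_id": None, "enabled": True,
     "groups": {"Finance-Share"}},
]
# Hypothetical mapping of departments to the groups they are entitled to.
DEPT_GROUPS = {
    "Sales": {"Sales-Share"},
    "Finance": {"Finance-Share"},
    "IT": {"IT-Admins"},
}


def reconcile(hr, accounts, dept_groups):
    """Return (finding, subject, detail) tuples for every HR/directory mismatch."""
    findings = []
    covered = set()  # active employees who already own an account
    for acct in accounts:
        emp = hr.get(acct["emp_id"])
        if emp is None or emp["status"] != "active":
            # No active HR record behind this account: orphaned if still enabled.
            if acct["enabled"]:
                findings.append(("orphaned_account", acct["user"], ""))
            continue
        covered.add(acct["emp_id"])
        # Permissions beyond the current department's entitlement (mover case).
        excess = acct["groups"] - dept_groups.get(emp["dept"], set())
        for group in sorted(excess):
            findings.append(("excess_permission", acct["user"], group))
    for emp_id, emp in hr.items():
        # Joiner case: active in HR but no account exists yet.
        if emp["status"] == "active" and emp_id not in covered:
            findings.append(("missing_account", emp_id, emp["dept"]))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR, ACCOUNTS, DEPT_GROUPS):
        print(finding)
```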
Mandatory: Active Directory + file servers
The focus at the beginning of a project often lies on Active Directory permissions, followed by permissions for file servers and for Exchange. This is important, of course, since the file servers contain important Excel evaluations or documents that are worth protecting. However, reports whose data originally came from ERP or CRM systems must not be neglected either, as the roles set in these systems do not apply to file servers; file servers adhere to an entirely different permission concept.
Before tenfold can be applied effectively as permission management software, it is necessary to analyze and clean up the structures that have evolved on the file server. Berlin-based company aikux.com GmbH has developed a software product called migRaven, which is our number one tool of choice for preparing the introduction of tenfold. migRaven will transform any chaos into a structure that is clean both technically and in terms of content.
During day-to-day business operation, however, you will most definitely encounter yet another problem: separating responsibilities. While only the IT department is able to carry out the actual permission changes, the data owners are in charge of deciding whether a permission will be approved or disapproved in the first place. Acting as a management platform, tenfold brings together both departments in one system and controls the workflow.
Advantages of Active Directory and file server integration:
- Analysis and cleansing of permissions and data by migRaven as necessary prerequisites for a clean implementation of tenfold
- Transparent and easy reporting ("Who has access to which directories?") for file servers, Exchange and SharePoint.
- Automatic implementation of recommended procedures (Microsoft Best Practices) for assigning permissions.
- Management of parties responsible for directories and their integration into the approval workflow.
Essential data – often neglected
Even though Active Directory always serves as the basis for any IT infrastructure and therefore requires a lot of protection, the fact that a lot – if not most – important data may be located in other systems is often neglected. For instance:
- ERP: Financial data, prices, orders, etc.
- HR: Private data about employees, salaries, etc.
- CRM: Personal customer data, important sales data, etc.
Also consider these industry-specific examples:
- Manufacturing industry – MES: Orders, performance data, etc.
- Health care – KIS (hospital information system): Personal patient data, patient history, etc.
- Public sector – E-GOV: Personal data on citizens, official procedures, etc.
Where permission assignment and the transparency of processes are concerned, the same rules and requirements apply to the systems mentioned above as to Active Directory. tenfold serves as the platform for this purpose and ensures that the correct permissions will reliably be assigned to the corresponding persons and that, by using the relevant workflows, responsibilities will be clearly separated and appropriately documented.
Advantages of vertical integration of tenfold:
- Many applications can be integrated out-of-the-box via plugins. This eliminates additional manual tasks for the administrator, such as having to create multiple user accounts.
- A system-independent approach also allows the integration of applications and systems that are not directly supported. Nevertheless, tenfold is still able to visualize the majority of the workflows involved.
- tenfold facilitates the transparent documentation of all changes for all systems and applications.
So much for why integration is the central key to success in permission management.