Rules and policies vs. actual practice

* Survey finds 1 out of 3 people have wrong rights assignments

Last week, I told you that Sun's Vice President of Identity, Sara Gates, was ebullient. We're going to have to add "peripatetic" to that description because it seems she's popping up everywhere I look these days. Case in point: the latest issue of Sarbanes-Oxley Compliance Journal (see link below), where she tries to drum into compliance managers just how much easier their lives would be with a good identity management system in place.

She writes: "There are a number of technologies that can streamline your compliance effort so that your company remains compliant without incurring burdensome recurring costs. One such technology is identity management, which can help to establish repeatable, sustainable, cost-effective processes that respond quickly to organizational changes, enable continuous compliance and security, and create auditable histories of who had access to what information."

The points she makes are perfectly valid, even if they also happen to line up with Sun's latest push of electronic provisioning services. The sad fact is that there are still quite a few people out there - those charged with implementing strict regulatory compliance measures, who could be jailed if they fail - who don't understand the benefit of identity management systems.

Eurikify's CEO, Avi Cohen, recently shared with me some numbers his organization has collected as it implements its role-based identity management programs in organizations of all sizes. (Read more about the Sage line of offerings from Eurikify at its Web site,

After drawing up rules and policies for an organization and then comparing them with the organization's actual practice (the rights currently in place on its systems), Eurikify found that almost 1 out of 3 people (~32%) have "out of pattern" (i.e., wrong) rights assignments, and that 38% of the organization's resources are being used by these "out of pattern" users.

Less pressing for the moment, 1 in 3 (33%) have redundant or parallel access rights. That isn't an immediate problem, but it can become one when the person leaves the organization: removing one access right gives us the false sense that no other path to the resource remains, and these redundant and parallel rights prove otherwise.

Eurikify also found a whopping 66% of people with access rights that bypass groups while another 25% are listed in overlapping or redundant groups. While it isn't necessary to assign rights completely via roles or groups (for a personal folder, for example), this practice can get out of hand when someone needs to access a resource quickly and temporarily - ever notice how often "temporary" becomes "forever"?

The most troubling stat Eurikify found, at least to me, is that roughly 30% of accounts are "orphans" - no longer used, no longer needed but lurking, waiting to be the entry point for a security breach.
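The four findings above are the output of one audit procedure: draw up the role model, pull the grants actually present on the systems, and classify every grant that the model does not explain. The script below is an added example of that policy-vs-practice comparison, not Eurikify's Sage code or anything from the column. The role table, the HR account list and the grant list are all constructed for the example, and the 90-day inactivity threshold used to flag unused accounts is an assumption.

```python
"""Policy-vs-practice entitlement review (added example, constructed data).

Compares grants found on systems against a role model and sorts the
mismatches into the categories used in the survey above: out-of-pattern
rights, redundant/parallel rights, direct grants that bypass groups, and
orphaned accounts that still hold access."""
from collections import defaultdict
from datetime import date

# Policy: the resources each role is supposed to confer (constructed).
ROLE_RESOURCES = {
    "finance": {"gl_ledger", "ap_system"},
    "engineer": {"src_repo", "build_server"},
    "helpdesk": {"ticketing"},
}

# HR view of each account: roles, employment status, last use (constructed).
ACCOUNTS = {
    "alice": {"roles": {"finance"}, "active": True, "last_login": date(2005, 3, 1)},
    "bob":   {"roles": {"engineer"}, "active": True, "last_login": date(2005, 2, 20)},
    "carol": {"roles": {"helpdesk"}, "active": True, "last_login": date(2004, 9, 2)},
    "dave":  {"roles": set(), "active": False, "last_login": date(2004, 11, 30)},
}

# Practice: grants actually present on the systems. `via` names the group
# that carries the grant, or is None for a direct ACL entry (constructed).
GRANTS = [
    ("alice", "gl_ledger", "grp-finance"),
    ("alice", "ap_system", "grp-finance"),
    ("alice", "ap_system", None),               # parallel direct grant: redundant
    ("alice", "src_repo", None),                # not covered by alice's roles: out of pattern
    ("bob", "src_repo", "grp-eng"),
    ("bob", "build_server", "grp-eng"),
    ("bob", "build_server", "grp-eng-legacy"),  # overlapping group: redundant
    ("carol", "ticketing", "grp-helpdesk"),     # account unused for months
    ("dave", "gl_ledger", "grp-finance"),       # dave has left: orphan
]


def expected_resources(account):
    """Resources the role model says this account should have."""
    allowed = set()
    for role in ACCOUNTS[account]["roles"]:
        allowed |= ROLE_RESOURCES.get(role, set())
    return allowed


def out_of_pattern(grants=GRANTS):
    """(user, resource) pairs that no role held by the account explains."""
    return sorted({(u, r) for u, r, _ in grants
                   if u in ACCOUNTS and r not in expected_resources(u)})


def redundant(grants=GRANTS):
    """(user, resource) pairs reachable by more than one path. Removing one
    path during offboarding leaves the other in place."""
    paths = defaultdict(set)
    for u, r, via in grants:
        paths[(u, r)].add(via)
    return {k: sorted(v, key=str) for k, v in paths.items() if len(v) > 1}


def bypassing_groups(grants=GRANTS):
    """Direct ACL entries that sidestep the group/role layer entirely."""
    return sorted((u, r) for u, r, via in grants if via is None)


def orphans(grants=GRANTS, today=date(2005, 4, 1), stale_days=90):
    """Accounts still holding grants although the person has left, the
    account is unknown to HR, or it has not been used within stale_days
    (threshold is an assumption for the example)."""
    found = {}
    for u, _, _ in grants:
        acct = ACCOUNTS.get(u)
        if acct is None:
            found.setdefault(u, "unknown to HR")
        elif not acct["active"]:
            found.setdefault(u, "left organization")
        else:
            idle = (today - acct["last_login"]).days
            if idle > stale_days:
                found.setdefault(u, f"unused for {idle} days")
    return found


def review():
    """One-shot report in the same four categories as the survey."""
    return {
        "out_of_pattern": out_of_pattern(),
        "redundant": redundant(),
        "bypassing_groups": bypassing_groups(),
        "orphans": orphans(),
    }


if __name__ == "__main__":
    for category, hits in review().items():
        print(f"{category}: {hits}")
```

Run as-is, the report flags alice's direct src_repo grant as out of pattern, her duplicated ap_system access and bob's two overlapping groups as redundant, both of alice's direct ACL entries as group bypasses, and carol (idle) and dave (departed) as orphans. On a real estate the three tables come from the HR feed, the role catalogue and an ACL export; the classification logic stays the same.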

Role-based access linked with all-encompassing electronic provisioning is still the best way, the most cost-effective way, to ensure a good night's sleep in your own bed and not at the graybar hotel.

Copyright © 2005 IDG Communications, Inc.