Ian Glazer

As a part of its data center consolidation efforts, HP is going to be letting going 9000 IT workers. As this Computerworld article points out, although not confirmed, it highly likely that at least some of these terminated employees are system administrators. And as those admins walk out the door so too will walk an understand of how applications actually work and what the entitlements in them actually do. The loss of this kind of institutional knowledge will make it harder for compliance teams at HP to answer the question, “who has access to what.”

I am just wrapping up some research on how enterprises gather and catalog entitlements. With a decent entitlement management process in place, understanding what an entitlement grants in an application is next to impossible. Why? Because the people who know what permissions an entitlement grants, keep this information in their heads. And when they leave the enterprise, so too does that knowledge.

From there, the management of access becomes an exercise in cargo cult IdM. You start to see a lot of “model after” access (mis)management. You get a lot of wasted effort trying to figure out which dataset a group provides access to in the midst of a compliance exercise.

Without a means of capturing the meaning of entitlements enterprises put themselves at risk. Letting go a of a huge number of system administrators, who likely have some crucial understanding of what their systems’ entitlements do, compounds that risk.

2 Comments »

Category: Identity and Access Governance     Tags: access certification, entitlement management, iag, Provisioning, role management

Share

Tweet