I am very sad to announce the death of one that many have held very dear to their heart – the IT Access Request Form. I never thought I’d be eulogizing such an integral part of my corporate life, but its day has come – and it’s time to move on.
You see, for many years, IT acted as both keymaster and gatekeeper for the systems it supported. The user was all but powerless – and the only appeal that could be made was through the infamous “IT Access Request Form.”
Like a wishing well, the user would close their eyes tightly and toss their request into the ether – relying solely on faith – that their wish would be fulfilled.
And sometimes it would.
Other times however, without response, the request would go completely unanswered. Was it ignored? Lost? Forgotten?
*clutches pearls* … Denied?
With such a nebulous and uncontrollable process, no one should truly be sad to see it go.
Here are a few of the many the reasons why the IT Access Request Form deserves its timely demise:
- It is difficult to get a request fulfilled quickly. With only a select few capable of pushing the right buttons, the process easily breaks down through lack of availability, duration of the vetting process, or by getting buried underneath a stack of higher-priority requests.
- Once access is granted, the service technician is 100% completed with his or her responsibility. The onus is then on the business owner to keep tabs on who does or doesn’t have access. When the business owner switches roles, history is all but lost.
- In order for access to be changed, another form must be processed. This often introduces a privilege overlap, where a user has more access than they should for an unnecessary period of time.
So, what happens when users are faced with a challenging process? Bingo! They start sharing accounts to get access to the things they need quickly. Requestors start asking for more privileges than they need to save on paperwork in the future. Deactivation gets deferred (or worse – skipped) and users keep access they shouldn’t have – which, is kind of a big deal.
This all adds up to a situation that makes our systems harder to maintain and less secure.
While any of these issues should be considered a major risk, the cause of death is not fully known. However, the post-mortem has revealed the following:
- Companies have figured out that the business owners should administer their own access. There’s no need to wait – given the right tools and authority, an owner should be able to manage their own system’s access.
- IAM solutions started providing mechanisms to audit and analyze who can access (and has accessed) their secure systems.
- Automation and integration have allowed for business owners to know when a user:
- Leaves the company
- Switches departments, roles or titles
- Goes on extended leave
- Has a combination of roles that would be considered “high risk” to sensitive corporate data
Fair warning: If you are still using this practice in your company – it’s going to start to smell. It’s time to welcome the new Identity and Access Management best practices into your life.
Don’t worry – you’ll still have the memories … for better or worse.