Do you know who has access to your most sensitive data?

What if access to our online bank accounts was managed the same way we manage access to information systems at work? Would we know who can get into our accounts? Who could see how much we have in what accounts? Who could take money out? Who could authorize other transactions? We probably would be much more careful about who has access and what they are cleared to do.

Many companies, however, still don't do a good job of governing identity and access to systems that contain information just as important and sensitive to their organizations as our bank accounts are to us. According to Diana Kelley, executive security advisor at IBM Security, companies need to do a better job of identity governance and of ensuring that individuals have access only to the information they need. She says roles need to be clearly defined and access limited to the data people need to do their jobs.

She also says companies need to get better tools to help them do the job of limiting access only to those that need it and managing who has access to what. Many companies, she says, can't answer the question of who can access what systems and if they truly need to or not.

One of the problems is the massive proliferation of identities and the growing complexity of systems. Those are our many log-ins, passwords, and accounts for the many applications, mobile devices, social media accounts and other systems we have access to. "There's so much data out there and too many identities to all the apps we log into and the number of passwords we have," says Kelley. She says the complexity is compounded when you consider the third parties and service providers that may also have access to our systems. "There's no way we could manage all of that manually," she adds.
According to Kelley, limiting access isn't a matter of trusting employees. She says most employees have no bad intentions but could have their accounts compromised by those outside the organization or even co-workers who do have bad intentions. For example, she doesn't recommend giving the CEO and others in the C-Suite access to all the information in the organization, as many companies do. As Kelley points out, senior executives are often the ones targeted with phishing scams and social engineering campaigns to gain access to their accounts.

A good identity governance system can help companies balance ease of use with controls and security. "You need to manage the risks, provide security, and balance it with compliance," she says. Another example Kelley gives is when employees are moved into new roles but still have access to the systems they needed for their old roles. "It's a snowball effect," she says. "They never have access taken away, just added."

Kelley says that good identity governance practices can help give companies more intelligence about who should be accessing what. It can also provide more analysis and reporting so that managers can see in an easy way if there is unauthorized access to data. And that can go a long way to helping companies protect that data.
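As an added example that is not from the article or from IBM Security, the following Python access review works over constructed role and user data. It flags entitlements a person still holds from a previous role (the "snowball effect" described above) as well as access their current role requires but they lack, producing the kind of per-user report managers could act on. Role names, entitlement strings and users are all constructed sample data.

```python
"""Added example (not from the article): a role-based access review that
flags entitlements a user holds beyond what their current role needs.
All role names, entitlements and users below are constructed sample data."""
from dataclasses import dataclass, field

# Constructed role model: each role maps to the entitlements it needs.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"erp.invoices.read", "erp.invoices.create"},
    "ap_manager": {"erp.invoices.read", "erp.invoices.approve", "erp.reports.read"},
    "hr_analyst": {"hris.records.read", "hris.reports.read"},
}

@dataclass
class User:
    name: str
    role: str                 # the user's CURRENT role
    entitlements: set = field(default_factory=set)   # what they actually hold

def review_access(users, roles=ROLE_ENTITLEMENTS):
    """Return a per-user report: entitlements to revoke (held but not required
    by the current role) and entitlements missing for that role.
    A user in an unknown role needs nothing, so everything they hold is excess."""
    report = {}
    for u in users:
        needed = roles.get(u.role, set())
        excess = sorted(u.entitlements - needed)
        missing = sorted(needed - u.entitlements)
        report[u.name] = {"role": u.role, "excess": excess, "missing": missing}
    return report

def excess_entitlements(users, roles=ROLE_ENTITLEMENTS):
    """Flat (user, entitlement) list a reviewer should revoke, in report order."""
    return [(n, e) for n, r in review_access(users, roles).items() for e in r["excess"]]

# Constructed sample: "dana" moved from ap_clerk to hr_analyst but kept AP access;
# "sam" holds an approval right the ap_clerk role never grants;
# "lee" is an ap_manager who was never given the reporting access the role needs.
SAMPLE_USERS = [
    User("dana", "hr_analyst", {"erp.invoices.read", "erp.invoices.create",
                                "hris.records.read", "hris.reports.read"}),
    User("sam", "ap_clerk", {"erp.invoices.read", "erp.invoices.create",
                             "erp.invoices.approve"}),
    User("lee", "ap_manager", {"erp.invoices.read", "erp.invoices.approve"}),
]

if __name__ == "__main__":
    for name, r in review_access(SAMPLE_USERS).items():
        print(f"{name:5} role={r['role']:11} revoke={r['excess']} grant={r['missing']}")
```

In practice the role model and the held entitlements would be exported from the directory and the target applications; the comparison logic stays the same.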