June 23, 2022

Office 365 Privileged Identity Management - How to Manage

Identity management allows administrators to control which resources a given user can access in Office 365. Users' O365 privileges must match the specific tasks they need to carry out, without granting access to any more resources than those tasks require, in order to maintain security and compliance. Moreover, because both users and the resources they access change over time, identity management must be maintained indefinitely.

For example, when an employee is first brought into an organization, they are given user credentials to access Office 365 resources. In addition to those credentials, the user is also assigned specific permissions that allow them to access specific resources and third-party applications within O365.

But the story doesn’t end there. If that same employee later changes departments, they will need access to new resources, and the user profile will need to be updated to reflect this. Likewise, there will probably be resources that this same employee shouldn’t be able to access anymore, and changes to that user’s identity will need to be made to reflect this as well.  

When identity management is carried out well, an organization benefits in the sense that there are fewer opportunities for security breaches and fewer compliance issues uncovered during various audits.

Today, we’ll look at several approaches to managing identity controls that will further your organization’s identity control capabilities.

Identity Controls, Collaboration, and Compliance

Identity management has historically been folded into an organization’s centrally-controlled network; however, as organizations move either portions of their resources – as we see in hybrid deployments of Office 365 – or the totality of their O365 deployments to the cloud, there is an increasing need to manage users’ identities independently of the network itself.  

This is, in part, because of how internal users and guests can collaborate in O365, and it is also because of the increase in the use of third-party applications and the use of personal devices to access the larger system – all of which require granular control of what users can access and do throughout the O365 system.  

Avoiding Identity Control Drift

Identity control drift is the idea that over time, a user identity in O365 can become less and less representative of the access a given employee needs to perform his or her work duties. This gradually increasing misalignment can happen for a variety of reasons.

Nor is this a one-time event. Identity drift can result from other changes over time as well. Employees change departments, and guest access to organizational resources is granted as needed; when these changes occur without the oversight required to keep identity controls accurate, identity drift is sure to follow.

Common Causes of Identity Management Mishaps

Having too many administrators can be an indicator that your organization needs to refine its identity management policies and practices. If you find that more than a small portion of your users have administrative privileges, it may be an indication that admin rights are not being removed after having been granted temporarily for a finite task.  

When identity management rules incorporate data that is not stored directly in Azure AD, such as HR records, you may find that user identities drift over time, as it can be difficult to automate the upkeep of identity management data points as employees shift from one department to the next or take on new roles within the organization.

When an O365 group is tied to an entire department, accidental or unnecessary access may be granted to group members if that group is used to define additional access rules. For example, if OneDrive access is governed by a rule based on department membership, and that same rule is used to grant access to a new, third-party application, you may find that more employees have ultimately been granted permission than needed.
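As an added example (not CoreView's code and not a Microsoft API), the three causes above can be expressed as monitoring rules run over a directory export. The user records, the 20% admin threshold, and the app and group names below are constructed assumptions; in practice the records would come from a tenant export and the HR department from the HR system.

```python
from dataclasses import dataclass

@dataclass
class User:
    upn: str
    department: str           # department as recorded in the directory
    hr_department: str        # department per the HR record (assumed source of truth)
    admin_roles: tuple = ()   # directory admin roles currently held
    groups: tuple = ()        # group memberships
    app_access: tuple = ()    # third-party apps the user can reach

# Constructed sample export; not real tenant data.
USERS = [
    User("ana@example.com", "Finance", "Finance", admin_roles=("Global Administrator",)),
    User("ben@example.com", "Finance", "Finance", admin_roles=("Exchange Administrator",)),
    User("cara@example.com", "Finance", "Finance"),
    # HR moved dan to Sales, but the directory still says Finance: drift.
    User("dan@example.com", "Finance", "Sales"),
    User("eve@example.com", "Sales", "Sales", groups=("grp-sales",), app_access=("expense-app",)),
    User("fay@example.com", "Sales", "Sales", groups=("grp-sales",), app_access=("expense-app",)),
]

def admin_ratio_alert(users, max_ratio=0.2):
    """Cause 1: too many admins. Returns (alert?, sorted admin UPNs)."""
    admins = sorted(u.upn for u in users if u.admin_roles)
    return (len(admins) / len(users) > max_ratio, admins)

def department_drift(users):
    """Cause 2: directory department no longer matches the HR record."""
    return sorted(u.upn for u in users if u.department != u.hr_department)

def overgranted_app_access(users, app, group, entitled):
    """Cause 3: app access inherited through a department group by users
    who are not in the (smaller) set that actually needs the app."""
    via_group = {u.upn for u in users if group in u.groups and app in u.app_access}
    return sorted(via_group - set(entitled))

def run_rules(users):
    """Collect human-readable alerts for IT instead of waiting for an audit."""
    alerts = []
    too_many, admins = admin_ratio_alert(users)
    if too_many:
        alerts.append(f"admin ratio exceeded: {', '.join(admins)}")
    for upn in department_drift(users):
        alerts.append(f"department drift: {upn}")
    for upn in overgranted_app_access(users, "expense-app", "grp-sales", {"eve@example.com"}):
        alerts.append(f"over-granted expense-app access: {upn}")
    return alerts
```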

Active Identity Monitoring with CoreView

With CoreView, you can set up specific monitoring rules that will alert IT when a problem arises. This ability extends to include identity management, and it offers a simple, actionable solution to each of the above scenarios.  

This means that, unlike Microsoft's native identity management tooling, CoreView lets you build identity management rules that constantly monitor for specific signs of identity drift. Rather than having these issues surface as red flags during an audit, you can rest assured that even when an identity rule isn't immediately updated by your IT team, the discrepancy will be caught and cleaned up by the automated monitoring you set up in CoreView.

Takeaways

Identity management is an ongoing process that only begins when a new user is added to M365. Users' identities need to be kept up to date to ensure that any new access rules created based on user identity are applied effectively and accurately. Identity drift happens when incremental changes to user identities are not proactively captured in the M365 data store, which can result in unnecessary privileges being granted to users who don't need them, and this constitutes a security concern.

CoreView makes it simple to automate the identity management process, so that even when IT staff don’t immediately update a given user’s identity after a change in his or her position or department – or any other similar situation – automated processes will find the error and report it to IT staff to review, or simply correct the problem as needed.
