A new approach to identity and access management governance: Governance with accountability
This had led to an identity and access management (IAM) overload. Escalating security and privacy concerns along with a renewed focus on corporate oversight are driving governance, risk management and compliance (GRC) to the forefront. To effectively meet GRC requirements, organizations must prove they have strong and consistent controls over who has access to critical applications and data.
The market for IAM governance is fragmented, however, with point products for access certification, separation of duties, role management, entitlement management and privileged identity management that do not holistically address fundamental IAM governance requirements, including:
1. Sharing the right information, at the right time, with the right people, for the right purpose.
2. Applying policies and regulations to business operations.
3. Accessing critical processes, information systems and data that should be managed as foundational risk management controls.
4. Understanding the level of access users have to services, applications and data. Ensuring and documenting user access for valid business reasons and preventing separation-of-duty conflicts.
5. Defining and managing governance over physical and logical access rights, including a certification process that ensures valid user access and access revocation when needed.
6. Deploying governance with accountability, manageability, sustainability and reporting to business and IT owners while allowing delegation.
7. Leveraging a systematic IT architecture and platform to enforce policy as designed and making a feedback loop available so both business and IT understand the results of continuous compliance in the broader risk management strategy.
Certification helps establish a continued review of users, roles and associated entitlements. Though these address IAM governance requirements One through Three, access certification products are incomplete when they define access as an account on a server or group membership on an application, but do not properly configure or enforce the native access control policy on the server or application.
Separation of duties
Standalone separation-of-duties products may deliver robust policy constraints at a transaction level, but are insufficient, as they predominantly focus on ERP application roles. Though they address identity governance requirement Five, they typically only deliver controls at the role and group levels and assume that users assigned to a group represent an entitlement. That assumption is not always valid. Delivering business context to separation of duties is a better practice.
Many role management products provide substantial value in modeling and operational management. They may partially address client identity governance requirements One through Five, but fail to address underlying identity associations — through roles — to applications and data that determine how governance is managed.
Organizations should consider a holistic approach to IAM governance that meets the requirements of discovering, documenting and analyzing user access; establishing a process for user access governance; ensuring that constraints help manage business conflict; enforcing policies; and continuous monitoring. A policy-driven approach to manage people, applications and data provides the consistency and breadth needed for IAM governance.
People, identity attributes and associated roles provide critical links between the business and processes that deliver organizational visibility, control and automation. Applications and associated roles provide important entitlement links to users, so they can work through appropriate access to systems and information.
To help execute this holistic approach to IAM governance, organizations should consider a multi-step, closed-loop process that includes plan, model, implement, manage and monitor.
The first step in IAM governance is establishing agreed-upon business objectives and priorities, including executive sponsorship. Then the organization should perform an internal process and data discovery assessment and examine the processes for bringing users into and out of the organization.
At this stage, an organization should have the foundation of application, data, job and business process information needed to engineer and model a role structure. A good guideline is to have 70-80 percent of entitlements covered by roles.
Organizations should determine how they want to map candidate business roles to candidate application roles, and then analyze data for common authorization sets. Application and business roles should be separate, so a single technical change does not require a change to the entire role structure.
Role and policy assignment ties users to roles and policies while also designating role and policy owners. The implementation step includes controls around user assignment, as well as integration with user provisioning solutions, applications and systems. Complementing policy management is policy enforcement, including checks and balances in business processes and run-time enforcement in the infrastructure.
Once an organization starts operational management, change control processes help ensure proper change governance for organizational role and policy structure. Approval and recertification policies deliver change control at the user, role and entitlement levels, which can be managed with little business impact. Entitlement enforcement is critical—not just associating user or role membership with a group on an application—but also run-time, predefined policy enforcement.
Ongoing monitoring, auditing and reporting provide organizations with two key benefits. First, key IAM governance reports enable organizations to meet audit requirements for external regulatory mandates and internal corporate security policies.
Second, user compliance auditing and monitoring deliver a litmus test on the organizational role and entitlement structure: Does the role structure align with what users are doing with their access? This critical link creates a feedback loop into role definitions, policies and ongoing change control.
IAM governance and accountability
Typical IAM governance products deliver value but are incomplete. As organizations seek to administer, secure and monitor user access to resources, they should consider a policy-based approach to managing people, applications and data.