What are the driving factors to justify the investment of resource in this topic?
• Time consuming effort to demonstrate regulatory compliance, particularly for data security and personal information protection
• Discord between business requirements and system administrator’s ability to update legacy user permissions
• Growing list of username/password combinations for staff, with repeat requests to reset passwords or simply taking more time to access business information
• Internal auditors flagging excessive access rights for legacy roles, or privilege access assigned to staff who no longer work in the company
The objective of robust Access Management is to enable the right individuals to access the right resources, at the right times, from the right environment, and for the right reasons. Access Management, though, can only be controlled when there is also management of user identities, for it is the associated identity that is being granted privileged access rights. This is what is referred to as Identity and Access Management (IdAM).
For a more wordy definition: Identity and Access Management (IdAM) is the set of business processes, technologies, and policies for the creation, maintenance, termination, and use of digital identities for people, systems, and services, and for controlling how these digital identities are used to access resources such as information, applications, or systems.
In summary, this refers to the unified account provisioning, role-management, fine-grained security, and password management for your enterprise information assets.
What is the problem?
IT Security can be rendered more complex and convoluted by the sprawl of multiple systems, services, and applications – which is likely to result in varying user identities and different levels of access. This, in turn, can require users to authenticate multiple times when accessing each resource. Each request needs to be validated and an auditable log created of both valid and invalid access attempts, together with consistent policy enforcement and policy updates across these systems. Whilst this can be a source of frustration for the end-user, sapping time and hindering work tasks, it also has strong implications for enterprise governance, risk management, and compliance. The monitoring and capturing of identity and access information adds cost to the ownership of digital identities, and complicates the reporting for audit and compliance purposes.
How does this play into smarter Enterprise Governance?
Clearly, digital identities and access rights fall within the domain of IT Security. There are fundamental IT security requirements to determine who the system users are, and to validate what resources they can access. However, there is a bigger story at play – as user identities and access rights must conform to your enterprise governance policy. As such, IdAM is an important pillar for the governance framework, and the implementation of IdAM serves to reduce enterprise risk as well as lower operational costs – whilst also delivering regulatory compliance. This can be referred to as IT Governance, Risk Management, and Compliance (Enterprise IT GRC).
Policy-driven governance will address the full life-cycle of user identity and access controls. This serves to correlate identity and access information for analysis and audit reporting across IT systems (email, file servers and network accessed directories, ERP, etc.), taking input from HR, control objectives, workflows, and policies. The life-cycle of processes results in an integrated identity management solution that delivers both auditor reports and compliance dashboards.
• Role, separation of duty (SoD) modelling
• Role mining and analysis
• Role lifecycle governance
• Access attestation (continued business need)
• User provisioning & de-provisioning
• Delegation, self-care/self-service
• Separation of enforcement duties
• Strong authentication
• Fine-grain access control
• Federated identities, Single-Sign-On (SSO)
4. Monitoring & Continuous Improvement
• governance policy integration
• anomaly detection
• actionable reporting
As the business matures in its identity and access management, the transformation follows a journey that starts with greater visibility across user identities and access, then the attainment of automated auditing and attestation (certification), role-based policies, and then a self-service user interface with preventative controls and faster access management.
Smarter Approach for Identity & Access Management
We propose an approach that mitigates these risks and which also reduces total cost – whilst also creating the ability to robustly manage access not only within the enterprise but also across business partnerships. Our approach typically includes the following steps, and is tailored to the client’s needs:
• automation of user credential and permission management across enterprise environments
• self-service account management, empowering users to reset passwords and with advanced workflows for request/approval to business resources
• integration with HR systems for operational efficiency and consistency of validated identities
• deployment of role-based access procedures, with governed re-attestation of business requirements for privileged access rights
• consolidation of user identities and permissions, with active analysis and reporting on policy compliance – applying a user life-cycle perspective
• demonstrable compliance for auditors and regulators, with internal accountability and continuous monitoring – yet without compromising security
• converge complex systems for more efficient and effective management, achieved by virtualization of multiple identity repositories such that these can be managed and audited as a single system
• enhanced operational efficiency for IT management
Whilst Meta Byte has developed a framework to assist in identifying, planning, deploying, and monitoring enhanced GRC (gearing towards Pervasive GRC, a topic for a future blog), there is no single approach that is valid for all corporate entities. The reason for this is that your specific business objectives, and the maturity of existing processes, will strongly influence the capability deployment and activity roadmap to achieve smarter governance.
Your journey to enhance access governance
In terms of project management and the crafting of a business case for this activity, your Corporate Governance serves to provide focused context and direction to the IdAM implementation – if it exists, this will be underpinned by your Data Governance. This aligns operational capability with organizational strategy, and offers consistency and extensibility as the governance and operational competency evolves: managing identities, validating user credentials, role-based access policies – with consistency across multiple systems and a more proactive audit capability.
1. assessment of IT processes and systems
2. prioritize requirements based on corporate strategy and existing environment
3. map identity and access management solution onto business requirements
4. define a roadmap for capability enablement, including education and awareness sessions
5. validate technical enablement and business reporting
The bespoke needs of each client will drive the deployment of an IdAM capability. The phased implementation will be geared to the client’s corporate strategy. At Meta Byte Technologies we have already conducted assessments of solution providers, and we also hold field experience from deployment into diverse domains. We are therefore able to strongly advise on both flexible and modular approaches to deliver robust – and well governed – capabilities.
An important step towards enhanced business governance and more robust can be achieved through business-driven identity and access management. In many instances this is deployed alongside existing security tools – augmenting capability rather than replacing. Cost savings are achieved through operational efficiency gains, together with more nimble compliance.
Author: Alexis Biller
Role: Practice Lead & Business Manager at Meta Byte Technologies FZ LLC
Published: April 2015