Adaptive Identity Governance
Over many years, innovation has been at the forefront for most organizations – although now it has created a very complex environment and this has changed massively in the relatively short history of the IT industry. Co-located, highly cohesive teams with deep subject matter expertise have become highly distributed, and multi-disciplined teams that work at speed. End-users are demanding flexible and faster access to critical resources and vital information, from disparate locations using a variety of devices. Over time, the realization of new computing platforms, new networking infrastructures and new application access models has produced a very complex picture, and enterprise organizations need to balance many combinations of these simultaneously.
At the same time, information security threats are on the rise and as a result government regulations are demanding more control over users and data. In this context, it is important for organizations to evolve their security procedures. As enterprises rapidly expand their footprints into social, mobile and cloud, they must ensure that only the right users have the right access to sensitive data and applications. As the risk of insider threats is increasing and the stringent regulations are becoming order of the day, enterprises need to adopt robust and optimized identity solutions. Additionally, granting and managing access has traditionally been the domain of IT department, leaving the rest of the organization with little visibility into how user access actually aligns with security and compliance requirements. In order to protect critical and confidential data and applications of the organization, enterprises must implement a resilient identity management and governance solution. The IGA solution must enable strong control over user access to applications and carefully monitor how access entitlements align with business roles and responsibilities. As an organization grows in size, and as newer roles are defined, and as people move across different roles, managing correct entitlements becomes increasingly difficult.
For example, access rights of an employee to certain critical systems may be still lingering in the system, well after the employee has exited the organization. Or a sales manager, who has moved into a completely different role, may still be retaining access to the company’s CRM system that he/she had while in the sales organization. This dual access results in a “Separation of Duties” violation, which in turn may result in deeper consequences than a mere audit failure. It can expose the institution to insider threats and fraud, leading to both financial losses and damage to the corporate reputation.
Identity Governance must not be implemented as a mere reaction to compliance audits. While it is important and necessary to pass various audits, it is short-sightedness to look at Identity Governance as just that. Today’s attackers are targeting user credentials as a weak link in enterprise security. Reducing this risk requires reducing excessive entitlements that account for today’s dynamic business requirements. In a well thought-out enterprise, the IT Operations Manager should be able to demonstrate control over personnel access and take necessary corrective actions.
A well laid-out Identity Governance infrastructure should serve four fundamental needs
• Assure Compliance
The system should reduce the overall cost of compliance reporting. When audit findings raise the need for better access certification controls, manual entitlement collection and certification campaigns, the solution that you adopt should demonstrate the ability to answer questions like "What does Ramesh have access to?"
• Be more adaptive and Reduce the risk
As attackers find creative ways to trick users into exposing their credentials, identity governance must evolve beyond a compliance checkbox activity and do more to reduce the risk of excessive access. The governance solution must provide customizable risk scoring to prioritize access certifications and engage the business with additional context, such as orphan accounts or SoD violations, needed to decide on personnel access and when to revoke risk. Risk and Compliance officers must engage line of business managers with risk information during access certifications.
• Provide actionable insight
Business managers are involved in identity and governance more than ever. But their patience is put to test when access to requested resources is delayed or when IT professionals have to deal with clumsy and complex user interfaces for access requests, approvals and certifications. They are driven by their need to have their employees being quickly productive with access to various business apps needed to do their work. They often land up approving more expansive access rights to the requesters, increasing insider threats and fraud. A good governance solution should provide a very user-friendly interface, where the approver is clear of what entitlements he/she is approving and call out any SoD violations.
• Work in disparate environments
Today’s enterprises have to deal with a lot of variety of end-users ( regular employees, contractor workers, customers, partners and suppliers etc.) through mobile and demand access to specific data and applications from a variety of locations. This is forcing organizations to deploy applications in a complex combination of on-premise, private and public cloud environments. A good governance solution should be able to transcend these boundaries and provide comprehensive compliance and be adaptive to changing business needs.