The Benefits of Access Governance – The New Baseline for Identity Management
The need to identify users, control what they can access, and audit their activities is fundamental to information security. According to the Gartner Magic Quadrant for Identity Governance and Administration report (30 December 2013 ID: G00253758), the identity and access management market has experienced significant upheaval along with its usual growth over the past two years.
What began as two relatively distinct markets, user provisioning and access governance, has merged into a single category of identity governance and administration. However, many organizations have not realized the benefits expected from the application of this technology, because they have taken a tactical technology-led approach rather than a strategic one based on governance. In addition, the move to outsourcing and the cloud means that technology and some processes are no longer under the direct control of the organization. Escalating security and privacy concerns along with a renewed focus on corporate oversight are driving governance, risk management and compliance (GRC) to the forefront.
To effectively meet GRC requirements, organizations must prove they have strong and consistent controls over who has access to critical applications and data. The primary objectives of identity and access governance are to manage risk and ensure compliance in a consistent, efficient and effective manner. Access governance is about implementing well-described processes, procedures, and guidelines.
According to an article by Venkat Raghaven, "A new approach to identity and access management governance: Governance with accountability", the identity and access governance processes necessary to meet these requirements would include:
- Identifying what relevant data the organization holds and classifying this data accordingly.
- Accessing critical processes, information systems and data that should be managed as foundational risk management controls.
- Leveraging a systematic IT architecture and platform to enforce those policies, procedures, and guidelines as designed so both business and IT understand the results of continuous compliance in the broader risk management strategy.
- Deploying governance with accountability, manageability, sustainability and reporting to business and IT owners.
- Understanding the level of access users have to services, applications and data.
- Controlling which users have access to the organization’s information and ensuring that users with privileged access do not enable unauthorized access to data.
- Implementing processes that monitor and review which users have access rights to the organization’s data and the cumulative effect of those rights and privileges.
- Defining and managing governance over physical and logical access rights, including a certification process that ensures valid user access and access revocation when needed.
- Enforcing identity management governance to manage a user’s identity lifecycle from start to finish in an effective and efficient manner.
Alongside the Internet of Things (IoT) there is also the ‘Identity of Things’ (IDoT), in which identity is the means by which people, devices, and services are connected over the Internet. As a result of that unfettered connectivity, some groups are taking action to voice their concerns over how privacy issues are being addressed.
Organizations are leveraging identity more and more as a means to enforce access control with respect to which people, through which devices, have access to which services. From a governance, risk, and compliance standpoint, operational efficiencies gained through tracking, accountability, and enforcement provide another effective mechanism for managing risk.
The Internet of Things (IoT) will create a world-wide connected infrastructure of billions of objects over the next 10 years. Through the use of identity, any person, device, or service could be contained within their associated “Communities of Interest”. Without a unique identifier or an association with a real physical identity, the person, device, or service is inanimate, unable to communicate or to provide context to the information that it has access to or is able to produce.
The Internet of Things (IoT), which has transformed the way that organizations do business today, also brings concerns regarding the privacy and security of the underlying data. This paradigm requires the application of governance, risk, and compliance for those involved in the data lifecycle, alongside the context of their identity.
Access governance systems have grown in importance over the last few years due to an increased emphasis on regulatory compliance, a growing awareness of and sensitivity to insider threat, and a heightened concern for overall IT security. All types of organizations are discovering that they need much greater visibility into who can access their key resources and how.
With the increasing number of cloud providers, data warehouses and social networks, the activity of sharing and managing identity and access information has been raised to the forefront as service providers seek more effective and efficient mechanisms for providing consumer security. Requesting, approving, and tracking access roles and privileges from a business perspective is essential from an overall governance, risk, and compliance perspective. Industry and government rules, regulations, and guidelines (e.g. Sarbanes-Oxley, Basel II, FISMA, HIPAA, PCI/DSS) are the primary drivers when organizations endeavor to establish processes and controls to mitigate internal and external risks.
Access Governance goes well beyond access recertification, role management and analytics. Strong capabilities for access request management, access analytics, and advanced capabilities for directly or indirectly provisioning changes back are more often than not mandatory features. Increasingly, improved integration with Privilege Management tools or User Activity Monitoring solutions is being developed as a key focus area for many organizations. The Access Governance market is changing: the focus is not only on the traditional capabilities but also takes into account the Internet of Things (IoT) and the Identity of Things (IDoT).
It has become apparent that Identity Access Governance is gaining traction with corporations and large to medium organizations. It is the new baseline for functionality that will facilitate advancements in Identity Management.
I’d like to thank my colleague Martin Duffy for sharing with me many of the valuable sources of information that contributed to the content of this article.