Adaptive Identity Governance

By Sreehari Sastry, MD, India Development Center, Novell

Over many years, innovation has been at the forefront for most organizations, but it has also created a very complex environment, and that environment has changed massively in the relatively short history of the IT industry. Co-located, highly cohesive teams with deep subject matter expertise have become highly distributed, multi-disciplined teams that work at speed. End-users are demanding flexible and faster access to critical resources and vital information, from disparate locations, using a variety of devices. Over time, the arrival of new computing platforms, new networking infrastructures and new application access models has produced a very complex picture, and enterprise organizations need to balance many combinations of these simultaneously.

At the same time, information security threats are on the rise, and as a result government regulations are demanding more control over users and data. In this context, it is important for organizations to evolve their security procedures. As enterprises rapidly expand their footprints into social, mobile and cloud, they must ensure that only the right users have the right access to sensitive data and applications. As the risk of insider threats increases and stringent regulations become the order of the day, enterprises need to adopt robust and optimized identity solutions. Additionally, granting and managing access has traditionally been the domain of the IT department, leaving the rest of the organization with little visibility into how user access actually aligns with security and compliance requirements. In order to protect the organization's critical and confidential data and applications, enterprises must implement a resilient identity management and governance solution. The IGA solution must enable strong control over user access to applications and carefully monitor how access entitlements align with business roles and responsibilities. As an organization grows in size, as newer roles are defined, and as people move across different roles, managing correct entitlements becomes increasingly difficult.

For example, an employee's access rights to certain critical systems may still be lingering in the system well after the employee has exited the organization. Or a sales manager who has moved into a completely different role may still retain the access to the company's CRM system that he/she had while in the sales organization. This dual access results in a "Separation of Duties" violation, which in turn may have deeper consequences than a mere audit failure. It can expose the institution to insider threats and fraud, leading to both financial losses and damage to the corporate reputation.

Identity Governance must not be implemented as a mere reaction to compliance audits. While it is important and necessary to pass various audits, it is short-sighted to look at Identity Governance as just that. Today's attackers are targeting user credentials as a weak link in enterprise security. Reducing this risk means removing excessive entitlements while still accounting for today's dynamic business requirements. In a well thought-out enterprise, the IT Operations Manager should be able to demonstrate control over personnel access and take the necessary corrective actions.

A well laid-out Identity Governance infrastructure should serve four fundamental needs:

• Assure Compliance

The system should reduce the overall cost of compliance reporting. When audit findings call for better access certification controls, or for manual entitlement collection and certification campaigns, the solution you adopt should be able to answer questions like "What does Ramesh have access to?"

• Be more adaptive and reduce the risk

As attackers find creative ways to trick users into exposing their credentials, identity governance must evolve beyond a compliance checkbox activity and do more to reduce the risk of excessive access. The governance solution must provide customizable risk scoring to prioritize access certifications, and must engage the business with the additional context, such as orphan accounts or SoD violations, needed to decide on personnel access and when to revoke it. Risk and Compliance officers must engage line-of-business managers with risk information during access certifications.

• Provide actionable insight

Business managers are involved in identity and governance more than ever. But their patience is put to the test when access to requested resources is delayed, or when they have to deal with the clumsy and complex user interfaces that IT professionals use for access requests, approvals and certifications. They are driven by the need to have their employees productive quickly, with access to the various business apps needed to do their work. They often end up approving more expansive access rights than the requesters need, increasing insider threats and fraud. A good governance solution should provide a very user-friendly interface, where the approver is clear about which entitlements he/she is approving, and which calls out any SoD violations.

• Work in disparate environments

Today's enterprises have to deal with a wide variety of end-users (regular employees, contract workers, customers, partners, suppliers and so on) who connect through mobile devices and demand access to specific data and applications from a variety of locations. This is forcing organizations to deploy applications in a complex combination of on-premise, private cloud and public cloud environments. A good governance solution should be able to transcend these boundaries, provide comprehensive compliance, and be adaptive to changing business needs.
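The three governance checks the article keeps returning to (lingering access after an employee leaves, a "Separation of Duties" violation from dual access, and answering "What does Ramesh have access to?" with a risk score that prioritizes certification) can be expressed as a small reconciliation between an HR feed and collected entitlements. The following Python is an added illustration, not code from the article or from any Novell product; the HR records, entitlement rows, the single SoD rule and the risk weights are all constructed sample data, and the scoring formula is an assumption meant to be tuned per organization.

```python
"""Toy identity-governance checks over an HR feed and collected entitlements.

Added example (not from the article). All data below is constructed.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed HR feed: the authoritative source for who is still employed.
HR_RECORDS: Dict[str, Dict[str, str]] = {
    "ramesh": {"status": "active", "role": "sales_manager"},
    "priya":  {"status": "active", "role": "finance_analyst"},
    "anil":   {"status": "terminated", "role": "developer"},
    "meera":  {"status": "active", "role": "finance_manager"},
}

# Constructed entitlement collection: (user, application, entitlement).
ENTITLEMENTS: List[Tuple[str, str, str]] = [
    ("ramesh", "crm", "crm_admin"),
    ("ramesh", "erp", "create_vendor"),   # kept from a previous role
    ("ramesh", "erp", "approve_payment"),
    ("priya",  "erp", "create_vendor"),
    ("anil",   "git", "repo_write"),      # anil has left the company
    ("anil",   "prod_db", "db_admin"),
    ("meera",  "erp", "approve_payment"),
]

# Separation-of-duties rules: entitlement sets no single person may hold together.
SOD_RULES: List[FrozenSet[str]] = [
    frozenset({"create_vendor", "approve_payment"}),
]

# Assumed risk weights per entitlement; unknown entitlements count as 1.
ENTITLEMENT_WEIGHTS: Dict[str, int] = {
    "db_admin": 5, "crm_admin": 3, "approve_payment": 3,
    "create_vendor": 2, "repo_write": 1,
}
ORPHAN_PENALTY = 10   # assumed extra risk for access held by a non-active identity
SOD_PENALTY = 5       # assumed extra risk per SoD rule violated


def entitlements_by_user(entitlements) -> Dict[str, Set[Tuple[str, str]]]:
    """Group collected (app, entitlement) pairs by user."""
    out: Dict[str, Set[Tuple[str, str]]] = {}
    for user, app, ent in entitlements:
        out.setdefault(user, set()).add((app, ent))
    return out


def access_for(user: str, entitlements=ENTITLEMENTS) -> List[Tuple[str, str]]:
    """Answer the auditor's question 'What does <user> have access to?'."""
    return sorted(entitlements_by_user(entitlements).get(user, set()))


def orphan_accounts(hr=HR_RECORDS, entitlements=ENTITLEMENTS) -> List[str]:
    """Identities that still hold entitlements but are not active in HR."""
    by_user = entitlements_by_user(entitlements)
    return sorted(u for u in by_user if hr.get(u, {}).get("status") != "active")


def sod_violations(entitlements=ENTITLEMENTS, rules=SOD_RULES) -> List[Tuple[str, Tuple[str, ...]]]:
    """Users holding every entitlement of some SoD rule at once."""
    violations = []
    for user, ents in entitlements_by_user(entitlements).items():
        held = {ent for _, ent in ents}
        for rule in rules:
            if rule <= held:
                violations.append((user, tuple(sorted(rule))))
    return sorted(violations)


def risk_score(user: str, hr=HR_RECORDS, entitlements=ENTITLEMENTS,
               rules=SOD_RULES, weights=ENTITLEMENT_WEIGHTS) -> int:
    """Additive score: entitlement weights, plus penalties for orphan and SoD findings."""
    ents = entitlements_by_user(entitlements).get(user, set())
    score = sum(weights.get(ent, 1) for _, ent in ents)
    if hr.get(user, {}).get("status") != "active":
        score += ORPHAN_PENALTY
    score += SOD_PENALTY * sum(1 for u, _ in sod_violations(entitlements, rules) if u == user)
    return score


def certification_queue(hr=HR_RECORDS, entitlements=ENTITLEMENTS,
                        rules=SOD_RULES, weights=ENTITLEMENT_WEIGHTS) -> List[str]:
    """Users ordered so reviewers certify the riskiest access first."""
    users = entitlements_by_user(entitlements)
    return sorted(users, key=lambda u: (-risk_score(u, hr, entitlements, rules, weights), u))


if __name__ == "__main__":
    print("Ramesh has:", access_for("ramesh"))
    print("Orphan accounts:", orphan_accounts())
    print("SoD violations:", sod_violations())
    for u in certification_queue():
        print(f"{u}: risk {risk_score(u)}")
```

In this constructed data, the terminated developer's lingering database access ranks first in the certification queue, and the sales manager's leftover `create_vendor` entitlement combined with `approve_payment` is flagged as the SoD violation the article describes. In a real deployment the HR feed and the entitlement rows would come from connectors rather than literals, and the weights and penalties would be agreed with the Risk and Compliance function.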
