Jim Marshall shares seven areas to consider when defining your Identity Governance goals and objectives.
Where should you start with your Identity Governance project?
Perhaps the goals have already been established by your key stakeholders. Possibly it’s a compliance initiative driven by regulations such as PCI DSS, SOX, HIPAA, or GDPR. Or you know that access permissions have accumulated, and it’s time to get started enforcing best practices such as least privileges.
The outcome of any Identity Governance program should be the ability to prove that your risks are identified and managed. Here are seven areas to consider when defining your Identity Governance Goals and Objectives.
Before you continue reading, how about following us on LinkedIn?
Seven Goals for Identity Governance Success
Let’s start with two prerequisite goals that will set you up for success:
1. IAM Lifecycle
A mature Identity & Access Management (IAM) lifecycle will give you the capability to automate zero-day starts (join), changes (move), and stops (leave) for user account access.
- New users are onboarded and their accounts provisioned with proper permissions for the job role.
- Users moving to different job responsibilities have appropriate access added and unneeded access removed.
- Users that are no longer in active status (termination, on leave, retirement, other) have their accounts automatically disabled, or permissions removed as defined by security policy.
2. Linked Accounts
Linking all secondary and non-user accounts to specific owners will reduce your risk of unaccounted-for access.
- Administrative accounts are identified to their specific owner – and processed accordingly for lifecycle events. For example, these accounts are disabled when the primary user account becomes inactive.
- Service accounts must be identified and linked to a specific user/owner. Typically, this account would transition to another owner for IAM lifecycle events.
- Privileged accounts should be individually-owned and linked (as above), or governed by a Privileged Access Management (PAM) solution.
- Off-premises accounts for Cloud administration follow the same requirements.
Within Identity Governance itself, there are goals that will move you from (just) reviewing access to governing access.
3. Identification of Permissions
The names of the access permissions held by an account are generally not descriptive enough for a Reviewer to determine if the access is necessary. Effective descriptions for each permission will permit Reviewers to know what they are evaluating and make informed decisions. Note that well-defined permission descriptions also support role mining efforts.
4. Compliance-based Reviews – PCI DSS / SOX / HIPPA / GDPR / Other
If you’re holding sensitive data, you must identify the data and its permissions and specify the level of risk. There will be administrative & privileged account access to these items, and all access in any manner may form your requirement for certification reviews. Once identified, you certify the access around this specific data.
Roles are groupings of permissions to coincide with job responsibilities. This container-grouping reduces the burden of the review process and increases accuracy. Achieving Roles requires Role Modeling in which access permissions are grouped, reviewed, and approved for the specific job duties.
By using Roles, permissions granted that are outside the role are visible for scrutiny during Certification reviews. Periodic review and adjustment of all Roles are a requirement for keeping a least-privilege access model.
6. Risk-based Reviews
Risk-based Reviews are certifications performed on accounts and permissions posing a certain level of risk to the business. Taking a risk-based approach requires upfront identification of sensitive data and access and scoring its risk level. During periodic certifications, reviews are performed for the accounts exceeding a risk threshold.
- Administrator or other accounts with elevated levels of access
- Permissions to sensitive data
- Access to applications and servers holding sensitive data
- Any other factors that increase risk
An Identity Governance solution should incorporate the use of Policies to identify risk situations (Separation of Duties (SoD) or excessive access) and generate an Exception Review for the conflict. The Review process should enable the reviewer to permit the exception (with a mitigation plan) or to remove the access.
IGA projects have a reputation for being hard to complete, drawn out, and costly. These seven goals will help ensure you’re laying the proper groundwork for Identity Governance success.
This article was written by Jim Marshall, IAM specialist at Idenhaus Consulting.
Which Comes First: Identity Automation or Governance? [Webinar]
Identity Management provides a strong rules platform that will increase worker productivity while improving security. IAM is key to ensure employees are both empowered to deliver value and prevent damage to the business’s reputation, security, or bottom line. When getting started, companies will need to decide whether to begin with identity automation or identity governance first. This webinar will explore both approaches and make a case for which should come first.
Idenhaus was named one of the 10 Most Promising Identity Governance and Administration Consulting/Service Companies 2019 by CIO Review!
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us