April 15, 2012, 6:04 PM — A few years ago, the word "governance" wasn't even a part of my vocabulary. It wasn't a word that I encountered in my reading nor one that I would have used when discussing the systems I manage. Access governance, however, has jumped firmly onto technology's center stage in just the last few years and is now one of the technologies that every systems administrator should know about.
Access governance is best described as "governing who has access to what within an organization". That's a much stronger term than "access management", by the way, as "governance" implies that the control of access is driven by policy as well as procedure. And, of course, you're going to see some references to "AG" (like we really needed another acronym!), so be ready.
Access governance systems have grown in importance over the last few years due to an increased emphasis on regulatory compliance, a growing awareness of and sensitivity to insider threat, and a heightened concern for overall IT security. All types of organizations are discovering that they need much greater visibility into who can access their key resources and how.
For Unix systems administrators, access governance provides a broader level of oversight and accountability than is typically afforded to account managers. Whether Unix accounts are defined in /etc files, NIS, NIS+ or LDAP, or are authenticated via Active Directory, proper attention to access governance means that you can view all accounts from a single vantage point. When you pull together information such as who has accounts on what systems, when those accounts were last used, what the accounts enable the account holders to do, and who is responsible for approving the access provided, you have a powerful platform from which to spot vulnerable accounts and cases of excessive access -- and to determine what to do to resolve these issues. You also have a basis from which to perform effective periodic account reviews -- one of the underpinnings of good security -- and to make ongoing decisions about who should retain, lose, or be granted access.
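As an added illustration (not code from the original column), here is the kind of account review the paragraph describes, run over a constructed inventory: the host names, users, privilege strings, approver roles and the 90-day dormancy threshold are all assumed sample values, standing in for data a governance tool would gather from /etc/passwd, NIS/LDAP, lastlog and sudoers.

```python
from datetime import date

# Constructed sample inventory (not from the original article): one row per
# account per host, as a governance tool would assemble it from /etc/passwd,
# NIS/LDAP, lastlog and sudoers plus a register of who approved each account.
# Fields: host, user, last login (None = never), privileges, approver.
ACCOUNTS = [
    ("db01",  "alice", date(2012, 4, 10), {"sudo:ALL"},     "dba-lead"),
    ("db01",  "bob",   date(2011, 9, 2),  {"sudo:ALL"},     "dba-lead"),
    ("web02", "carol", date(2012, 4, 1),  set(),            None),
    ("web02", "dave",  None,              {"sudo:/sbin/*"}, "web-lead"),
    ("web02", "alice", date(2012, 3, 30), set(),            "web-lead"),
]
REVIEW_DATE = date(2012, 4, 15)   # constructed review date

def review(accounts, today, dormant_days=90):
    """Flag accounts that need attention; returns {(host, user): [reasons]}."""
    findings = {}
    for host, user, last, privs, approver in accounts:
        reasons = []
        dormant = last is None or (today - last).days > dormant_days
        if dormant:
            reasons.append("dormant")
        if dormant and privs:
            reasons.append("dormant-privileged")  # unused but still powerful
        if approver is None:
            reasons.append("no-approver")          # nobody owns this access
        if reasons:
            findings[(host, user)] = reasons
    return findings

def footprint(accounts):
    """Single vantage point: which hosts each account holder can reach."""
    hosts = {}
    for host, user, *_ in accounts:
        hosts.setdefault(user, set()).add(host)
    return hosts

def review_queue(accounts, findings):
    """Route each finding to the approver responsible for that account."""
    queue = {}
    for host, user, _, _, approver in accounts:
        if (host, user) in findings:
            owner = approver or "UNASSIGNED"
            queue.setdefault(owner, []).append((host, user, findings[(host, user)]))
    return queue

if __name__ == "__main__":
    found = review(ACCOUNTS, REVIEW_DATE)
    for owner, items in sorted(review_queue(ACCOUNTS, found).items()):
        print(owner)
        for host, user, reasons in items:
            print(f"  {user}@{host}: {', '.join(reasons)}")
```

The output is a per-approver worklist, which is the shape a periodic review takes: each responsible party sees only the accounts they are accountable for, and accounts with no approver surface under UNASSIGNED as a finding in their own right.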
Of course, access governance doesn't only apply to Unix systems. The most effective uses of this technology cover all types of access within an organization. Imagine tracking accounts on all kinds of systems -- access to applications, databases, shared file systems, data centers, wiring closets, backups, privileged passwords, network devices, and printers. The larger and more complex an organization is, the more difficult it is to grasp and then to control the big picture. The goal of access governance systems is to give you that view and that control in a way that is both reliable and relatively easy to manage.
Typically, an access governance system will allow you to review access from several different points of view. You can review accounts on particular systems or applications.