What is access governance?
A few years ago, the word "governance" wasn't even a part of my vocabulary. It wasn't a word that I encountered in my reading nor one that I would have used when discussing the systems I manage. Access governance, however, has jumped firmly onto technology's center stage in just the last few years and is now one of the technologies that every systems administrator should know about.
Access governance is best described as "governing who has access to what within an organization". That's a much stronger term than "access management", by the way, as "governance" implies that the control of access is driven by policy as well as procedure. And, of course, you're going to see some references to "AG" (like we really needed another acronym!), so be ready.
Access governance systems have grown in importance over the last few years due to an increased emphasis on regulatory compliance, a growing awareness of and sensitivity to insider threat, and a heightened concern for overall IT security. All types of organizations are discovering that they need much greater visibility into who can access their key resources and how.
For Unix systems administrators, access governance provides a broader level of oversight and accountability than is typically afforded to account managers. Whether Unix accounts are configured in /etc files, NIS, NIS+ or LDAP or they are authenticated via Active Directory, proper attention to access governance will mean that you can view all accounts from a single vantage point. When you pull together information such as who has accounts on what systems, when those accounts were last used, what the accounts enable the account holders to do, and who has responsibility for approving the access provided, you will have a powerful platform from which to spot vulnerable accounts and cases of excessive access -- and to determine what to do to resolve these issues. You also have a basis from which to perform periodic effective account reviews -- one of the underpinnings of good security -- and to make ongoing decisions about who should retain, lose, or be granted access.
Of course, access governance doesn't only apply to Unix systems. The most effective uses of this technology cover all types of access within an organization. Imagine tracking accounts on all kinds of systems -- access to applications, databases, shared file systems, data centers, wiring closets, backups, privileged passwords, network devices, and printers. The larger and more complex an organization is, the more difficult it is to grasp and then to control the big picture. The goal of access governance systems is to give you that view and that control in a way that is both reliable and relatively easy to manage.
Typically, an access governance system will allow you to review access from several different points of view. You can review accounts on particular systems or applications. You can also look at individual employees and review their access to various resources. You can schedule access reviews and then track when they are complete. In some cases, you can automate account closures and access requests, making sure these activities are approved by the proper people.
Problems that are addressed by access governance systems include privilege creep (when individuals change responsibilities, but don't shed accesses that are no longer appropriate), stale accounts (accounts that remain after their owners leave the organization), orphans (accounts that don't seem to "belong" to anyone), and shared accounts with no one answerable for their use.
Access governance systems can also be of great value during security audits as they can provide reliable evidence that access was reviewed and problems were addressed.
In the process of deploying an access governance system, one of the things you would do would be to identify your organization's most sensitive data and valuable resources. You would then deploy "collectors" of some kind to gather account data from a wide range of systems and define the reports that you would use to evaluate risk and review accounts.
Access governance -- coming soon to a network near you -- is a technology well worth deploying -- especially in large, complex organizations in which numerous groups manage systems and resources.