How identity governance solves the compliance challenges left by provisioning technology
The identity management landscape is changing. The need for stronger auditing controls is giving rise to identity governance tools that are supplanting ID provisioning solutions as the centralized management layer for identity.
Identity governance tools allow organizations to review, audit and enforce policies for fine-grained access privileges across the IT environment. Because they are less complex and easier to deploy than traditional ID provisioning solutions, identity governance solutions can deliver end-to-end visibility and control across all high-risk systems and applications – a breadth of coverage that has proved nearly impossible to date.
Looking at the genesis of provisioning technology, it's easy to see why it falls short on addressing compliance requirements: quite simply, it wasn't designed for it. Provisioning solutions were primarily designed to provide a delegated administration capability that helped automate the process of adding, modifying, and deleting user accounts for IT operations and help desk staff. Provisioning applications fail to address governance and compliance needs for three principal reasons:
• Deployment scope - The cost and complexity of implementing provisioning has typically limited its use within an organization to a portion of total applications – typically fewer than 10. In companies with dozens, hundreds or in some cases thousands of systems and applications, this limited view is not sufficient to meet enterprise-wide visibility and control requirements.
• Entitlement granularity - Most provisioning systems are only used to manage account-level access and have no visibility into the fine-grained application entitlements that true managed security is based upon. Without detailed application entitlement information, provisioning systems are unable to effectively enforce access policies, separation-of-duty (SoD) rules, or to evaluate whether a given user's privileges are appropriate to his job function.
• Technical user interface - Lastly, provisioning systems truly were designed for technical users, such as IT operations staff and system administrators. They do not provide an enabling environment for non-technical users in audit, compliance, or line of business positions, who are now responsible for proving and maintaining identity compliance.
Because of its technical limitations, many organizations that use provisioning systems still face the possibility of security breaches and failed IT audits. To effectively manage these risks, a complete, enterprise-wide view of entitlements and access privileges must be constructed to determine what actions a user can perform within a given business application environment.
Over the past three years, identity governance technology has emerged to meet the specific challenges of governance, risk management and compliance in the identity management space.
At a macro level, identity governance focuses on transforming technical identity data scattered across multiple enterprise systems into a centralized, business information repository. This provides organizations with the business insight needed to improve decision-making and reduce overall operational risk.
Identity governance technology uses a multi-dimensional data model that combines fine-grained entitlements, business policies and a core "roles and controls" model. It then overlays business process workflows and enhanced reporting, which allows organizations to analyze large quantities of identity and entitlement data.
This ability to translate technical identity data into business-relevant context is a critical advancement from old-school provisioning technology. The process makes it easy for business users to filter and interpret identity and entitlement data according to overall risk and business policies, and to more quickly and effectively demonstrate compliance for audits.
Key functional components of identity governance include:
1. Data collection - Identity governance technology leverages two primary methods of retrieving data from enterprise resources: direct, read-only connections that collect data either directly from the resource or system on which identity data is stored; and scheduled file extracts of identity data which can be loaded using a rule-based delimited file connector.
2. Data aggregation and correlation – Identity governance tools use correlation rules and data matching algorithms to create a single, logical representation of each user with his access privileges. This creates a concrete mapping of "observed accounts" to "known identities" across all systems.
3. Role management – Role management helps organizations more effectively address governance and compliance requirements by aligning access privileges to user job functions and organizational data. In this context, the role model is used as a management structure that adds business context and controls policy to the mapping between users and the lower-level entitlements, permissions and data accessible by users. Building a model is essential to effective identity governance because the model defines the "desired state" policy against which the organization can manage the "actual state" of identity.
4. Access certifications - The review and certification of user access privileges by managers and/or application owners has emerged as a key component of identity governance. Access certifications require more than the basic "re-approvals" carried out by current provisioning tools. Identity governance tools provide automated business process workflows and sophisticated change detection technology, in order to create a dynamic and highly streamlined identity controls process. True access certifications not only provide the auditor "proof of compliance," but also create an exception-based continuous controls model that vastly improves accountability and transparency.
5. Policy enforcement – By definition, governance requires policies. Identity governance means managing identity, account and entitlement data in accordance with established policies. Beyond having a role model, this also means defining and enforcing cross-enterprise business policies, such as SoD rules and compensating controls, and generally defining what should be done when certain identity data changes are detected. Identity governance takes a detective and preventive approach to enforcing identity-related security policies across all compliance-relevant applications, both inside and outside the corporate boundary.
6. Access request management – Identity governance greatly simplifies the process of requesting changes to user access privileges by making use of a centralized repository of roles and entitlements with associated business policy. This foundation enables managers and end users to conveniently request new access or make changes to existing privileges within the constraints of the pre-defined model that enforces preventive controls, while at the same time providing an efficient and more business-friendly way to promote self-service and delegated administration for the access request process.
7. Risk modeling – Identity governance solutions also enable organizations to monitor and manage the relative risk inherent in providing users access to systems and data. By applying analytics to cross-enterprise identity data, identity governance tools can pinpoint high-risk areas, such as orphan accounts, SoD policy violations, shared or service accounts and excess access privileges. This enables an organization to focus its compliance and remediation efforts strategically, rather than taking a "boil the ocean" approach inherent in non-risk based approaches.
8. Dashboards – Identity governance solutions use business-friendly dashboards to help business and executive users interpret and monitor key identity management metrics across the enterprise. Through personalized data views for business, IT and audit users, dashboards highlight trends, patterns and relationships and draw focus to areas that need immediate attention.
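The correlation, role-model and policy checks described in items 2, 3, 5 and 7 can be sketched as follows. This is an added example, not code from the article or from any vendor product; the identities, systems, entitlement names, role model and SoD rule are all constructed for illustration. Note that the SoD conflict only becomes visible once accounts from two systems are correlated to one identity.

```python
# Constructed sample data: every name, system and entitlement here is hypothetical.
HR_IDENTITIES = {  # authoritative "known identities", keyed by employee id
    "E100": {"email": "ana.ruiz@example.com", "role": "ap_clerk"},
    "E200": {"email": "ben.cole@example.com", "role": "auditor"},
}
ACCOUNTS = [  # "observed accounts" gathered read-only from each system
    {"system": "erp", "login": "aruiz", "email": "Ana.Ruiz@example.com", "entitlements": {"create_vendor"}},
    {"system": "payments", "login": "E100", "email": "", "entitlements": {"approve_payment"}},
    {"system": "ldap", "login": "E200", "email": "", "entitlements": {"read_ledger"}},
    {"system": "erp", "login": "svc_batch", "email": "", "entitlements": {"approve_payment"}},
]
ROLE_MODEL = {"ap_clerk": {"create_vendor"}, "auditor": {"read_ledger"}}  # desired state
SOD_RULES = [("create_vendor", "approve_payment")]  # pairs no single identity may hold

def correlate(account):
    """Correlation rules in priority order: login equals employee id, then email match."""
    if account["login"] in HR_IDENTITIES:
        return account["login"]
    email = account["email"].strip().lower()
    for emp_id, ident in HR_IDENTITIES.items():
        if email and email == ident["email"].lower():
            return emp_id
    return None  # no rule matched: the account has no known owner

def review(accounts):
    """Aggregate entitlements per identity, then compare actual state to policy."""
    access, orphans = {}, []
    for acct in accounts:
        emp_id = correlate(acct)
        if emp_id is None:
            orphans.append((acct["system"], acct["login"]))
        else:
            access.setdefault(emp_id, set()).update(acct["entitlements"])
    findings = {"orphans": orphans, "sod": [], "excess": {}}
    for emp_id, ents in sorted(access.items()):
        for a, b in SOD_RULES:
            if a in ents and b in ents:
                findings["sod"].append((emp_id, a, b))
        extra = ents - ROLE_MODEL[HR_IDENTITIES[emp_id]["role"]]
        if extra:
            findings["excess"][emp_id] = sorted(extra)
    return findings

if __name__ == "__main__":
    print(review(ACCOUNTS))
```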
The emergence of identity governance technologies to address 21st century security and compliance issues underscores the truth in the adage "necessity is the mother of invention." Ever stricter compliance regulations and heightened security risks require today's organizations to strengthen internal controls and provide evidence of the effectiveness of those controls across all high-risk systems and applications.
New tools and new approaches make it possible to meet these evolving requirements with greater efficiency and effectiveness, reducing the burden on business and IT users alike.
Rolls is the CTO of SailPoint Technologies, an Austin-based developer of identity governance solutions.