Public and highly regulated organizations require audits to ensure business is conducted in an appropriate manner. The audit process provides verification that everyone in the organization has the access they need and only what they need. Internal and external auditors review the organization’s best practices and requirements and ask business employees about day-to-day processes. They also question employees in IT and security roles about what steps have been taken to address cybersecurity.
In turn, organizations develop policies to fine tune the company’s guidelines, rules, and oversight. For example, one simple policy could define that all people in the organization who use computing resources must have a unique user ID. The organizational oversight of the identities and their access is where governance becomes critical. Identity Governance and Administration (IGA) focuses on giving organizations the ability to view, certify, and report on identities and their entitlements to determine that IAM practices are aligned with the goals of the business policies and rules that are in place.
Often, compliance regulations drive specific policy requirements, such as regulations for the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and the Payment Card Industry Data Security Standard (PCI DSS), just to name a few.
Unfortunately, the evolving regulatory landscape has made the audit process a nightmare for organizations that lack the right technology. If configurations are not centrally implemented and managed in one tool, ensuring policies are consistently enforced across the enterprise becomes a serious challenge. Furthermore, organizations vary widely when it comes to their governance maturity.
The first step is to evaluate where your organization's identity governance capabilities stand today. To simplify this, we’ve created an Identity Governance Maturity Model made up of four levels, much like we’ve done with other core tenets of IAM, such as multi-factor authentication, identity lifecycle management, and access management. These Maturity Models provide a pathway to assess current effectiveness, as well as insight into tangible steps to progress forward through the four levels.
We conclude our maturity model series with a two-part blog on identity governance. In this first part, we’ll discuss levels 1 and 2 before we take a deeper dive on the Governance Maturity Model in our on-demand webinar.
What Are Entitlements?
In order to define Level 1 of the Governance Maturity Model, we first need to understand entitlements. Access granted to an application is known as an entitlement, and for each system you can access, there is an individual entitlement associated with it. For example, access to the email system is a mailbox entitlement, and that entitlement is retained as long as the user still holds the applicable role or position.
In order to achieve Level 1 of the Governance Maturity Model, an organization must maintain an entitlement repository that represents end user access. The entitlement repository is a recording or inventory of the different groupings of access within the organization and acts as the authoritative source for access across the ecosystem.
Without governance, or Level 0 on the maturity model, all entitlement-related processes would be manual, as there is no system keeping track of entitlements. For example, if an employee needs administrative access to an application, such as Salesforce, it would have to be manually granted.
However, when done manually, such entitlements are rarely tracked beyond that. So, if the employee moves to a new team six months later, they would still have Salesforce administrative access, unless someone remembers to manually go into Salesforce and change it. Not only is this a major security risk, it also becomes a problem when auditors come in and ask who has access to which applications and systems.
Level 1: Entitlement Repository Maintained
Periodically, we must validate whether or not entitlements still hold true: that a user still holds his or her position and still requires the entitlement. This entitlement review process is known as certification of access, and it gives entitlements an audit trail and specific oversight into continued access. At Level 1, organizations review granted entitlements on at least an annual basis. That being said, some auditors require a more frequent basis, such as twice a year or even once per quarter.
Organizations in Level 1 run campaign-based entitlement certifications that establish periodic validation for how long access should be granted, as well as when access needs to be removed for exceptional handling.
For example, if entitlement access is granted for three months, at the three-month mark we need to check and ask, “Does the user still need access? Does the entitlement still hold true?” This ensures that only designated users have access to applications, and we know who has that access at all times.
Another benefit of having a governance solution that allows for certification of access is that the defined policies around entitlements can provide for revocation of the entitlement if the certification window has expired and no action has been taken. Furthermore, when a contact leaves the organization, rules can be put in place to ensure their access is automatically revoked.
Organizations in Level 1 also have reporting capabilities for events that form audit trails of entitlement associations. While some organizations use spreadsheets to track access and perform manual access certifications, the spreadsheet only provides a visual and system changes must be done manually.
Level 2: Entitlement Repository Reconciliation
Organizations in Level 2 of the Governance Maturity Model reconcile the entitlement repository against data imported from systems. These entitlement reconciliations are scheduled periodically against an offline snapshot from systems. This process is similar to comparing your bank statements to your check register and making sure the amounts match up.
When reconciling entitlements, the system first takes the entitlement repository and all the associations and then lists the entitlements per person. Next, the system goes to each application or company resource to verify if the user actually has the entitlement. This reconciliation process provides business owners insight, but the reconciliation is limited to what is in the entitlement repository as a baseline, and outside of that, a comparison cannot be performed.
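The reconciliation described above, as an added example that is not code from the original post: the entitlement repository is the baseline, an offline snapshot exported from each application is compared against it per identity, and access held by identities unknown to the repository is reported separately because it has no baseline to reconcile against. All records, application names and entitlement names are constructed.

```python
# Added example (not code from the original post): minimal entitlement
# reconciliation of the repository against an offline snapshot from each
# application. All data below is constructed for illustration.
from collections import defaultdict

# Entitlement repository: the authoritative baseline of (user, app, entitlement).
REPOSITORY = {
    ("alice", "crm", "admin"),
    ("alice", "mail", "mailbox"),
    ("bob", "crm", "user"),
    ("bob", "mail", "mailbox"),
}

# Offline snapshot pulled from each system: app -> {user: set(entitlements)}.
SNAPSHOT = {
    "crm": {"alice": {"admin"}, "bob": {"user", "admin"}, "carol": {"user"}},
    "mail": {"alice": {"mailbox"}},
}

def reconcile(repository, snapshot):
    """Return findings keyed by type. Only identities present in the
    repository are compared; access held by unknown identities is listed
    separately because, without a baseline, it cannot be reconciled."""
    expected = defaultdict(set)
    for user, app, ent in repository:
        expected[(user, app)].add(ent)
    findings = {"missing_in_system": [], "excess_in_system": [], "unknown_identity": []}
    known_users = {user for user, _, _ in repository}
    apps = set(snapshot) | {app for _, app, _ in repository}
    for app in sorted(apps):
        actual = snapshot.get(app, {})
        for user in sorted(known_users | set(actual)):
            if user not in known_users:
                findings["unknown_identity"].append((user, app, tuple(sorted(actual[user]))))
                continue
            have = actual.get(user, set())
            want = expected.get((user, app), set())
            for ent in sorted(want - have):      # repository says yes, system says no
                findings["missing_in_system"].append((user, app, ent))
            for ent in sorted(have - want):      # system grants more than the baseline
                findings["excess_in_system"].append((user, app, ent))
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(REPOSITORY, SNAPSHOT).items():
        print(kind, items)
```

Excess access for a known identity (bob's leftover admin entitlement in the snapshot) is the case the text's "moved to a new team six months ago" scenario produces; the unknown identity is reported but not reconciled.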
While organizations in Level 1 can only run campaign-based certifications for entitlement policies, organizations in Level 2 also have the ability to do time-based certifications. Let’s dive deeper into each of these certifications types.
Campaign-based certifications typically occur once a year as part of a campaign. For example, if a 30-day entitlement campaign starts on December 1st, that means all access across the company’s ecosystem must be reviewed by the business owners on December 30th. This can be daunting for the IT team because there is only a short time-frame for large volumes of applications and access to be reviewed.
Time-based certifications, also known as continuous or rolling access certifications, are based on the time period when the entitlement was actually granted. This type of certification is more granular than campaign-based certifications because certifications can be staggered. This is advantageous for companies because applications don’t all have to be reviewed during the same timeframe. This takes the pressure off the IT department, as it allows them to review smaller quantities of entitlements on an ongoing basis, rather than large volumes all at once.
The more privileged and critical the entitlement, the tighter the time-frame for certification should be. For administrator access, we recommend you set the campaign for no more than two hours. At Identity Automation, we even have specific, highly privileged resources that no particular user in the organization can constantly access. Rather, approvals must be requested, and once granted, the entitlement only holds true for a short time-frame. Once that timeframe expires, the user has to request access again, making it a highly secure process.
On the other hand, some entitlements, such as email for example, are perpetual as part of having an identity in the organization. These entitlements do not require certification of access and are typically revoked only during the offboarding of the identity.
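The time-based certification cycle from the last three paragraphs, together with the expired-window revocation rule from Level 1, as an added example that is not code from the original post. The policy tiers, cycle lengths, review windows and entitlement records are all constructed assumptions; the point is that each entitlement's clock runs from its own grant or last certification date, privileged tiers get tighter cycles, and perpetual entitlements are exempt.

```python
# Added example (not code from the original post): time-based (rolling)
# certification with automatic revocation when the review window expires
# with no decision. Policy values and records below are constructed.
from datetime import date, timedelta

# Assumed policy per tier: re-certify every cycle_days, and give reviewers
# window_days to act before the entitlement is revoked. Perpetual
# entitlements (e.g. a mailbox) are exempt and end only at offboarding.
POLICY = {
    "privileged": (30, 1),   # (cycle_days, window_days)
    "standard": (90, 14),
    "perpetual": None,
}

# (user, app, entitlement, tier, date granted) -- constructed records
ENTITLEMENTS = [
    ("alice", "crm", "admin", "privileged", date(2024, 1, 1)),
    ("bob", "crm", "user", "standard", date(2023, 12, 15)),
    ("carol", "hr", "viewer", "standard", date(2023, 12, 28)),
    ("dave", "mail", "mailbox", "perpetual", date(2022, 6, 1)),
]

# Most recent certification decision per entitlement (constructed).
CERTIFIED = {("alice", "crm", "admin"): date(2024, 3, 10)}

def evaluate(entitlements, certified, today):
    """Return {(user, app, entitlement): (action, due_date)} with action
    'exempt', 'ok', 'due' (review open) or 'revoke' (window expired)."""
    result = {}
    for user, app, name, tier, granted in entitlements:
        key = (user, app, name)
        if POLICY[tier] is None:
            result[key] = ("exempt", None)
            continue
        cycle_days, window_days = POLICY[tier]
        # The clock runs from the grant date or the last certification, so
        # reviews are staggered instead of all landing in one campaign.
        due = certified.get(key, granted) + timedelta(days=cycle_days)
        deadline = due + timedelta(days=window_days)
        if today < due:
            action = "ok"
        elif today <= deadline:
            action = "due"
        else:
            action = "revoke"
        result[key] = (action, due)
    return result
```

Running `evaluate(ENTITLEMENTS, CERTIFIED, date(2024, 4, 1))` yields one entitlement still within its cycle, one with an open review, one revoked because nobody acted inside the window, and one exempt.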
Where Does Your Organization Stand on the Governance Maturity Model?
Streamlined IGA ensures proper identity and access controls are maintained and updated as business processes, data classifications, and personnel change. In Level 1 of the Governance Maturity Model, an organization simply maintains an entitlement repository, while in Level 2, the entitlement repository is reconciled.
When you move into the more mature and sophisticated Levels 3 and 4, intelligence is applied: the system starts to learn patterns from how access is granted. Over time, the system can look at the behavior of the individuals certifying access for the entitlements and, using the contextual information of the identity, predict whether or not the access should be certified in the future.
Curious to know what level your organization is on the Governance Maturity Model and the steps you can take to increase that maturity?
Watch the final webinar in our IAM Maturity Model series, Advancing Your Identity Management Strategy with the IAM Maturity Model, Part 7 - Governance. In this on-demand webinar, our founder and IAM expert, Troy Moreland, will discuss the progression from a basic governance strategy, all the way to an intelligent strategy that provides AI decision scoring.
Watch this webinar to gain actionable steps and insights into how you can take your governance strategy to the next level.