
GDS International - Next - Generation - Security - Summit - US - 11


A Phased Approach to Achieving Access Governance



Aveksa Insights Series

Automating Access Governance

Access Governance Overview


Aveksa Insights: Access Governance Overview

Welcome to Aveksa Insights. This series of documents is intended to provide a comprehensive guide to Access Governance, in a manageable and easily-digestible format. The topics are divided as shown below, with an overview section, and four phases. The topic for this document is highlighted.

About This Document

This document provides an overview of Access Governance, introducing the concept, the business drivers, and the associated challenges. It also explains a four-phase approach to achieving Access Governance, and explores the capabilities that are required in each phase.

[Series map: Access Governance, divided into Visibility & Certification, Policy Management, Role Management and Request Management; this document is the Access Governance overview.]

Revised November 2011


Contents

Introduction
    The operational imperatives vs. security, compliance and risk
    The complexities of access management & governance – silos, scale and change
    Enabling the business – the lines-of-business have the context
    Using business abstractions to manage complexity – roles and policies
    Business processes for Access Governance & Management
The Journey – A Phased Approach
    Phase 1: Visibility & Certification
    Phase 2: Policy Management
    Phase 3: Role Management
    Phase 4: Request Management
Conclusion


Introduction

The operational imperatives vs. security, compliance and risk

Since every facet of a business is dependent on information technology, organizations must provide information resource access to an ever increasing number of employees, consultants, partners and customers. The pace of business dictates that these users must get access quickly. Business users need access to do their jobs effectively, and running into delays translates into a loss in productivity.

And yet, giving users access to enterprise applications and data can carry significant risks: security risks such as the risk of fraud and the risk of intellectual property being stolen, or regulatory risks such as the risk of being fined for being out of compliance with HIPAA or SOX or PCI. These security and regulatory risks translate into business risk since the potential impact of an incident could cause grievous harm to an enterprise’s brand, revenue or profitability.

The challenge facing most security teams, therefore, is to provide line-of-business (LOB) users with the access they need while ensuring that the access is appropriate and does not expose the enterprise to unnecessary business risk. Carefully choosing and deploying an enterprise access governance platform is the best way for security teams to balance the requirements for fast, flexible access delivery with the need to manage, and mitigate access related business risk.

The complexities of access management & governance – silos, scale and change

There are several issues that make access governance a complex endeavor in most organizations.

First, the last few decades have seen application infrastructure and applications evolve into security silos. While many applications leverage external directories (such as Microsoft Active Directory) as user account repositories, thus externalizing authentication and sign-on, they continue to use their own entitlement store and authorization model which makes the process of getting a single view of “who has access to what” difficult.

The second key issue contributing to complexity is that of scale. An organization with 10,000 users may have as many as 10 million user-entitlements. That’s a lot of user entitlements for a security team to track! What makes the scale issue even harder to deal with is the pace of change; changes, whether they are related to joiners, movers or leavers in the organization, mergers, acquisitions or reorganizations, or the on-boarding of applications or new compliance policies, have an impact on what’s appropriate and what’s not. So a dynamic environment leads to an ever-changing risk posture, unless there’s a way to proactively manage changes and the risks that accompany them.

The emergence of cloud computing is leading to even more complexity, with a new silo for every new cloud service provider. There is also a new dimension to scale, since privileged access by an unknown community of service provider administrators becomes a requirement, and the pace of change is quicker since LOBs are asking for and obtaining new services on demand. All of this introduces even greater risk, and can make an enterprise’s risk posture even more uncertain.

Enabling the business – the lines-of-business have the context

Providing LOB users with the access they need, efficiently dealing with access management and all of its complexities, and also managing business risk is a responsibility that traditionally has fallen on the security team in an organization. The leader of this team, a CIO, CISO, VP of Security or Director of Security, shoulders this burden despite the fact that IT security teams and operations teams have very little of the context needed for enterprise-wide access management. Most of this context lies within the LOBs in an organization; supervisors and other business managers understand what functional responsibilities people have, and business owners of specific applications or data resources understand how their applications are used and what policies are appropriate for them. Context relating to policy requirements lies either with risk, audit and compliance teams or with LOB managers. And yet, it is indeed IT security’s job to “get access management done”!


That leads one to the inescapable conclusion that the only way IT security can deliver on its own job responsibilities is to enable the LOBs to do what they are uniquely qualified to do; what’s needed is a way to get audit, risk and compliance team to drive access-related policy requirements as they understand them, and for IT to translate those requirements into a set of operational activities that are, for the most part, fulfilled by LOB decisions.

Using business abstractions to manage complexity – roles and policies

Shifting access management to the business, as described above, contains a number of people, process and technology challenges. Getting the LOBs to take ownership of their users, their assets and associated entitlements, and to become accountable for related tasks, can only happen if IT transforms the cryptic jargon of application and infrastructure entitlements into a business view of access and provides the LOBs with a simple, intuitive user experience for making access management decisions. One way to simplify the user experience is to map granular entitlements into higher level abstractions called roles that represent sets of entitlements; roles are abstractions that can simplify the business view of access, making it easier for business users to ask for access or validate access.

Further, given the pace of change in an organization, expecting the business to stay up-to-date continuously with entitlement validation is destined to fail. What’s needed is a way to capture business context about what’s appropriate so that the context can be applied to make automated access decisions. That leads one to the concept of access policies such as segregation-of-duty policies; once a policy has been instantiated, it’s applied automatically and if a policy violation is triggered, it’s dealt with automatically, often without any involvement from a business user.

Business processes for Access Governance & Management

As we have seen, organizations have to achieve both the delivery of access to the business, as well as access risk management. Enabling the business (which ultimately has the context to make access decisions) is critical, but IT needs to make it easy for the LOBs to take ownership and become accountable. Audit, risk and compliance must be engaged as well, driving requirements, measuring results and testing controls. That leads us to the concept of establishing business processes within the organization with the involvement of LOBs, IT Security and Operations, Audit, Risk and Compliance teams, as illustrated in Figure 1. Access governance platforms enable organizations to take on the challenge of creating these business processes, simplifying management by making the business view of access role-based, automating access decisions based on policies and building proactive access compliance into the fabric of the organization.

Figure 1: Business processes for LOBs, IT Security, Audit, Risk & Compliance

[Diagram labels: IT Security; Lines of Business; Audit, Risk & Compliance; Business Processes; Enable the Business: Ownership & Accountability; Ensure Compliance & Manage Risk]


The Journey – A Phased Approach

The business process automation approach to access governance clearly has tremendous potential. But how do organizations put it into practice? Where do they start? How do they combine people, process and technology to chart a course for access governance nirvana?

The answer to these questions lies in a phased strategy that delivers step-by-step results. It starts with getting visibility into the reality of access within the enterprise and establishing business ownership and accountability – it then shifts to developing higher level business abstractions to provide simplification and automation - and ends with creating a business self-service and access change management process that delivers both operational efficiency and built-in security and compliance policy management.

Fig 2 below illustrates this roadmap and outlines the capabilities required at each stage of this access governance journey.

Figure 2: Access Governance Roadmap

Phase 1: Visibility & Certification

Having an accurate picture of the access reality of an organization is central to a sound access governance strategy. In the first phase, therefore, an organization should focus on two key capabilities.

First, organizations need to be able to deploy systems that automatically capture the reality of user access: collecting access (entitlement) data, cleaning up the captured data, and obtaining a single unified and normalized view of that reality. This process delivers data cleanup, access visibility and full transparency.

Second, organizations need to be able to transform the technical view of access into a business view of access, so that LOB managers become accountable for reviewing who has access to what, and to enable automated access certifications by the LOBs. Access certifications (reviews) are a critical compliance control for most organizations, and implementing an automated certification process is an excellent way to begin to shift ownership of access decisions to the business.
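The two Phase 1 capabilities just described, as an added example (not Aveksa's collectors or data formats): entitlement data is collected from two constructed silo exports, normalized into one "who has access to what" view, and then grouped by manager into the business view a certification needs. The export formats, account names and HR data are all constructed for the illustration.

```python
"""Phase 1 as an added example: collect entitlement data from two constructed
application silos, normalize it into one "who has access to what" view, and group
that view by manager for an access certification. Constructed data and formats."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed directory export: one row per group membership, DN quoted for CSV.
DIRECTORY_EXPORT = """\
group,member
"CN=Finance-AP,OU=Groups,DC=example,DC=com",jdoe
"CN=Finance-AP,OU=Groups,DC=example,DC=com",asmith
"CN=Finance-AP,OU=Groups,DC=example,DC=com",svc_old
"CN=Sales-Readers,OU=Groups,DC=example,DC=com",jdoe
"""

# Constructed ERP export with the application's own entitlement vocabulary.
ERP_EXPORT = """\
login,permission
JDOE,AP_INVOICE_APPROVE
ASMITH,AP_VENDOR_CREATE
"""

# Constructed HR identity data: account -> person and the manager who will certify.
IDENTITIES = {
    "jdoe": {"name": "Jane Doe", "manager": "mgr.finance"},
    "asmith": {"name": "Al Smith", "manager": "mgr.finance"},
}

def collect_directory(text):
    """Yield (account, application, entitlement) triples from the directory export,
    keeping only the group's common name: the full DN is silo jargon to the business."""
    for row in csv.DictReader(StringIO(text)):
        cn = row["group"].split(",", 1)[0].split("=", 1)[1]
        yield row["member"].lower(), "Directory", cn

def collect_erp(text):
    """Same triple shape for the ERP silo; logins are lower-cased to match HR accounts."""
    for row in csv.DictReader(StringIO(text)):
        yield row["login"].lower(), "ERP", row["permission"]

def normalize(*collectors):
    """Unified, de-duplicated view: account -> set of (application, entitlement)."""
    view = defaultdict(set)
    for collector in collectors:
        for account, app, ent in collector:
            view[account].add((app, ent))
    return dict(view)

def certification_view(view, identities):
    """Group the unified view by manager so each reviewer only sees their own people.
    Accounts with no HR identity are reported as orphans: a typical cleanup finding."""
    by_manager, orphans = defaultdict(list), []
    for account, ents in sorted(view.items()):
        ident = identities.get(account)
        if ident is None:
            orphans.append(account)
            continue
        for app, ent in sorted(ents):
            by_manager[ident["manager"]].append((ident["name"], app, ent))
    return dict(by_manager), orphans

UNIFIED = normalize(collect_directory(DIRECTORY_EXPORT), collect_erp(ERP_EXPORT))
```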

[Figure 2 diagram, left to right along a Maturity axis: Visibility & Certification (Entitlement Collection; Entitlement Normalization; Certification); Policy Automation (Segregation of Duties; Joiners, Movers, and Leavers); Role Management (Role Discovery and Definition; Role Lifecycle Management); Request Management (Access Request Portal; Policy-Based Change Management)]


Phase 2: Policy Management

While automated access certifications enable an organization to ensure that every important entitlement is examined by a responsible person, the decision-making process is a manual one. The second phase in our access governance roadmap is about capturing decision-making context and logic into a set of policies that are defined in terms of business rules, so that an access governance platform can automate much of the decision-making. When the rules trigger, one or more actions may be taken automatically. Organizations typically require the ability to define policies to detect and respond to Segregation-of-Duties (SOD) violations, as well as to handle the events that occur when an employee joins the organization, moves around within it, or leaves the organization (Joiner-Mover-Leaver rules).

Often, these rules are used to initiate a workflow process. For example, when a business rule designed to detect a new employee is triggered, a multi-step joiner process can be started for the employee in question, to ensure that the new employee has appropriate access rights.

Note that SOD rules can be leveraged in both a detective mode as well as a preventive mode. When these rules are applied to existing user-entitlements assignments, they can automatically detect existing policy violations – when they are applied prior to assigning an entitlement to a user, they can prevent policy violations from occurring.

In this access governance phase, organizations usually establish a process for defining and maintaining rules, evaluating rules against entitlements, triaging the resulting violations, and establishing robust Joiner-Mover-Leaver business processes.

Phase 3: Role Management

The next phase of the access governance journey tackles roles, abstractions that have a huge potential to deliver simplification, but can be somewhat harder to define and maintain. Roles, as defined earlier in this document, are coarse-grained entitlements that provide a bridge between users and entitlements, in order to achieve simplification. Well-defined roles serve as a vocabulary of access; a vocabulary accepted by both business and IT. With roles in place, a pre-approved framework of access ensures that managers assigning access, approving access or reviewing access rarely deal with granular entitlements; they work at a more abstract level, thus reducing the number of interactions between people and software. That’s how roles deliver the desired simplification and efficiency.

The burden of user access provisioning can be greatly reduced by factoring roles into the provisioning equation. This requires that role membership for some roles be described using rules that are easily evaluated against the collected identity populations. Not all roles need membership rules, but bringing context about joiners, movers and leavers into the role management process can yield roles that help automate access provisioning and de-provisioning and simplify JML processes.

Thus, roles help an organization do one or both of the following:

1. Give users access in an efficient way – which simplifies access provisioning

2. Help review, validate or test user access in an efficient way – which simplifies compliance and risk management.

There are two key challenges with roles – first, defining them so that they deliver optimum value in terms of efficiency and simplification as described above and second, maintaining them to ensure that they continue to provide that business value despite all the changes occurring in the organization.
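The rule-based role membership described in Phase 3, as an added example (not Aveksa's role model): a role bundles granular entitlements, a membership rule is evaluated against a constructed HR population, and the difference between current and computed membership becomes grant and revoke actions for a joiner, a mover and a leaver. Role names, entitlement strings and HR attributes are constructed for the illustration.

```python
"""Phase 3 as an added example: a role bundles granular entitlements, and a role
whose membership is a rule over HR attributes can drive provisioning and
de-provisioning as people join, move or leave. Constructed data and rule format."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Role:
    name: str
    entitlements: frozenset                                   # granular entitlements it grants
    membership_rule: Optional[Callable[[dict], bool]] = None  # None: assigned manually

# Constructed roles: "AP Clerk" is rule-based, "Auditor" is assigned by hand.
ROLES = [
    Role("AP Clerk", frozenset({"ERP:AP_INVOICE_ENTER", "Directory:Finance-AP"}),
         lambda p: p["status"] == "active" and p["department"] == "Finance"),
    Role("Auditor", frozenset({"ERP:GL_VIEW"})),
]

# Constructed HR feed (the identity population) and today's role memberships.
PEOPLE = {
    "jdoe": {"status": "active", "department": "Finance"},       # joiner to Finance
    "asmith": {"status": "active", "department": "Sales"},       # mover who left Finance
    "bwong": {"status": "terminated", "department": "Finance"},  # leaver
}
CURRENT_MEMBERSHIP = {"AP Clerk": {"asmith", "bwong"}, "Auditor": {"jdoe"}}

def evaluate_membership(roles, people, current):
    """Apply each rule-based role to the population; manual roles keep their members."""
    computed = {}
    for role in roles:
        if role.membership_rule is None:
            computed[role.name] = set(current.get(role.name, set()))
        else:
            computed[role.name] = {u for u, a in people.items() if role.membership_rule(a)}
    return computed

def provisioning_actions(roles, current, computed):
    """Diff current and computed membership into per-entitlement grant/revoke actions,
    which is what turns JML handling into automation rather than a manual ticket queue."""
    by_name = {r.name: r for r in roles}
    actions = []
    for name, target in computed.items():
        now = current.get(name, set())
        for user in sorted(target - now):
            actions += [("grant", user, e) for e in sorted(by_name[name].entitlements)]
        for user in sorted(now - target):
            actions += [("revoke", user, e) for e in sorted(by_name[name].entitlements)]
    return actions

def effective_entitlements(roles, computed, user):
    """Expand a user's roles back into the granular entitlements they will hold."""
    return set().union(*(r.entitlements for r in roles if user in computed.get(r.name, ())))
```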


Phase 4: Request Management

An organization that has worked through the first three phases of the access governance roadmap has established both a business view of access and the abstractions to simplify and automate access management. The fourth and last phase of the access governance roadmap leverages this business view and these abstractions to provide a self-service access request front-end for the business and an auditable, policy-compliant change management engine for IT on the back end. In this phase, an access change management process is put in place so that LOBs are fully enabled to invoke access requests without any knowledge of the infrastructure and details involved in servicing the requests.

Further, policy-based compliance is embedded into the end-to-end change management process and the organization’s stance shifts from detective compliance to proactive compliance since access policies can be checked and enforced before access is granted.
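The detective and preventive use of one SOD rule from Phase 2, and the Phase 4 point that a policy can be checked before access is granted, as an added example (not Aveksa's policy engine or rule format): the same rule is run over existing assignments to list violations for triage, and then against a simulated grant so a request that would create a violation is refused before fulfilment. Rule, entitlement names and assignments are constructed for the illustration.

```python
"""Phase 2 and Phase 4 as an added example: one segregation-of-duties (SOD) rule
evaluated in detective mode (scan existing user-entitlement assignments) and in
preventive mode (check a request before the entitlement is granted).
Constructed sample data and rule format; not Aveksa's policy engine."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SodRule:
    name: str
    left: frozenset   # entitlements in the first conflicting set
    right: frozenset  # entitlements in the second conflicting set

    def conflicts(self, entitlements):
        """A user violates the rule when they hold something from both sets."""
        held_left = self.left & entitlements
        held_right = self.right & entitlements
        if held_left and held_right:
            return sorted(held_left), sorted(held_right)
        return None

# Constructed rule: nobody should both create vendors and approve invoices.
RULES = [
    SodRule("AP vendor/invoice", frozenset({"ERP:AP_VENDOR_CREATE"}),
            frozenset({"ERP:AP_INVOICE_APPROVE"})),
]

# Constructed normalized assignments, i.e. the output of Phase 1 collection.
ASSIGNMENTS = {
    "jdoe": {"ERP:AP_INVOICE_APPROVE", "Directory:Finance-AP"},
    "asmith": {"ERP:AP_VENDOR_CREATE", "ERP:AP_INVOICE_APPROVE"},
}

def detect_violations(assignments, rules):
    """Detective mode: list (user, rule) pairs already in violation, for triage."""
    found = []
    for user, ents in sorted(assignments.items()):
        for rule in rules:
            if rule.conflicts(ents):
                found.append((user, rule.name))
    return found

def check_request(user, requested, assignments, rules):
    """Preventive mode (Phase 4): simulate the grant and return the rules it would
    violate; an empty list means the request may proceed to fulfilment."""
    simulated = assignments.get(user, set()) | {requested}
    return [rule.name for rule in rules if rule.conflicts(simulated)]

def fulfil_request(user, requested, assignments, rules):
    """Change the assignment only when the policy check passes; return an audit record."""
    blocked_by = check_request(user, requested, assignments, rules)
    if blocked_by:
        return {"user": user, "entitlement": requested, "granted": False, "violations": blocked_by}
    assignments.setdefault(user, set()).add(requested)
    return {"user": user, "entitlement": requested, "granted": True, "violations": []}
```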

Conclusion

The four-phase roadmap discussed here is being used by organizations worldwide to make access governance operational. The approach has been leveraged with great success in multiple industry verticals, and has consistently delivered concrete business value.

Thanks for reading this Insights overview of Access Governance. Additional documents in the Aveksa Insights series will provide further information on the four-phase pathway.


Automating Access Governance

265 Winter Street | Waltham, MA 02451 | 781.487.7700 | www.aveksa.com

© 2011 Aveksa Inc. All rights reserved. Aveksa, Aveksa product names, and the Aveksa logo are registered trademarks of Aveksa Inc. All other company and product names may be the subject of intellectual property rights reserved by third parties.

ABOUT AVEKSA

Aveksa provides the most comprehensive, enterprise-class, access governance, risk management and compliance solution. Aveksa automates the on-boarding, change management, monitoring, reporting, certification and remediation of user entitlements and roles; enables role discovery and lifecycle management; and delivers unmatched visibility into the true state of user access rights. With Aveksa, business, security and compliance teams can effectively collaborate and enforce accountability. Our growing customer base includes leading Global 2000 organizations in financial services, healthcare, retail, energy/utility, transportation and manufacturing. For more information, go to www.aveksa.com.

ABOUT THE AVEKSA ACCESS GOVERNANCE PLATFORM

The Aveksa Access Governance Platform is the industry’s first comprehensive solution for access governance, risk and compliance management which delivers unmatched visibility into the true state of user access rights. The Access Governance Platform is comprised of Aveksa Compliance Manager, which automates the monitoring, reporting, certification and remediation of user entitlements; Aveksa Role Manager, which enables role discovery, modeling and maintenance; and Aveksa Access Request and Change Manager, which combines a business-centric interface and an automated, streamlined request process with policy controls to ensure that access is always appropriate.