Data Driven Identity Governance

Identity Governance and Administration (IGA) prevents data breaches and expensive lawsuits.

Orphan Accounts, and low visibility on Legitimate Accounts, are definite threats to an organization, that when left unchecked can pose serious threat to otherwise secure technology stacks. Firewalls DO NOT make an organization immune to insider threat.

While having processes around Identities tightly linked to a user’s journey is extremely important, a 360° view of it at every turn based on data relationships is imperative.

Integration with an Identity System​

User Data may exist in Multiple Systems before it lands in your Identity Governance and Administration (IGA) System.

 

– A Solid IGA tool should be able to pool context data from Multiple Sources of Truth

– With multiple sources, an IGA system must be able to combine all the data into a single, unified profile for downstream usage

 

Regardless of your source, Workday, Oracle, Peoplesoft, ADP, or even a homegrown HR solution, any IGA system we recommend takes into account transferring data through Reports, REST APIs, SOAP APIs, or via custom data transfer utilities based on your source of User data.

Creating an Identity Repository​

An Identity lives in multiple places, but its inception usually occurs in an HR system. Pulling that data down from ANY source into a system that can be used to transmit data based on rules and roles, while keeping a bulletproof record of that data, is integral to corporate security and audit-readiness.

The first step in building complete Corporate Identities is to locate where all the context data about a person who works at your organization exist. This includes:

– First, Middle, Last Names

– Job Family (Accounting, Finance, etc)

– Job Role (Finance Analyst 1, Accounts Payable Associate 1, etc)

– Seat/Position (This is a rare distinction of users that is extremely valuable. Certain job roles have strictly defined duties based on their role, but even further are the individual seats in the headcount that have specific duties based on the position type, which is more context for an Identity).

We also recommend consolidating multi-system data into one HR system that Identities can be pulled from in entirety, as this leaves a clean audit trail and is easier to support, versus working with multiple systems and teams to resolve Identity issues.

An Identity Governance system must be Data Agnostic when it comes to sourcing data from different places.

Role/Attribute-Based Access Control (RBAC/ABAC)​

Based on the context data from an HR system, we can use a strong IGA system to assign additional context to a profile that dictates some type of access downstream in an application or service.

These are known as Attributes, and a clubbing of attributes that define access in one or multiple systems are called Roles, or Enterprise Roles.

Access Requests and Self-Service

Gone are the days where an email to your Admin for access to a system is an acceptable way to keep track of access and requests. Today, we preach integrating with ITSM for Access Requests, and automating that process to run in tandem with your IGA system. This allows for functionalities like:

Self-Service Requests for Access: Users should be able to use the same ticketing software for helpdesk calls for Access Requests. We integrate our IGA solutions with existing Ticketing and Helpdesk Software to provide and automate that fulfillment and approval process in the same breath.

Access Approval Flows: With an Access Request in the queue, rules based on the type of access requested kick in. A solid IGA system should be built to kick of Approval processes from necessary parties, like managers and directors, automatically once the request is in, or automatically grant access if a user meets predefined criteria.

Attestation and Access Reviews: It is important to periodically attest user access across your environment. This is how you prevent privilege creep, and thereby prevent costly mistakes from user access to resources irrelevant to an associate’s job function. This process can be delegated to user managers, team leads, and more based on your organization’s structure and can be set up and administered through an IGA system.

Threat Scoring and Artificial Intelligence: By assigning threat scores to different roles, attributes, and other privilege types, an IGA system can keep a record of a user identity and its threat potential to your organization. In addition to pre-configured actions for attesting accounts with high threat or for removing access for those accounts once a threshold is reached, AI allows for the system to learn and suggest actions that the system should take to mitigate the threat based on past actions and data. A Modern IGA system thinks for itself and provides feedback to its administrator(s).

Governance and Administration

“If you can’t explain it simply, you don’t understand it well enough.” That’s old wisdom from Einstein that holds true to this day. A well-built Identity Governance Platform and Program make answering questions about user identities simple, and easy to understand through audit trails and process flows.

Auditability and Tracking: Audits in Corporate environments are as guaranteed as the Sun coming up tomorrow. Having a 360° view of Identity isn’t just a slogan, it’s a process, and one that can be bolstered by a strong IGA system ingrained in the foundation of access control at your Organization. If you don’t know where an identity has been since its inception at the click of a button, you need to re-evaluate how you do Governance.

Attestation and Access Reviews: It is important to periodically attest user access across your environment. This is how you prevent privilege creep, and thereby prevent costly mistakes from user access to resources irrelevant to an associate’s job function. This process can be delegated to user managers, team leads, and more based on your organization’s structure and can be set up and administered through an IGA system.

Threat Scoring and Artificial Intelligence: By assigning threat scores to different roles, attributes, and other privilege types, an IGA system can keep a record of a user identity and its threat potential to your organization. In addition to pre-configured actions for attesting accounts with high threat/ for removing access for those accounts once a threshold is reached, AI allows for the system to learn and suggest actions that the system should take to mitigate the threat based on past actions and data. A Modern IGA system thinks for itself and provides feedback to its administrator.

Process, Process, Process

This is the most integral part of any Identity System. Having full visibility of an Identity means understanding and documenting every aspect of its lifecycle. From Day 1 to Day 0, an Identity goes through stages like:

– Initial Hire
– Promotion/Demotion
– Horizontal Moves to different business units
– Collaboration Periods(Roles for cross-team collaboration)
– Voluntary and Involuntary Terminations
Architecting a solution for bulletproof Identity Management begins with understanding the user journey of all the different types of users in your organization, and automating as much of that process as is feasible while auditing the manual aspects of that process.

©RAAH Technologies 2022. All Rights Reserved.