Rethinking identity management

23 September 2016

View Simon Borwick’s profile on LinkedIn  

For the past 20 years, enterprise identity management has focused on automating the joiner-mover-leaver process (provisioning), driven primarily by the need to demonstrate operational efficiency. Very little attention has been paid to compliance and risk, as they have traditionally been far more difficult to quantify in financial terms. Whatever compliance and risk work was done was delivered as an extension of the original provisioning work, with the same application scope. Because of the complexity and cost of implementing a provisioning solution, the applications brought under management were only a tiny proportion of the overall application estate.

In parallel with this, compliance and risk were growing in importance within organisations as regulators strengthened existing regulations and introduced new ones. Organisations were being asked to define and implement access control policies across a vast and ever-expanding application estate. Many of these access control policies had their roots in COBIT and Sarbanes-Oxley. When we asked our clients whether they were confident that their access control policies were actually being enforced and monitored, they said that they did not have the level of confidence they would like.

Therefore the question that needed to be asked was “is the way we approach identity projects beneficial to our clients?” The conclusion that we came to was that we were starting at the wrong end, that we should get the application estate under control before considering automation of any of the controls. As we developed this idea further we were able to define the approach in four steps:

Get Compliant – working with small groups of applications, validating who has access and whether or not it is appropriate. Then undertake a cleanup to enhance both the security of the application and its compliance with internal policies.

Stay Compliant – once the application has been through the initial cleanup, the next stage is to include it in a regime whereby the application's security and compliance are enhanced over time. This puts in place firm foundations for any future automation of controls.

Analyse – as applications are added, the value of the data grows. The data can be examined to determine whether the joiner-mover-leaver process is working efficiently across the organisation, whether segregation of duties matrices need strengthening for a particular process, and so on. This results in the targeted use of resources (human and financial) as well as the tightening and enhancement of the controls that matter.

Enhance – the data will indicate which applications will benefit from automation of the controls (provisioning), and these may differ from the ones perceived to benefit from some form of automation. Because the user and entitlement data within the application are clean and the construct of the controls is well understood, automation will generate the desired efficiencies without introducing security loopholes.
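To make the first three steps concrete, here is an added example (not code from the original post or from the author's practice) of the kind of access review that "Get Compliant" and "Analyse" describe: an HR feed is joined against entitlement exports from two applications, and every account is checked for an HR record, for leaver status, against a per-department access policy and against a segregation-of-duties matrix. The HR feed, entitlement exports, policy, SoD matrix, application names and account ids are all constructed sample data, and the policy shape (department to permitted entitlements) is an assumption chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# --- Constructed sample inputs (illustrative only, not real data) ---

AS_OF = date(2016, 9, 23)  # date the review is run

# HR feed: account id -> (department, status, leave_date or None)
HR_FEED = {
    "e100": ("Finance", "active", None),
    "e101": ("Finance", "active", None),
    "e102": ("IT", "leaver", date(2016, 8, 31)),
    "e103": ("Sales", "active", None),
}

# Entitlement exports pulled from each application: app -> {account: set(entitlements)}
ENTITLEMENTS = {
    "erp": {
        "e100": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"},  # toxic combination
        "e101": {"AP_CREATE_VENDOR"},
        "e102": {"SYSADMIN"},                                # leaver still present
        "svc_batch": {"GL_POST"},                            # known service account
    },
    "crm": {
        "e103": {"SALES_REP"},
        "e104": {"SALES_ADMIN"},                             # no HR record: orphan
        "e101": {"SALES_REP"},                               # Finance user holding a Sales role
    },
}

# Segregation-of-duties matrix: pairs one account must not hold together in one app
SOD_MATRIX = {
    "erp": [("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT")],
}

# Access policy (assumed shape): app -> department -> entitlements it may hold
ACCESS_POLICY = {
    "erp": {"Finance": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT", "GL_POST"},
            "IT": {"SYSADMIN"}},
    "crm": {"Sales": {"SALES_REP", "SALES_ADMIN"}},
}

SERVICE_ACCOUNTS = {"svc_batch"}  # reviewed separately against an owner list


@dataclass(frozen=True)
class Finding:
    kind: str      # orphan | leaver | out_of_policy | sod_conflict
    app: str
    account: str
    detail: str


def review_access(hr, entitlements, sod, policy, service_accounts, as_of):
    """Get Compliant: check every account in every application against HR,
    the access policy and the SoD matrix; return the exceptions to clean up."""
    findings = []
    for app, accounts in entitlements.items():
        for account, roles in accounts.items():
            if account in service_accounts:
                continue
            record = hr.get(account)
            if record is None:
                findings.append(Finding("orphan", app, account, "no HR record"))
                continue
            dept, status, left = record
            if status == "leaver":
                days = (as_of - left).days
                findings.append(Finding("leaver", app, account, f"left {days} days ago"))
                continue  # other checks are moot until the account is removed
            allowed = policy.get(app, {}).get(dept, set())
            for role in sorted(roles - allowed):
                findings.append(Finding("out_of_policy", app, account,
                                        f"{role} not permitted for {dept}"))
            for a, b in sod.get(app, []):
                if a in roles and b in roles:
                    findings.append(Finding("sod_conflict", app, account, f"{a} + {b}"))
    return findings


def summarise(findings):
    """Analyse: count findings by kind and application, so that e.g. a pile of
    leaver findings in one app shows the leaver process does not reach it, and
    repeated SoD conflicts show where the matrix (or the role design) needs work."""
    counts = {}
    for f in findings:
        counts[(f.kind, f.app)] = counts.get((f.kind, f.app), 0) + 1
    return counts


if __name__ == "__main__":
    found = review_access(HR_FEED, ENTITLEMENTS, SOD_MATRIX, ACCESS_POLICY,
                          SERVICE_ACCOUNTS, AS_OF)
    for f in found:
        print(f"{f.kind:14} {f.app:4} {f.account:10} {f.detail}")
    for (kind, app), n in sorted(summarise(found).items()):
        print(f"{kind}/{app}: {n}")
```

On this sample the review yields one finding of each kind: a leaver retaining ERP admin access, an orphan CRM account, a Finance user holding a CRM role outside policy, and an ERP account holding both vendor creation and payment approval. Running the same review each cycle and keeping the summary counts is the "Stay Compliant" regime; the counts, not anecdote, then decide which application is worth the cost of provisioning automation.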



