Rethinking identity management
23 September 2016
For the past 20 years, the world of enterprise identity management has focused on the automation of the joiner-mover-leaver process (provisioning), driven primarily by a need to demonstrate operational efficiency. Very little attention has been paid to compliance and risk, as these have traditionally been far more difficult to quantify in financial terms. Any compliance and risk work was delivered as an extension to the original provisioning work, with the application scope being the same. Because of the complexity and cost of implementing a provisioning solution, the number of applications brought under management was only a tiny proportion of the overall application estate.
In parallel with this, compliance and risk were growing in importance within organisations as regulators started to strengthen existing regulations and introduce new ones. Organisations were being asked to define and implement access control policies across a vast and ever-expanding application estate. Many of these access control policies had their roots in COBIT and Sarbanes-Oxley. When we asked our clients whether they were confident that their access control policies were truly being enforced and monitored, they told us they did not have the level of confidence they would like.
The question that therefore needed to be asked was: “is the way we approach identity projects beneficial to our clients?” The conclusion we came to was that we were starting at the wrong end: the application estate should be brought under control before any automation of the controls is considered. As we developed this idea further we were able to define the approach in four steps:
Get Compliant – working with small groups of applications, validate who has access and whether or not that access is appropriate. Then undertake a cleanup to enhance both the security of the application and its compliance with internal policies.
Stay Compliant – once the application has undergone the initial cleanup, the next stage is to include it in a regime whereby its security and compliance are enhanced over time. This puts in place firm foundations for any future automation of controls.
Analyse – as applications are added, the value of the data grows. The data can be examined to determine whether the joiner-mover-leaver process is working efficiently across the organisation, or whether segregation of duties matrices need strengthening for a particular process, and so on. This results in the targeted use of resources (human and financial) as well as the tightening and enhancement of the controls that matter.
Enhance – the data will indicate which applications will benefit from automation of the controls (provisioning), and these may differ from those perceived to benefit from some form of automation. Because the user and entitlement data within the application is clean and the construct of the controls is well understood, automation will generate the desired efficiencies without introducing security loopholes.
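As an added illustration of the Get Compliant and Analyse steps (this is example code written for this page, not the authors' tooling), the script below runs two of the checks described above over a constructed HR feed, entitlement export and segregation of duties matrix: it finds accounts that still hold access although HR no longer lists the person as active (the joiner-mover-leaver process failing at the leaver end), and users who hold a combination of entitlements that the matrix forbids. All data values and names are invented for the example.

```python
from collections import defaultdict

# Constructed HR feed: user id -> status ("active" or "left").
HR = {
    "u001": "active",
    "u002": "left",
    "u003": "active",
    "u004": "active",
}

# Constructed entitlement export from two applications: (app, user, entitlement).
# u999 has no HR record at all, i.e. an orphaned account.
ENTITLEMENTS = [
    ("finance", "u001", "create_vendor"),
    ("finance", "u001", "approve_payment"),
    ("finance", "u002", "approve_payment"),
    ("finance", "u003", "view_ledger"),
    ("hr", "u004", "edit_payroll"),
    ("hr", "u003", "view_payroll"),
    ("hr", "u999", "view_payroll"),
]

# Constructed segregation of duties matrix: pairs that must not be held together.
SOD_MATRIX = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"edit_payroll", "approve_payment"}),
}


def leavers_with_access(hr, entitlements):
    """Return sorted (user, app) pairs where the user is not active in HR (left or unknown)."""
    found = {(user, app) for app, user, _ in entitlements if hr.get(user) != "active"}
    return sorted(found)


def sod_violations(entitlements, sod_matrix):
    """Return sorted (user, entitlement_a, entitlement_b) triples that breach the matrix."""
    held = defaultdict(set)
    for _, user, ent in entitlements:
        held[user].add(ent)  # entitlements are aggregated across applications
    hits = []
    for user, ents in held.items():
        for pair in sod_matrix:
            if pair <= ents:  # user holds every entitlement in the forbidden pair
                a, b = sorted(pair)
                hits.append((user, a, b))
    return sorted(hits)


if __name__ == "__main__":
    print("leavers/orphans still holding access:", leavers_with_access(HR, ENTITLEMENTS))
    print("SoD violations:", sod_violations(ENTITLEMENTS, SOD_MATRIX))
```

In practice the same two checks are re-run on each new export so that the Stay Compliant stage can show whether the number of findings is falling over time.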