Probably the most convoluted of all IT practices, Identity Management and Governance is always vulnerable to security gaps. After all, controlling a vast expanse that extends beyond the traditional realm of a datacenter demands careful planning.
While spiraling costs and inadequate resources often undermine the identity governance approach, the inherent shortcomings are many. How an organization overcomes those shortcomings invariably depends on whether it clings to the basic principles.
Broadly, the identity governance practice can be split into three stages.
Moving down in descending order, stage one is where identity lifecycle management is at the core. Automation and risk-based scores for identities, among many other tools, make it possible to on-board and discover identities and to grant or revoke their access rights. The whole idea here is to uncover security blind spots through automation.
The second stage is where manual IT rules and processes complement the automation. Here the Information Security professionals lay down an unambiguous set of rules for password policy, authorization and other controls. The objective is to avoid the mistakes that prove costly when policies and processes are lacking.
Stage three requires doing the basics right. It forms the foundation for a robust identity management and governance practice. Here the IT security staff use the collected data to the fullest to understand the patterns behind it. Based on that data, an organization can enhance its security by applying the basic tenets of Information Security, especially those of identity management and governance.
The Basics in Identity Management and Governance
Segregation of Duties
Every time an end-user logs in and carries out IT tasks, the data is collected and managed in the Identity Governance platform. The metadata collected enables the IT security staff to understand the usage of IT resources, including the access patterns. This in turn helps them draw a clear outline of the varied access requirements, including a mapping of the workflow matrix. Roles and duties are thus defined.
Entitlements based on “need-to-know” and “need-to-do” principle
Once the segregation of duties is defined, the next task, ensuring that access is granted only on the “need-to-know” and “need-to-do” principle, becomes easy. The access entitlements are clearly defined because the admin now knows who ought to access what, and how frequently. This mitigates the risk of granting more access entitlements than required.
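As an added illustration of the two basics above (not code from the original article), the following script applies the same idea in miniature: a constructed set of granted entitlements, a constructed access log of the kind the governance platform collects on each login, and a hypothetical segregation-of-duties policy. It flags identities that hold a toxic combination and entitlements that were granted but never exercised, the "need-to-do" candidates for revocation.

```python
from collections import defaultdict

# Constructed sample data (hypothetical identities and entitlement names).
GRANTED = {
    "alice": {"ap:create_invoice", "ap:approve_payment", "crm:read"},
    "bob":   {"crm:read", "crm:write"},
    "carol": {"ap:create_invoice", "hr:read_salary"},
}

# Constructed access log: (identity, entitlement actually exercised) pairs,
# as the governance platform would record on each login and task.
ACCESS_LOG = [
    ("alice", "ap:create_invoice"), ("alice", "ap:approve_payment"),
    ("bob", "crm:read"), ("bob", "crm:read"),
    ("carol", "ap:create_invoice"),
]

# Hypothetical segregation-of-duties policy: pairs one identity must not hold together.
SOD_RULES = [
    ("ap:create_invoice", "ap:approve_payment"),
]


def used_entitlements(log):
    """Derive the access pattern: which entitlements each identity really used."""
    used = defaultdict(set)
    for user, ent in log:
        used[user].add(ent)
    return used


def sod_violations(granted, rules):
    """Identities holding both sides of a toxic pair, with the offending pairs."""
    out = {}
    for user, ents in granted.items():
        hits = [pair for pair in rules if set(pair) <= ents]
        if hits:
            out[user] = hits
    return out


def unused_entitlements(granted, log):
    """Entitlements granted but never exercised in the log (over-provisioning)."""
    used = used_entitlements(log)
    return {u: sorted(ents - used.get(u, set()))
            for u, ents in granted.items() if ents - used.get(u, set())}


if __name__ == "__main__":
    print("SoD violations:", sod_violations(GRANTED, SOD_RULES))
    print("Unused entitlements:", unused_entitlements(GRANTED, ACCESS_LOG))
```

In practice the review window for "unused" should be long enough to cover infrequent but legitimate duties (month-end tasks, for instance) before anything is revoked.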
To keep the identity management house in order, organizations implement several practices, including just-in-time privileges and granular controls. Implementing the basic identity governance practices complements the other best practices in access management.