GDS International - Next - Generation - Security - Summit - US - 11
A Phased Approach to Achieving Access Governance
  • 1. Automating Access Governance
Aveksa Insights Series
Access Governance Overview
  • 2. Welcome to Aveksa Insights. This series of documents is intended to provide a comprehensive guide to Access Governance, in a manageable and easily digestible format. The topics are divided as shown below, with an overview section and four phases. The topic for this document is highlighted.

[Series map: Access Governance (overview) | Visibility & Certification | Policy Management | Role Management | Request Management]

About This Document
This document provides an overview of Access Governance, introducing the concept, the business drivers, and the associated challenges. It also explains a four-phase approach to achieving Access Governance, and explores the capabilities that are required in each phase.

Aveksa Insights: Access Governance Overview. Revised November 2011
  • 3. Contents
Introduction ... 1
  The operational imperatives vs. security, compliance and risk ... 1
  The complexities of access management & governance - silos, scale and change ... 1
  Enabling the business – the lines-of-business have the context ... 1
  Using business abstractions to manage complexity – roles and policies ... 2
  Business processes for Access Governance & Management ... 2
The Journey – A Phased Approach ... 3
  Phase 1: Visibility & Certification ... 3
  Phase 2: Policy Management ... 4
  Phase 3: Role Management ... 4
  Phase 4: Request Management ... 5
Conclusion ... 5
  • 4. Introduction
The operational imperatives vs. security, compliance and risk
Since every facet of a business is dependent on information technology, organizations must provide information resource access to an ever-increasing number of employees, consultants, partners and customers. The pace of business dictates that these users must get access quickly. Business users need access to do their jobs effectively, and running into delays translates into a loss in productivity. And yet, giving users access to enterprise applications and data can carry significant risks: security risks such as the risk of fraud and the risk of intellectual property being stolen, or regulatory risks such as the risk of being fined for being out of compliance with HIPAA, SOX or PCI. These security and regulatory risks translate into business risk, since the potential impact of an incident could cause grievous harm to an enterprise’s brand, revenue or profitability.

The challenge facing most security teams, therefore, is to provide line-of-business (LOB) users with the access they need while ensuring that the access is appropriate and does not expose the enterprise to unnecessary business risk. Carefully choosing and deploying an enterprise access governance platform is the best way for security teams to balance the requirements for fast, flexible access delivery with the need to manage and mitigate access-related business risk.

The complexities of access management & governance - silos, scale and change
There are several issues that make access governance a complex endeavor in most organizations. First, the last few decades have seen application infrastructure and applications evolve into security silos. While many applications leverage external directories (such as Microsoft Active Directory) as user account repositories, thus externalizing authentication and sign-on, they continue to use their own entitlement store and authorization model, which makes the process of getting a single view of “who has access to what” difficult.

The second key issue contributing to complexity is that of scale. An organization with 10,000 users may have as many as 10 million user-entitlements. That’s a lot of user entitlements for a security team to track! What makes the scale issue even harder to deal with is the pace of change: changes, whether they are related to joiners, movers or leavers in the organization, mergers, acquisitions or reorganizations, or the on-boarding of applications or new compliance policies, have an impact on what’s appropriate and what’s not. So a dynamic environment leads to an ever-changing risk posture, unless there’s a way to proactively manage changes and the risks that accompany them.

The emergence of cloud computing is leading to even more complexity, with a new silo for every new cloud service provider. There is also a new dimension to scale, since privileged access by an unknown community of service provider administrators becomes a requirement, and the pace of change is quicker since LOBs are asking for and obtaining new services on demand. All of this introduces even greater risk, and can make an enterprise’s risk posture even more uncertain.

Enabling the business – the lines-of-business have the context
Providing LOB users with the access they need, efficiently dealing with access management and all of its complexities, and also managing business risk is a responsibility that traditionally has fallen on the security team in an organization. The leader of this team, a CIO, CISO, VP of Security or Director of Security, shoulders this burden despite the fact that IT security teams and operations teams have very little of the context needed for enterprise-wide access management. Most of this context lies within the LOBs in an organization: supervisors and other business managers understand what functional responsibilities people have, and business owners of specific applications or data resources understand how their applications are used and what policies are appropriate for them. Context relating to policy requirements lies either with risk, audit and compliance teams or with LOB managers. And yet, it is indeed IT security’s job to “get access management done”!
  • 5. That leads one to the inescapable conclusion that the only way IT security can deliver on its own job responsibilities is to enable the LOBs to do what they are uniquely qualified to do. What’s needed is a way to get audit, risk and compliance teams to drive access-related policy requirements as they understand them, and for IT to translate those requirements into a set of operational activities that are, for the most part, fulfilled by LOB decisions.

Using business abstractions to manage complexity – roles and policies
Shifting access management to the business, as described above, contains a number of people, process and technology challenges. Getting the LOBs to take ownership of their users, their assets and associated entitlements, and to become accountable for related tasks, can only happen if IT transforms the cryptic jargon of application and infrastructure entitlements into a business view of access and provides the LOBs with a simple, intuitive user experience for making access management decisions. One way to simplify the user experience is to map granular entitlements into higher-level abstractions called roles that represent sets of entitlements; roles are abstractions that can simplify the business view of access, making it easier for business users to ask for access or validate access.

Further, given the pace of change in an organization, expecting the business to stay up-to-date continuously with entitlement validation is destined to fail. What’s needed is a way to capture business context about what’s appropriate so that the context can be applied to make automated access decisions. That leads one to the concept of access policies such as segregation-of-duty policies; once a policy has been instantiated, it’s applied automatically, and if a policy violation is triggered, it’s dealt with automatically, often without any involvement from a business user.

Business processes for Access Governance & Management
As we have seen, organizations have to achieve both the delivery of access to the business and access risk management. Enabling the business (which ultimately has the context to make access decisions) is critical, but IT needs to make it easy for the LOBs to take ownership and become accountable. Audit, risk and compliance must be engaged as well, driving requirements, measuring results and testing controls. That leads us to the concept of establishing business processes within the organization with the involvement of LOBs, IT Security and Operations, and Audit, Risk and Compliance teams, as illustrated in Figure 1. Access governance platforms enable organizations to take on the challenge of creating these business processes, simplifying management by making the business view of access role-based, automating access decisions based on policies and building proactive access compliance into the fabric of the organization.

[Figure 1: Business processes for LOBs, IT Security, Audit, Risk & Compliance. The diagram places “Business Processes” at the center, connected to IT Security, Lines of Business, and Audit, Risk & Compliance, with the IT Security edges labelled “Enable the Business: Ownership & Accountability” and “Ensure Compliance & Manage Risk”.]
  • 6. The Journey – A Phased Approach
The business process automation approach to access governance clearly has tremendous potential. But how do organizations put it into practice? Where do they start? How do they combine people, process and technology to chart a course for access governance nirvana? The answer to these questions lies in a phased strategy that delivers step-by-step results. It starts with getting visibility into the reality of access within the enterprise and establishing business ownership and accountability; it then shifts to developing higher-level business abstractions to provide simplification and automation; and it ends with creating a business self-service and access change management process that delivers both operational efficiency and built-in security and compliance policy management. Figure 2 below illustrates this roadmap and outlines the capabilities required at each stage of this access governance journey.

Figure 2: Access Governance Roadmap (maturity increases from left to right)

Phase                       Capabilities
Visibility & Certification  Entitlement Collection; Entitlement Normalization; Certification
Policy Automation           Segregation of Duties; Joiners, Movers and Leavers
Role Management             Role Discovery and Definition; Role Lifecycle Management
Request Management          Access Request Portal; Policy-Based Change Management

Phase 1: Visibility & Certification
Having an accurate picture of the access reality of an organization is central to a sound access governance strategy. In the first phase, therefore, an organization should focus on two key capabilities. First, organizations need to be able to deploy systems that automatically capture the reality of their user access: collecting access (entitlement) data, cleaning up the captured data, and obtaining a single unified and normalized view of that reality. This process delivers data cleanup, access visibility and full transparency.

Second, organizations need to be able to transform the technical view of access into a business view of access, so that LOB managers become accountable for reviewing who has access to what and automated access certifications by the LOBs become possible. Access certifications (reviews) are a critical compliance control for most organizations, and implementing an automated certification process is an excellent way to begin to shift ownership of access decisions to the business.
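The collection and normalization step described above, as an added example that is not part of the original document or of Aveksa's product: two constructed silo feeds (a directory group list keyed by account name and an application export keyed by login e-mail) are correlated back to a constructed identity master, so that "who has access to what" can be answered per person rather than per account, and accounts that match no identity are surfaced as cleanup items.

```python
"""Toy Phase 1 collector: normalize entitlements from two silos into one view.

Added example, not Aveksa's code. Every identity, group and export row below is
constructed sample data; real collectors would read the directory and the
application's own entitlement store.
"""
from collections import defaultdict

# Constructed identity master: one record per person, with the per-silo account
# names that the collectors must correlate back to the identity.
IDENTITIES = {
    "E1001": {"name": "Alice Chen", "ad": "achen", "erp": "alice.chen@example.com"},
    "E1002": {"name": "Bob Ortiz", "ad": "bortiz", "erp": "bob.ortiz@example.com"},
}

# Silo 1 (constructed): directory groups -> member account names.
AD_GROUPS = {
    "GG-Finance-Readers": ["achen", "bortiz"],
    "GG-Payroll-Admins": ["bortiz", "svc_backup"],  # svc_backup matches no identity
}

# Silo 2 (constructed): application export keyed by login e-mail.
ERP_EXPORT = [
    ("alice.chen@example.com", "create_vendor"),
    ("alice.chen@example.com", "approve_payment"),
    ("bob.ortiz@example.com", "view_invoice"),
]


def build_view():
    """Return ({identity_id: {(application, entitlement), ...}}, orphans).

    Orphans are (silo, account) pairs with no owning identity: the "data
    cleanup" output of the collection step.
    """
    ad_index = {rec["ad"]: iid for iid, rec in IDENTITIES.items()}
    erp_index = {rec["erp"]: iid for iid, rec in IDENTITIES.items()}
    view, orphans = defaultdict(set), []
    for group, members in AD_GROUPS.items():
        for acct in members:
            iid = ad_index.get(acct)
            if iid is None:
                orphans.append(("AD", acct))
            else:
                view[iid].add(("AD", group))
    for login, perm in ERP_EXPORT:
        iid = erp_index.get(login)
        if iid is None:
            orphans.append(("ERP", login))
        else:
            view[iid].add(("ERP", perm))
    return dict(view), orphans


def who_has(view, application, entitlement):
    """Answer 'who has access to what' in business terms (people, not accounts)."""
    return sorted(IDENTITIES[iid]["name"] for iid, ents in view.items()
                  if (application, entitlement) in ents)
```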
  • 7. Phase 2: Policy Management
While automated access certifications enable an organization to ensure that every important entitlement is examined by a responsible person, the decision-making process is a manual one. The second phase in our access governance roadmap is about capturing decision-making context and logic into a set of policies that are defined in terms of business rules, so that an access governance platform can automate much of the decision-making. When the rules trigger, one or more actions may be taken automatically. Organizations typically require the ability to define policies to detect and respond to Segregation-of-Duties (SOD) violations, as well as to handle the events that occur when an employee joins the organization, moves around within it, or leaves the organization (Joiner-Mover-Leaver rules).

Often, these rules are used to initiate a workflow process. For example, when a business rule designed to detect a new employee is triggered, a multi-step joiner process can be started for the employee in question, to ensure that the new employee has appropriate access rights.

Note that SOD rules can be leveraged in both a detective mode and a preventive mode. When these rules are applied to existing user-entitlement assignments, they can automatically detect existing policy violations; when they are applied prior to assigning an entitlement to a user, they can prevent policy violations from occurring.

In this access governance phase, organizations usually establish a process for defining and maintaining rules, evaluating rules against entitlements, triaging the resulting violations, and establishing robust Joiner-Mover-Leaver business processes.

Phase 3: Role Management
The next phase of the access governance journey tackles roles, abstractions that have a huge potential to deliver simplification, but can be somewhat harder to define and maintain. Roles, as defined earlier in this document, are coarse-grained entitlements that provide a bridge between users and entitlements, in order to achieve simplification. Well-defined roles serve as a vocabulary of access, a vocabulary accepted by both business and IT. With roles in place, a pre-approved framework of access ensures that managers assigning access, approving access or reviewing access rarely deal with granular entitlements; they work at a more abstract level, thus reducing the number of interactions between people and software. That’s how roles deliver the desired simplification and efficiency.

The burden of user access provisioning can be greatly reduced by factoring roles into the provisioning equation. This requires that role membership for some roles be described using rules that are easily evaluated against the collected identity populations. Not all roles need membership rules, but bringing context about joiners, movers and leavers into the role management process can yield roles that help automate access provisioning and de-provisioning and simplify JML processes.

Thus, roles help an organization do one or both of the following:
1. Give users access in an efficient way – which simplifies access provisioning
2. Help review, validate or test user access in an efficient way – which simplifies compliance and risk management.

There are two key challenges with roles: first, defining them so that they deliver optimum value in terms of efficiency and simplification as described above, and second, maintaining them to ensure that they continue to provide that business value despite all the changes occurring in the organization.
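The Phase 2 rules (SOD in detective and preventive mode, driving a joiner workflow) and the Phase 3 role-membership rules evaluated against identity attributes, as one added example that is not Aveksa's code. The entitlement names, rule ids and role predicates are constructed; the mover case (a user who qualifies for a new role while still holding an entitlement from the old one) shows why the preventive check has to run before a role's entitlements are granted.

```python
"""Toy policy engine for Phase 2 (SOD, JML) and Phase 3 (role rules).

Added example, not Aveksa's code. Users, entitlements, SOD pairs and role
predicates are all constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    uid: str
    department: str
    title: str
    entitlements: set = field(default_factory=set)


# Constructed SOD rules: two entitlements one person must never hold together.
SOD_RULES = {
    "SOD-01": ("ERP:create_vendor", "ERP:approve_payment"),
    "SOD-02": ("HR:edit_payroll", "HR:approve_payroll"),
}

# Constructed role-membership rules: (predicate over identity attributes,
# entitlements the role carries). Evaluated against the identity population.
ROLE_RULES = {
    "AP_Clerk": (lambda u: u.department == "Finance" and u.title == "Clerk",
                 {"ERP:view_invoice", "ERP:create_vendor"}),
    "AP_Manager": (lambda u: u.department == "Finance" and u.title == "Manager",
                   {"ERP:view_invoice", "ERP:approve_payment"}),
}


def detect_sod_violations(users):
    """Detective mode: evaluate SOD rules against existing assignments."""
    return sorted((u.uid, rid) for u in users
                  for rid, (a, b) in SOD_RULES.items()
                  if a in u.entitlements and b in u.entitlements)


def preventive_check(user, new_entitlement):
    """Preventive mode: rule ids the grant would violate (empty list = allowed)."""
    return sorted(rid for rid, pair in SOD_RULES.items()
                  if new_entitlement in pair
                  and (set(pair) - {new_entitlement}) <= user.entitlements)


def roles_for(user):
    """Phase 3: roles whose membership rule matches this identity."""
    return sorted(r for r, (pred, _) in ROLE_RULES.items() if pred(user))


def joiner_mover(user):
    """JML workflow step: grant each qualifying role's entitlements, but only
    those that pass the preventive SOD check. Returns (granted, blocked)."""
    granted, blocked = set(), []
    for role in roles_for(user):
        for ent in sorted(ROLE_RULES[role][1] - user.entitlements):
            if preventive_check(user, ent):
                blocked.append(ent)       # hand off to a violation triage queue
            else:
                user.entitlements.add(ent)
                granted.add(ent)
    return granted, blocked
```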
  • 8. Phase 4: Request Management
An organization that has worked through the first three phases of the access governance roadmap has established both a business view of access and the abstractions to simplify and automate access management. The fourth and last phase of the access governance roadmap leverages this business view and these abstractions to provide a self-service access request front-end for the business and an auditable and policy-compliant change management engine for IT on the backend. In this phase, an access change management process is put in place so that LOBs are fully enabled to invoke access requests without any knowledge of the infrastructure and details involved in servicing the requests. Further, policy-based compliance is embedded into the end-to-end change management process, and the organization’s stance shifts from detective compliance to proactive compliance, since access policies can be checked and enforced before access is granted.

Conclusion
The four-phase roadmap discussed here is being used by organizations worldwide to make access governance operational. The approach has been leveraged with great success in multiple industry verticals, and has consistently delivered concrete business value. Thanks for reading this Insights overview of Access Governance. Additional documents in the Aveksa Insights series will provide further information on the four-phase pathway.
  • 9. ABOUT AVEKSA
Aveksa provides the most comprehensive, enterprise-class, access governance, risk management and compliance solution. Aveksa automates the on-boarding, change management, monitoring, reporting, certification and remediation of user entitlements and roles; enables role discovery and lifecycle management; and delivers unmatched visibility into the true state of user access rights. With Aveksa, business, security and compliance teams can effectively collaborate and enforce accountability. Our growing customer base includes leading Global 2000 organizations in financial services, healthcare, retail, energy/utility, transportation and manufacturing. For more information, go to

THE AVEKSA ACCESS GOVERNANCE PLATFORM
The Aveksa Access Governance Platform is the industry’s first comprehensive solution for access governance, risk and compliance management which delivers unmatched visibility into the true state of user access rights. The Access Governance Platform is comprised of Aveksa Compliance Manager, which automates the monitoring, reporting, certification and remediation of user entitlements; Aveksa Role Manager, which enables role discovery, modeling and maintenance; and Aveksa Access Request and Change Manager, which combines a business-centric interface and an automated, streamlined request process with policy controls to ensure that access is always appropriate.

Automating Access Governance
265 Winter Street | Waltham, MA 02451 | 781.487.7700 | © 2011 Aveksa Inc. All rights reserved. Aveksa, Aveksa product names, and the Aveksa logo are registered trademarks of Aveksa Inc. All other company and product names may be the subject of intellectual property rights reserved by third parties.