Governance, risk and compliance in Identity Management

Posted by Edward Killeen on Wed, Oct 17, 2012

Security and auditing are two of the main driving forces in Identity & Access Management (IAM).  Remember the definition of identity management: giving the right people access to the right resources at the right time.  But it's like Schrödinger's cat, both alive and dead until you observe and measure it.

Until you observe and measure your IAM practices and policies, you don't know whether the right people have the right access, and you don't know whether the wrong people got the wrong access.  That is where auditing actually helps your business, rather than just satisfying a regulatory requirement.

Auditing and security are a mix of proactive design and reactive reporting.  You design your workflows so that the right people have access, set up alerts for exceptions to those rights, and provide a useful reporting interface for your quarterly or yearly audits.  In our view, if you do the proactive part right, the reactive part becomes a rubber stamp.

We look at a few main categories for your proactive access control design:

  • RBAC & ABAC access control
  • Native system permissions inventory
  • Separation of Duties (SOD) policy
  • Attestation and access recertification
  • EmpowerID Operations audit log

By allowing a hybrid of role-based access control (RBAC) and attribute-based access control (ABAC), you can achieve finer granularity in your access decisions without role bloat.  Basically, any time a role needs finer-grained control, you add an attribute check from any connected system, and access is only granted if the user is in the right role and has the right attribute.
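The "right role and right attribute" rule can be seen in working code. The following is an added example and not EmpowerID's code; the role names, permissions, attribute names and users are all constructed for illustration. The point it demonstrates is that the sensitive permission stays on the existing role but carries an attribute condition, instead of spawning a new, narrower role.

```python
"""Added example, not EmpowerID's code: a minimal hybrid RBAC + ABAC check.
Roles grant permissions; a grant may carry an attribute condition that must
also hold, so access needs both the right role and the right attribute.
All role names, permissions and users below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# An ABAC condition is a predicate over the user's attribute dictionary
# (attributes would come from a connected HR system, directory, etc.).
Condition = Callable[[Dict[str, object]], bool]


@dataclass(frozen=True)
class Grant:
    permission: str
    condition: Optional[Condition] = None  # None = plain RBAC grant
    description: str = ""                  # why the condition exists


@dataclass
class User:
    name: str
    roles: Set[str]
    attributes: Dict[str, object] = field(default_factory=dict)


# Role -> grants. Instead of splitting AP_Clerk into several finer roles,
# the sensitive permission gets an attribute condition (no role bloat).
ROLE_GRANTS: Dict[str, List[Grant]] = {
    "AP_Clerk": [
        Grant("invoice:read"),
        Grant(
            "invoice:approve",
            condition=lambda a: a.get("department") == "Finance"
            and a.get("employment_type") == "FTE",
            description="Finance full-time employees only",
        ),
    ],
    "Auditor": [Grant("invoice:read"), Grant("audit_log:read")],
}


def check_access(user: User, permission: str) -> Tuple[bool, str]:
    """Grant only if a held role carries the permission AND that grant's
    attribute condition (if any) holds for this user. Returns (decision,
    reason) so the reason can be written to the audit log."""
    role_matched = False
    for role in sorted(user.roles):
        for grant in ROLE_GRANTS.get(role, []):
            if grant.permission != permission:
                continue
            role_matched = True
            if grant.condition is None:
                return True, f"granted by role {role}"
            if grant.condition(user.attributes):
                return True, f"granted by role {role} ({grant.description})"
    if role_matched:
        return False, "role grants it, but attribute condition not met"
    return False, "no held role grants this permission"


# Constructed sample users.
SAMPLE_USERS = {
    "alice": User("alice", {"AP_Clerk"},
                  {"department": "Finance", "employment_type": "FTE"}),
    "bob": User("bob", {"AP_Clerk"},
                {"department": "Finance", "employment_type": "Contractor"}),
    "carol": User("carol", {"Auditor"},
                  {"department": "Audit", "employment_type": "FTE"}),
}


def decide(user_name: str, permission: str) -> Tuple[bool, str]:
    return check_access(SAMPLE_USERS[user_name], permission)


if __name__ == "__main__":
    for who in SAMPLE_USERS:
        for perm in ("invoice:read", "invoice:approve", "audit_log:read"):
            ok, why = decide(who, perm)
            print(f"{who:6} {perm:16} {'ALLOW' if ok else 'DENY':5} {why}")
```

Returning a reason alongside the decision matters for the auditing side of the post: a denied approval that says "attribute condition not met" is far more useful in a quarterly review than a bare deny.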

Native tools are a problem in IAM.  If you can circumvent your identity management platform to change attributes, roles or access, what's the point?  EmpowerID will continuously inventory native systems, detect changes made in the native tool and report on them.  It can be configured to alert someone, roll the change back or just report on it.
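The inventory-and-detect loop described here amounts to diffing the platform's authoritative view against a fresh snapshot of the native system. The code below is an added example and not EmpowerID's implementation; the group names, users, "privileged group" list and the report/alert/rollback mode names are all constructed. It goes slightly beyond the paragraph by checking both directions (unauthorized additions and authorized access that was removed natively) and by escalating drift on privileged groups.

```python
"""Added example, not EmpowerID's implementation: detect changes made
directly in a native tool by diffing the IAM platform's authoritative group
membership against a fresh inventory of the native system, then decide per
configured mode whether to report, alert or roll back. All group, user and
mode names are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Groups whose out-of-band changes should page someone rather than wait for
# the quarterly report (constructed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Payroll-Admins"}


@dataclass(frozen=True)
class Drift:
    group: str
    member: str
    kind: str       # "unmanaged_add": in native system but not authorized
                    # "missing": authorized but removed natively
    severity: str   # "high" for privileged groups, else "medium"


def detect_drift(authoritative: Dict[str, Set[str]],
                 native: Dict[str, Set[str]]) -> List[Drift]:
    """Compare both directions so removals (access an auditor expects to
    exist) are caught as well as additions."""
    events: List[Drift] = []
    for group in sorted(set(authoritative) | set(native)):
        want = authoritative.get(group, set())
        have = native.get(group, set())
        sev = "high" if group in PRIVILEGED_GROUPS else "medium"
        events += [Drift(group, m, "unmanaged_add", sev) for m in sorted(have - want)]
        events += [Drift(group, m, "missing", sev) for m in sorted(want - have)]
    return events


def rollback_actions(events: List[Drift]) -> List[Tuple[str, str, str]]:
    """Native operations that would restore the authoritative state."""
    return [("remove_member" if e.kind == "unmanaged_add" else "add_member",
             e.group, e.member) for e in events]


def handle(events: List[Drift], mode: str) -> Dict[str, list]:
    """mode = 'report' | 'alert' | 'rollback'. Every mode records the
    events; 'alert' additionally flags high-severity ones; 'rollback'
    additionally produces the corrective operations."""
    out: Dict[str, list] = {
        "report": [f"{e.kind} {e.member} in '{e.group}' ({e.severity})" for e in events],
        "alerts": [],
        "actions": [],
    }
    if mode in ("alert", "rollback"):
        out["alerts"] = [e for e in events if e.severity == "high"]
    if mode == "rollback":
        out["actions"] = rollback_actions(events)
    return out


# Constructed snapshots: what IAM says membership should be, and what an
# inventory of the native directory just returned.
AUTHORITATIVE = {"Domain Admins": {"alice"}, "Finance-Share-RW": {"bob", "carol"}}
NATIVE = {"Domain Admins": {"alice", "dave"}, "Finance-Share-RW": {"bob"}}


def run_sample(mode: str = "rollback") -> Dict[str, list]:
    return handle(detect_drift(AUTHORITATIVE, NATIVE), mode)


if __name__ == "__main__":
    result = run_sample()
    for line in result["report"]:
        print(line)
    print("rollback:", result["actions"])
```

Whichever mode is configured, the drift event itself is always recorded; rollback without a record would undo the change but leave the auditor with nothing to review.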

Separation of Duties is an oft-overlooked aspect of IAM.  Basically, some roles are mutually exclusive.  If you are allowed to sign a check, you should not be able to issue a PO.  If you are in the research department of a bank, you should not have access to the retail banking systems.  Again, you can report on it, set alerts, or just plain not allow these conflicting roles, group memberships or access rights.
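The "report, alert or just plain not allow" choice maps onto two controls: a detective scan over existing assignments and a preventive check at assignment time. The code below is an added example and not EmpowerID's code; the rule set, entitlement names and user assignments are constructed, using the check-signing/PO and research/retail banking conflicts from the paragraph. It treats roles, group memberships and access rights uniformly as "entitlements", since a rule can apply to any of them.

```python
"""Added example, not EmpowerID's code: separation-of-duties rules as sets of
mutually exclusive entitlements (roles, groups or access rights), with a
detective scan over existing assignments and a preventive check used at
assignment time to block a conflicting grant. Entitlement names, rules and
users are constructed sample data."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Each rule: the set of entitlements that must never be held together,
# mapped to the business reason. A rule may name more than two.
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"Check_Signer", "PO_Issuer"}):
        "whoever issues a purchase order must not also sign the check that pays it",
    frozenset({"Research", "Retail_Banking"}):
        "research staff must not reach retail banking systems",
}


def conflicts_in(held: Set[str]) -> List[Tuple[FrozenSet[str], str]]:
    """Rules fully triggered by this entitlement set."""
    return [(rule, why) for rule, why in SOD_RULES.items() if rule <= held]


def find_violations(assignments: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Detective control: scan all users, report who violates which rule.
    Suitable for a scheduled job feeding the quarterly audit report."""
    report: Dict[str, List[str]] = {}
    for user, held in sorted(assignments.items()):
        hits = conflicts_in(held)
        if hits:
            report[user] = [f"{'+'.join(sorted(rule))}: {why}" for rule, why in hits]
    return report


def can_assign(held: Set[str], new_entitlement: str) -> Tuple[bool, List[str]]:
    """Preventive control: would granting new_entitlement complete a rule
    that is not already violated? Returns (allowed, reasons). A grant is
    blocked only for conflicts it introduces, so existing violations are
    left to the detective scan rather than silently masking the new one."""
    already = {rule for rule, _ in conflicts_in(held)}
    newly = [why for rule, why in conflicts_in(held | {new_entitlement})
             if rule not in already and new_entitlement in rule]
    return (not newly, newly)


# Constructed assignments: alice and carol each violate one rule.
ASSIGNMENTS = {
    "alice": {"Check_Signer", "PO_Issuer"},
    "bob": {"Research"},
    "carol": {"Research", "Retail_Banking", "Teller"},
}


if __name__ == "__main__":
    for user, reasons in find_violations(ASSIGNMENTS).items():
        print(user, reasons)
    print("bob + Retail_Banking:", can_assign(ASSIGNMENTS["bob"], "Retail_Banking"))
    print("bob + Teller:", can_assign(ASSIGNMENTS["bob"], "Teller"))
```

The detective scan is what the "report on it" and "set alerts" options consume; the preventive check is what "just plain not allow" looks like when it is wired into the provisioning workflow.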

There are also many cases where users have the right access but should not keep it forever.  Attestation and access re-certification solve this.  You can have resource owners (role owner, group owner, app owner, compliance officer) periodically attest that the access is still correct.  Even if the access is managed dynamically, you should still have periodic attestation.

All of these GRC factors are stored in an audit log.  But that doesn't do you any good unless there is a strong vehicle for presenting these actions and access to the appropriate business owner and/or auditor.  Having an online view, a powerful report generator and, most importantly, a method to take action on any red flags is key.

You want to know who made a change, when it was made, what tool was used, and who approved it.  These changes can be in multiple applications, and a centralized metadirectory helps keep it all in one place.

Some of the largest, most regulated corporations in the world use EmpowerID to solve these access problems; let us demonstrate how EmpowerID can work in your environment.


Tags: Identity and Access Management (IAM)