I might be splitting hairs but access governance and access control are different animals...yet different animals that belong to the same species. I'm picturing a doberman dachsund mix, cute AND effective as a guard dog!
Most Identity & Access Management (IAM) projects seem to focus on one or the other and often end up with two products, one for access control and one providing access governance. But why wouldn't you want one solution providing both aspects of access, looking forward and looking backward.
EmpowerID's Role Based Access Control (RBAC) engine secures resources, manages roles and permissions, manages Separation of Duties (SOD), and has a powerfule multi-tier attestation capability. In addition to RBAC, EmpowerID also incorporates Attribute Based Access Control (ABAC) into its capabilities for finer grained permissions delivered at run-time. Temporary Privileged Access (TPA) helps keep your organization following the principle of least privilege.
That is access control. All of these permissions and roles are stored in the EmpowerID metadirectory and projected into other platforms (AD, UNIX) and applications (cloud and on-premise) to give a comprehensive access control platform for the entire enterprise.
And that is the key, it is stored centrally. All access control for all connected systems and applications. Sitting there in a comprehensive, scalable, secure metadirectory. And within that same platform that is controlling all of this access are the access governance workflows.
Access governance comes in two flavors: audit-driven and business-driven. Auditors usually want reports and stacks of paper detailing all of the SOD violations, the excess permissions, the compliance issues. Business owners want the same thing but also want the ability to effect the change immediately to remedy an issue.
EmpowerID gives a 360 degree view of permissions to address this (and actually, auditors appreciate this too!):
- Who is a member of a role and/or group
- What resources does that role and/or group have access to
- What users/roles/groups have access to a particular resource
So, you look at it from the user perspective, the role perspective, and the resource perspective. At any point, with the business-driven access governance approach, the business owner can correct an issue, authorize an exception, or delegate the action. EmpowerID's approval workflows can escalate anything and all of these actions are then reported for the audit-driven access governance.
The access governance is managed from within the exact same user interface as the access control which give a familiar look and feel and the workflows within a mouse click to fix them.
Access Governance and Access Control do not have to be separate. Provide the auditor the tools for access governance, but fix the access issues as they happen, not once an auditor finds them.