From identity and access solutions to access governance; by Mike Small CEng, FBCS, CITP.
Over the past decade, there has been a tsunami of identity and access management technology. However, many organisations have not realised the benefits because they have taken a technology-led approach rather than one based on governance.
The need to identify users, control what they can access and audit their activities is fundamental to information security. Over the past decade, there has been a tsunami of identity and access management technology designed to provide a solution to these needs. However, many organisations have not realised the benefits expected from the application of this technology, because they have taken a technology-led approach rather than one based on governance. In addition, the move to outsourcing and the cloud means that technology and some processes are no longer under direct control.
What is governance?
According to ISACA, a global association of 100,000 IT governance, security and assurance professionals, governance “ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.” While management “plans, builds, runs and monitors activities in alignment with the direction of the governance body”, according to ISACA’s definition, governance sets the policies, procedures, practices and organisational structures that ensure the execution of strategic goals. Identity and access governance sets the framework within which identity and access technology and processes are implemented. By shifting the focus to control rather than execution, governance is also the ideal approach to managing identity and access in an outsourced environment such as the cloud, where the technology itself is run by someone else.
Good governance ensures that there is a consistent approach to risk and compliance across different lines of business and across multiple laws and regulations. It can reduce costs by avoiding multiple ad hoc approaches to compliance and risk management. Identity and access governance ensures, in a consistent and efficient manner, that only authorised people have access to the organisation’s confidential and regulated data. The governance process leads the organisation to evaluate risks in terms of their likelihood and business impact, and then to decide on the best approach to managing those risks. For example, choosing how to authenticate individuals accessing a system is a trade-off between the risk of impersonation, the value of the information and the cost of the different authentication technologies. Where the impact, in terms of losses, would be high, it may make sense to choose a stronger (and more expensive) form of authentication than a user name and password. Where the impact is low, a cheaper but less effective authentication process may be more appropriate. Governance provides a way to make this kind of decision effectively and consistently.
The objectives of identity and access governance are to manage risk and ensure compliance in a consistent, efficient and effective manner. These objectives are:
• Availability—Business data and applications are available when and where they are needed.
• Integrity—Data can only be manipulated in ways that are authorised.
• Confidentiality—Data can be accessed only by authorised individuals and cannot be passed on to individuals who are not authorised.
• Privacy—Privacy laws and regulations must be observed.
• Accountability—It should be possible to hold people, organisations and systems accountable for the actions that they perform.
• Transparency—Systems and activities can be audited.
Access governance is not just about implementing access governance tools instead of provisioning tools; it is about implementing governance processes. The governance process is composed of three major phases. The initial phase is to understand the business needs and obtain approval for a plan of action. A key objective of this initial phase is to get executive sponsorship, which is critical to the success of any identity and access project. The second phase is to define the organisational needs and to produce a set of metrics and controls. The third phase is to monitor the controls and manage divergence from them. Governance requires well-described processes, guidelines and rule books.
Who is responsible?
The responsibilities for identity and access lie with the lines of business, the owners of data and applications, and IT management. The actual division of responsibilities will vary among organisations; the following is an illustration.
• The owners of data and application services are responsible for classifying the sensitivity of data.
• Line of business managers are responsible for defining what access individuals within their organisation should have to the applications and data.
• The HR department, in conjunction with line management, is responsible for performing background checks on new employees, initiating the on-boarding processes that grant access to IT systems, and initiating the off-boarding processes that remove access rights from employees leaving the organisation.
• IT management is responsible for ensuring that the identity and access infrastructure is installed, configured and functioning correctly.
• The legal department is responsible for setting up the legal agreements for identity federation with partner and supplier organisations, as required by corporate management or line of business owners.
• Line of business owners are also responsible for controlling access to systems by external users such as customers and partners.
Monitoring and Control
In order to govern identity and access, there needs to be a set of measures against which performance can be judged. It is important that performance at the IT process level can be related back to the strategic business requirements. For example, if a strategic goal of an organisation is to comply with EU privacy legislation, then it needs to process the personally identifiable data that it holds within legally defined parameters. The identity and access processes necessary to meet these requirements include:
• The organisation needs to know what relevant data it holds and to classify this data accordingly.
• Identity management processes need to manage each user’s lifecycle correctly and in a timely manner.
• The access management process needs to control which users have access to information. It also needs to ensure that users with privileged access do not access data without authorisation.
• Processes must be in place to monitor and review which users have access rights to the personal data and which users have actually accessed it.
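The last two bullets describe a review that can be made concrete: reconcile the HR roster (user lifecycle), the data classification register, the entitlement list (who may access what) and the access log (who actually did), and report the divergences a line of business owner would be asked to act on. The following is an added example, written for this article and not code from the author, ISACA or KuppingerCole; every user, system and log entry in it is constructed, and the finding categories and the metric names are this example’s own choices rather than anything the article prescribes.

```python
"""Access-review reconciliation (added example; all data below is constructed)."""

# --- Constructed inputs for a hypothetical organisation ---------------------
# HR roster: user -> (status, termination date as ISO string or None)
HR_ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", "2012-06-30"),
    "carol": ("active", None),
    "dave": ("active", None),
}

# Data classification register, as the data owners would maintain it
DATA_CLASSIFICATION = {
    "payroll-db": "personal",
    "crm": "personal",
    "wiki": "internal",
}

# Entitlements: (user, system) -> role granted by the line of business
ENTITLEMENTS = {
    ("alice", "payroll-db"): "user",
    ("bob", "crm"): "user",
    ("carol", "crm"): "user",
    ("dave", "payroll-db"): "admin",
    ("dave", "wiki"): "user",
}

# Access log: (ISO date, user, system, action); ISO dates sort correctly as strings
ACCESS_LOG = [
    ("2012-07-02", "alice", "payroll-db", "read"),
    ("2012-07-03", "bob", "crm", "read"),          # after bob's termination
    ("2012-07-05", "carol", "payroll-db", "read"), # carol holds no entitlement here
    ("2012-07-06", "dave", "payroll-db", "export"),# privileged action on personal data
]


def review_access(roster, classification, entitlements, log, period_start, period_end):
    """Reconcile lifecycle, entitlements and actual access for one review period.

    Returns a dict of finding lists; each list is sorted so reports are stable.
    """
    findings = {
        "orphaned_entitlements": [],        # entitlement still held by a non-active user
        "access_after_termination": [],     # off-boarding did not remove access in time
        "unentitled_access": [],            # access with no matching entitlement
        "privileged_access_to_personal": [],# admin role used against personal data
        "unused_entitlements": [],          # granted but never exercised in the period
    }

    # Lifecycle control: every entitlement must belong to an active user.
    for (user, system), _role in entitlements.items():
        status, _term = roster.get(user, ("unknown", None))
        if status != "active":
            findings["orphaned_entitlements"].append((user, system, status))

    used = set()
    for day, user, system, action in log:
        if not (period_start <= day <= period_end):
            continue  # outside the review period
        used.add((user, system))
        _status, term = roster.get(user, ("unknown", None))
        if term is not None and day > term:
            findings["access_after_termination"].append((day, user, system))
        role = entitlements.get((user, system))
        if role is None:
            findings["unentitled_access"].append((day, user, system))
        elif role == "admin" and classification.get(system) == "personal":
            findings["privileged_access_to_personal"].append((day, user, system, action))

    # Least privilege: entitlements nobody used are candidates for removal.
    for key in entitlements:
        if key not in used:
            findings["unused_entitlements"].append(key)

    for key in findings:
        findings[key].sort()
    return findings


def control_metrics(findings, entitlements):
    """Roll the findings up into the kind of measures a governance body tracks."""
    total = len(entitlements)
    return {
        "orphan_rate": len(findings["orphaned_entitlements"]) / total,
        "unused_rate": len(findings["unused_entitlements"]) / total,
        "unentitled_access_count": len(findings["unentitled_access"]),
        "privileged_personal_access_count": len(findings["privileged_access_to_personal"]),
    }


if __name__ == "__main__":
    report = review_access(HR_ROSTER, DATA_CLASSIFICATION, ENTITLEMENTS, ACCESS_LOG,
                           "2012-07-01", "2012-07-31")
    for name, items in report.items():
        print(name, items)
    print(control_metrics(report, ENTITLEMENTS))
```

The point of the two-step shape is the one the section makes: the findings are what the data and application owners act on, while the metrics are what can be reported upward and compared from one review period to the next, so that an IT process result (an orphan rate, a count of unentitled accesses to personal data) can be traced back to the business goal it serves.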
Managing who can access what is fundamental to information security and to compliance with laws and regulations. Experience has shown that a technology-led approach to this is not effective; what is needed is good governance rather than more technology. One way to attain this is by adopting a holistic governance and management framework such as COBIT 5. A full report on how to move to access governance is available from KuppingerCole.
About the author
Mike Small is a member of the London Chapter of ISACA, a fellow of the BCS, and an analyst at KuppingerCole. Until 2009, Mike worked for CA, where he developed CA’s identity and access management product strategy. He is a speaker at IT security events around EMEA. He will be speaking at the ISACA EuroCACS/ISRM conference in Munich, 10 to 12 September 2012, on identity and access solutions, access governance, ensuring business continuity in the cloud and avoiding lock-in in the cloud. Register at http://www.isaca.org/Education/Conferences/Pages/European-CACS-ISRM-Europe-2012.aspx.