Overview

Fundamentally, organizations need visibility into and control over who has access to which applications and data in their enterprise. Specifically, they need to ensure that each user's ability to connect to applications, perform activities within those applications, and access corporate data is appropriate to their job function and doesn't violate any policies. This collection of abilities, referred to as each user's entitlements, is of concern to the user (so he or she can get their job done effectively), the application owner (ensuring that the user doesn't inadvertently or maliciously cause any harm), and the internal and external auditors (wanting reassurance that proper IT controls are in place).

Driven by both security and compliance needs, organizations increasingly recognize the need to obtain a unified view of each user's access across the enterprise, and to build a set of management and reporting processes on top of this. Organizations typically reach the conclusion that this is the only sensible way to achieve these goals.

However, doing so is not easy – there are a number of challenges, and a number of different audiences whose requirements must be simultaneously met.

Challenges

  • Scale

Organizations, even those with a relatively modest number of users, often find their access governance approaches stymied by the sheer number of entitlements to be collected, validated, and managed. For instance, an organization with just 5,000 users could easily have several million fine-grained entitlements, which is clearly far too many to be handled manually.

  • Scope

In addition to struggling with the sheer number of entitlements to be managed, InfoSec teams are often unable to easily connect with the variety and number of applications, data resources, and platforms for which user access must be managed.

  • Change

Today's organizations are constantly shifting, as employees Join or Leave the company, Move between roles, and as contingent workers come and go. At the same time that InfoSec is trying to manage these changes, the IT infrastructure is continually undergoing changes, and the set of compliance and security requirements is also changing.

It's no wonder that in so many organizations, the Information Security team struggles to meet the needs of all their key stakeholders -- Business Users & Managers, the Audit, Risk & Compliance team, and IT.

The way to meet these challenges is through a discipline called Access Governance.

 
