As mentioned in the Overview, organizations are driven by both security and compliance needs to obtain a clear and accurate picture of who has access to what in their organization, and to establish controls around this. Why? Because doing so is part of IT's core security responsibilities – keeping the bad guys out, and letting the good guys (employees, contractors, and partners) efficiently do their jobs.
Therefore, organizations must take active responsibility for ensuring that the right people have only appropriate access to computing resources. The Information Security (InfoSec) team is typically tasked with this – it's asked to meet the requirements defined by the internal Compliance team, across systems operated by IT, while serving and being responsive to business users. This is not an easy job, and has led to the creation of a part of the software industry called Access Governance.
This is the term that we (software vendors, industry analysts, and customers) use to describe the approach that organizations take to ensure that only the right people can access their critical applications and data, and that this is based on informed and reliable decisions, is defensible to auditors, and meets internal and external security guidelines.
Over the last 5 years at Aveksa, we've learned a lot about access governance from our customers, prospects, and partners, and have tried to distill this down into a simple approach, and a simple set of requirements. In general, we've seen customers approach their access governance programs in four phases:

Customers typically begin with Visibility & Certification, so they obtain a clear and accurate picture of who has access to what, at a fine-grained level. This means that they can collect identity, account, and entitlement data from a variety of applications, integrate it into a holistic view, and efficiently have supervisors certify that people who work for them have appropriate access.
Once that's in place, customers often next introduce access Policies, enabled by the holistic and accurate view of access obtained in the first phase. These policies may be Segregation-of-Duties rules – which define who should or shouldn't be permitted to perform a certain action, based on the user's attributes, or on what other entitlements they currently have. Or, they may be rules about how to handle lifecycle events, when people Join or Leave the company, or change jobs (Move) within the company.
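As an added illustration (not Aveksa's code or product logic), the following Python sketch shows how Segregation-of-Duties and attribute-based policies can be evaluated once the per-application entitlement data gathered in the Visibility phase is merged into a single view per identity. The applications, identities, entitlement names and rules are constructed sample data; the cross-application rule is the case that only a holistic view makes detectable.

```python
from collections import defaultdict

# Constructed sample: entitlements collected from three applications, each
# already correlated to the identity that owns the account (Visibility phase).
COLLECTED = [
    ("erp",  "alice", "create_vendor"),
    ("erp",  "alice", "approve_payment"),
    ("erp",  "bob",   "create_vendor"),
    ("bank", "bob",   "release_wire"),
    ("hr",   "carol", "view_payroll"),
]

# Constructed identity attributes, as an HR feed would supply them.
IDENTITIES = {
    "alice": {"type": "employee",   "dept": "finance"},
    "bob":   {"type": "contractor", "dept": "finance"},
    "carol": {"type": "employee",   "dept": "engineering"},
}

# SoD rules: (app, entitlement) pairs one person must never hold together.
# The second rule spans two applications and is invisible to either app alone.
SOD_RULES = [
    ("vendor-vs-payment", ("erp", "create_vendor"), ("erp", "approve_payment")),
    ("vendor-vs-wire",    ("erp", "create_vendor"), ("bank", "release_wire")),
]

# Attribute rules: an entitlement is only appropriate when the identity's
# attributes match every required key/value.
ATTRIBUTE_RULES = [
    ("payroll-finance-only", ("hr", "view_payroll"), {"dept": "finance"}),
]

def holistic_view(collected):
    """Merge per-application entitlements into one set per identity."""
    view = defaultdict(set)
    for app, identity, entitlement in collected:
        view[identity].add((app, entitlement))
    return view

def evaluate_policies(collected, identities, sod_rules, attribute_rules):
    """Return (identity, rule_name) for every policy violation in the data."""
    violations = []
    for identity, held in sorted(holistic_view(collected).items()):
        attrs = identities.get(identity, {})
        for name, left, right in sod_rules:
            if left in held and right in held:
                violations.append((identity, name))
        for name, entitlement, required in attribute_rules:
            if entitlement in held and any(attrs.get(k) != v for k, v in required.items()):
                violations.append((identity, name))
    return violations
```

Each violation is a candidate for a certification or remediation task; the same evaluation, run against a proposed change before it is granted, is the preventive form of the policy.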
Role management is another step forward in maturity, with organizations looking to both discover (mine) roles from existing applications and systems, as well as to define and actively manage new roles. A role program can be a very effective way of simplifying the overall process of managing access, for line-of-business managers, application owners, and the Information Security team. For these reasons, many customers look to Roles as an important and valuable phase.
The Request Management phase is where organizations can put into place an end-user facing Access Request portal, providing an easy way for users to request access to internal systems. It's important that the access request process be connected to the preceding foundational elements, so that
To learn more about how Aveksa approaches Access Governance, please proceed to the How We Do It page.