The need to identify users, control what they can access and audit their activities is fundamental to information security. Over the past decade, there has been a tsunami of identity and access management technology designed to provide a solution to these needs. However, many organizations have not realized the benefits expected from the application of this technology, because they have taken a technology-led approach rather than one based on governance. In addition, the move to outsourcing and the cloud means that technology and some processes are no longer under direct control.
What is governance?
According to ISACA, governance “ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.”
While management “plans, builds, runs and monitors activities in alignment with the direction of the governance body”, according to ISACA’s definition, governance sets the policies, procedures, practices and organizational structures that ensure the execution of strategic goals. Identity and access governance sets the framework within which identity and access technology and processes are implemented. By shifting the focus to control rather than execution, governance is also the ideal approach to manage identity and access in an outsourced environment like the cloud.
Why does governance matter?
Good governance ensures that there is a consistent approach to risks and compliance across different lines of business and multiple laws and regulations. It can reduce costs by avoiding multiple ad hoc approaches to compliance and risk management. Identity and access governance ensures, in a consistent and efficient manner, that only authorized people have access to the organization's confidential and regulated data.
The governance process leads the organization to evaluate risks in terms of their likelihood and business impact, and then to decide on the best approach to manage those risks. For example, choosing how to authenticate individuals accessing a system is a trade-off between the risk of impersonation, the value of the information and cost of the different authentication technologies. Where the impact, in terms of losses, would be high, it may make sense to choose a stronger (and more expensive) form of authentication than a username and password. Where the impact is low, a cheaper but less effective authentication process may be more appropriate. Governance provides a way to make this kind of decision effectively and consistently.
The objectives of access governance
The objectives of identity and access governance are to manage risk and ensure compliance in a consistent, efficient and effective manner. These objectives are:
- Availability—Business data and applications are available when and where they are needed.
- Integrity—Data can only be manipulated in ways that are authorized.
- Confidentiality—Data can be accessed only by authorized individuals and cannot be passed to other individuals who are not authorized.
- Privacy—Privacy laws and regulations must be observed.
- Accountability—It should be possible to hold people, organizations and systems accountable for the actions that they perform.
- Transparency—Systems and activities can be audited.
Access governance process
Access governance is not just about implementing access governance tools instead of provisioning tools; it is about implementing governance processes. The governance process is composed of three major phases. The initial phase is to understand the business needs and obtain approval for a plan of action. A key objective of this initial phase is to get executive sponsorship, which is critical to the success of any identity and access project. The second phase is to define the organizational needs and to produce a set of metrics and controls. The third phase is to monitor the controls and manage divergence. Governance requires well-described processes, guidelines and books of rules.
Who is responsible?
The responsibilities for identity and access lie with the lines of business, the owners of data and applications, and IT management. The actual division of responsibilities will vary among organizations; the following provides an illustration.
- The owners of data and applications services are responsible for classifying the sensitivity of data.
- The lines of business managers are responsible for defining what access individuals within their organization should have to the applications and data.
- The HR department, in conjunction with line management, is responsible for performing background checks on new employees, initiating the on-boarding processes that give the access to IT systems, and initiating the off-boarding processes that remove access rights for employees leaving the organization.
- IT management is responsible for ensuring that the identity and access infrastructure is installed, configured and functioning correctly.
- The legal department is responsible for setting up the legal agreements for identity federation with partner and supplier organizations, as required by corporate management or line of business owners.
- Lines of business owners are also responsible for the control of access to systems by external users such as customers and partners.
Monitoring and control
In order to govern identity and access, there needs to be a set of measures against which performance can be judged. It is important that the performance at the IT process level can be related back to the strategic business requirements. For example, if a strategic goal of an organization is to comply with EU privacy legislation, then it needs to process the personally identifiable data that it holds within legally defined parameters. The identity and access processes necessary to meet these requirements include:
- The organization needs to know what relevant data it holds and to classify this data accordingly.
- Identity management processes need to correctly manage the user’s lifecycle in a timely manner.
- The access management process needs to control which users have access to information. It also needs to ensure that users with privileged access do not access data beyond what they are authorized to see.
- Processes must be in place to monitor and review which users have access rights to the personal data and which users have actually made access.
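As an added illustration of the last two controls (this is example code, not part of the original article or of any product it mentions), the following script reconciles the access rights granted to personal-data applications against the access log for a review period, flags rights that were never exercised for the application owner to confirm or revoke, and flags accesses with no matching right. The users, applications, owners and log entries are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the article).
# Entitlements: (user, application) pairs granted to applications holding personal data.
ENTITLEMENTS = {
    ("alice", "hr-payroll"),
    ("bob", "hr-payroll"),
    ("carol", "crm-customers"),
    ("dave", "crm-customers"),
}
# Application owners who must attest to access for their application.
OWNERS = {"hr-payroll": "hr-director", "crm-customers": "sales-vp"}
# Access log: (user, application, date). "erin" holds no entitlement at all.
ACCESS_LOG = [
    ("alice", "hr-payroll", date(2024, 3, 2)),
    ("dave", "crm-customers", date(2023, 12, 20)),  # before the review period
    ("carol", "crm-customers", date(2024, 3, 5)),
    ("erin", "crm-customers", date(2024, 3, 6)),
]
REVIEW_START, REVIEW_END = date(2024, 1, 1), date(2024, 3, 31)


def review_access(entitlements, access_log, start, end):
    """Reconcile granted rights against actual use within [start, end].

    Returns (unused, unauthorized):
      unused       - entitlements not exercised in the period (candidates for removal)
      unauthorized - (user, application) accesses with no matching entitlement
    """
    used = {(u, app) for u, app, d in access_log if start <= d <= end}
    unused = sorted(entitlements - used)
    unauthorized = sorted(used - entitlements)
    return unused, unauthorized


def attestation_queue(unused, owners):
    """Group unused entitlements by the owner who must confirm or revoke them."""
    queue = {}
    for user, app in unused:
        queue.setdefault(owners[app], []).append((user, app))
    return queue


if __name__ == "__main__":
    unused, unauthorized = review_access(ENTITLEMENTS, ACCESS_LOG, REVIEW_START, REVIEW_END)
    for owner, items in attestation_queue(unused, OWNERS).items():
        print(f"{owner}: confirm or revoke {items}")
    for user, app in unauthorized:
        print(f"ALERT: {user} accessed {app} without an entitlement")
```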
Managing who can access what is fundamental to information security and to compliance with laws and regulations. Experience has shown that a technology-led approach to this is not effective; what is needed is good governance rather than more technology. One way to attain this is by adopting a holistic governance and management framework such as COBIT 5.