The reasons for starting an Access Governance project are almost never of a technological nature: the drivers are normally to satisfy internal or external audit demands and the need to comply with binding norms and regulations.
Unlike “Identity Management” projects, the objectives and the scope of applications/systems that one wishes to “govern” are much wider. Our experience teaches us that a key success factor is being able to achieve significant results quickly.
An “Access Governance” project typically consists of a set of 6 points, divided into four phases:
- Assessment of applications and their associated entitlements, to understand “who can do what”
- Implementation of a periodic access review process; monitoring and control of existing entitlements
- Implementation of an access request process, for requesting new entitlements
- Implementation of controls and mechanisms to remove inappropriate access
- Implementation of role-based entitlements, to simplify understanding of what is being requested or requires authorization
- Risk management, definition of SoD rules, automated control processes and mitigation
The Customer does not necessarily have to face all of the above steps at once. Using standard methodologies, we will assess the degree of maturity of the Customer’s “Governance Model”, identifying the current “as-is” level of maturity and an appropriate roadmap to achieve a higher maturity level, based on the Customer’s needs and objectives.
The “Access Governance” system will be able to:
- Provide visibility of who can do what on various applications, in terms of: systems, accounts, and entitlements (through scheduled data uploads from target systems)
- Produce (as-is and historical) reports on access rights and changes
- Provide a tool for managing authorization assignments and revocation
- Perform Role Mining, based on the discovery of existing entitlements and assignments
- Define risk matrices and policies that will determine conflicts or impacts during assignments
- Implement automatic mechanisms for change requests on: users, accounts, and applications.
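The following is an added illustration, not code from the original page or from any product it describes, of three of the capabilities listed above: detecting Segregation of Duties (SoD) conflicts in existing assignments, blocking a new access request that would create a conflict, and a minimal form of Role Mining that proposes candidate roles from users holding identical entitlement sets. The user names, applications, entitlements and the SoD rule set are constructed sample data; real deployments load these from the target systems and from the risk matrices the text mentions.

```python
from collections import defaultdict

# Constructed sample data: user -> set of "application:entitlement" strings,
# as would be collected by scheduled uploads from target systems.
ASSIGNMENTS = {
    "alice": {"erp:create_vendor", "erp:approve_payment", "crm:read"},
    "bob":   {"erp:create_vendor", "crm:read"},
    "carol": {"erp:create_vendor", "crm:read"},
    "dave":  {"erp:approve_payment", "hr:view_salary"},
}

# Constructed SoD rule set (a simple risk matrix): two entitlements that must
# not be held by the same person, with the risk level of the combination.
SOD_RULES = [
    ("erp:create_vendor", "erp:approve_payment", "high"),
    ("erp:approve_payment", "hr:view_salary", "medium"),
]


def find_sod_conflicts(assignments, rules):
    """Detective control: list every (user, ent_a, ent_b, risk) where a user
    already holds both sides of an SoD rule. Feeds the periodic access review."""
    conflicts = []
    for user, ents in sorted(assignments.items()):
        for ent_a, ent_b, risk in rules:
            if ent_a in ents and ent_b in ents:
                conflicts.append((user, ent_a, ent_b, risk))
    return conflicts


def check_request(assignments, rules, user, new_ent):
    """Preventive control for the access request process: return the rules
    that granting new_ent to user would violate (empty list = safe to approve)."""
    current = assignments.get(user, set())
    violated = []
    for ent_a, ent_b, risk in rules:
        if (new_ent == ent_a and ent_b in current) or (new_ent == ent_b and ent_a in current):
            violated.append((ent_a, ent_b, risk))
    return violated


def mine_roles(assignments, min_users=2):
    """Minimal role mining: users with identical entitlement sets are grouped,
    and each shared set held by at least min_users becomes a candidate role.
    Returns a list of (sorted entitlements, sorted users)."""
    groups = defaultdict(list)
    for user, ents in assignments.items():
        groups[frozenset(ents)].append(user)
    return [
        (sorted(ents), sorted(users))
        for ents, users in groups.items()
        if len(users) >= min_users
    ]


if __name__ == "__main__":
    print("Existing SoD conflicts (candidates for remediation):")
    for user, a, b, risk in find_sod_conflicts(ASSIGNMENTS, SOD_RULES):
        print(f"  {user}: {a} + {b} [{risk}]")

    print("\nRequest check: bob asks for erp:approve_payment")
    for a, b, risk in check_request(ASSIGNMENTS, SOD_RULES, "bob", "erp:approve_payment"):
        print(f"  would violate: {a} + {b} [{risk}]")

    print("\nCandidate roles from role mining:")
    for ents, users in mine_roles(ASSIGNMENTS):
        print(f"  {users} share {ents}")
```

In a real engagement the rule set would carry the risk matrix's owner and any mitigating control, so that a violated rule can either block the request or route it to a risk acceptance step instead of a plain approval.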