Access Governance: Managing the Who and What of Data Access Rights in a Timely Fashion

By Dean Wiech

Over the past decade, many organizations have implemented, or at least attempted to implement, access governance (AG) applications. During a recent presentation to a group of 70 IT managers, one individual mentioned he had actually attempted three separate times to get a system operational. Let’s take a quick look at what AG should do for an organization and how to successfully get a system operational the first time.

I prefer to define AG as the effective, transparent and verifiable manner in which authorizations are built, managed and maintained. Basically, this means that the network users – employees, consultants, outside vendors, etc. – have the correct access rights to the applications and data which they need to perform their work – nothing more and nothing less. If users have more rights than they require, there is a large potential that they could access sensitive data and put the organization at risk if this data were to become readily available. Too few rights can lead to periods of non-productivity, as users may not be able to access a system needed to perform their job on a daily basis or for a special project.

Accomplishing the above may seem simple but can be a daunting task in a company where there are hundreds or thousands of unique roles. Most organizations have something in place already, which can be a good starting point. Typically processes like “copy user,” templates, spreadsheets and databases are utilized to determine what access rights a user should have based on their title, department, location and so forth. This is an ideal starting point for quickly building up the access governance database.

In this first phase, templates, spreadsheets and manual procedures can be employed to automate up to 25 percent of the entitlements. In the second phase, role mining, application management personnel and managers can provide data that will get the organization to approximately 75 percent of access rights being processed automatically. Getting to 100 percent will involve evaluation of feedback from the attestation process and analysis of changes made via the helpdesk.

In the early stages of implementation, the attestation and recertification process is critical, because only up to 25 percent of the authorizations are being implemented by the model. The other 75 percent to 100 percent require review and revision by managers. At this stage, audit results are dramatically improved, but data and access security still require further work. The result at the end of the implementation is complete visibility into the access rights both by employee and by system.

Inevitably, there will be some components that still need to be accomplished in a manual fashion. A user will need access to an application for a special project or because their job has changed slightly. To effectively manage these types of requests, web-based workflow portals can be utilized. An end user visits the portal and makes a request for the system for which they need access. Their manager approves or denies the request and it is either committed to the network or flows to another individual for further approvals. This request can be made on a permanent basis or for a specific period of time. If an expiration date is set, the user and manager can be notified prior to the cessation for review and, if warranted, an extension can be made. In either case, the additional access would be revoked should the person’s job title or department change.

One of the main benefits of automating the processes of access governance is the end result. Companies can gain complete insight into who has access to what and, even further, when the access was granted. Reconciliation can be utilized to ensure that access creep – the compounding of access rights over time – does not occur. If something is different than the “norm” for a role, it can be revoked in a timely fashion. Attestation is a further process where system owners and managers review access by user and by system and “attest” that the access is proper. Once again, if discrepancies are discovered, appropriate actions are taken to remedy the situation.
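The reconciliation and time-limited access rules described above, sketched as an added example (not code from the article or from any vendor product). The role model, user records, approved-request records and the 14-day notice window are constructed assumptions.

```python
from datetime import date

NOTICE_DAYS = 14  # assumed notice window before a time-limited grant lapses
# Constructed role model (assumption): (title, department) -> normal entitlements
ROLE_MODEL = {
    ("Accountant", "Finance"): {"erp_ledger", "email", "expense_portal"},
    ("Nurse", "Cardiology"): {"ehr_read", "ehr_write", "email"},
}
# Constructed users with the entitlements actually found on the network
USERS = [
    {"id": "alice", "title": "Accountant", "department": "Finance",
     "actual": {"erp_ledger", "email", "hr_records", "project_share"}},
    {"id": "bob", "title": "Nurse", "department": "Cardiology",
     "actual": {"ehr_read", "email", "erp_ledger"}},
]
# Constructed approved portal requests; expires=None means a permanent grant
EXCEPTIONS = [
    {"user": "alice", "entitlement": "project_share", "title": "Accountant",
     "department": "Finance", "expires": date(2024, 3, 10)},
    {"user": "bob", "entitlement": "erp_ledger", "title": "Accountant",
     "department": "Finance", "expires": None},
]

def reconcile(users, exceptions, today):
    """Return {user: {"missing", "excess", "expiring"}} against the role norm."""
    report = {}
    for u in users:
        job = (u["title"], u["department"])
        norm = ROLE_MODEL.get(job, set())  # unmodeled job: all access is flagged
        approved, expiring = set(), set()
        for ex in exceptions:
            if ex["user"] != u["id"] or ex["entitlement"] not in u["actual"]:
                continue
            # A grant is tied to the job it was approved for: a title or
            # department change voids it, as does passing its expiration date.
            same_job = (ex["title"], ex["department"]) == job
            live = ex["expires"] is None or ex["expires"] >= today
            if same_job and live:
                approved.add(ex["entitlement"])
                if ex["expires"] and (ex["expires"] - today).days <= NOTICE_DAYS:
                    expiring.add(ex["entitlement"])  # notify user and manager
        report[u["id"]] = {"missing": norm - u["actual"],             # too few rights
                           "excess": u["actual"] - norm - approved,  # access creep
                           "expiring": expiring}
    return report

if __name__ == "__main__":
    for user, findings in reconcile(USERS, EXCEPTIONS, date(2024, 3, 1)).items():
        print(user, findings)
```

In the sample data, bob's permanent grant was approved while he held a different title and department, so it no longer counts as approved and the entitlement is reported as excess.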

By using what an organization has in place currently and developing the AG dataset over time, implementation can occur much more quickly and start showing tangible benefits in a few weeks or months rather than a few years.

Dean Wiech is managing director of Tools4ever, a global provider of identity and access governance solutions.
