By Dean Wiech
A decade ago, there was a solution niche called “user account provisioning” that helped organizations move away from manually managing user accounts in the network and email systems. This niche quickly morphed into identity management (IdM), which allowed organizations to connect other applications into automatic user lifecycle management, and added components to allow secure delegation of tasks that still needed to be processed manually. Additionally, some user self-service became prevalent with functionality such as password resets.
IdM rapidly gave way to Identity and Access Management (IAM), which added the capabilities to the user role or attribute-based access control. This allowed user’s rights and application roles to be managed and allocated automatically (based on pre-defined role maps), as well as the ability for employees or managers to request additional access, managed by a workflow approval process. Over the last few years, IAM has been transitioning into identity governance and administration (IGA). This latest iteration includes further capabilities, such as attestation and reconciliation – the ability for data and application owners to review employee’s access rights, correct as needed and certify to management the accuracy of the information.
The Components of IGA
Let’s take a quick look at some of the components or modules that make up a complete IGA system, while keeping in mind that the implementation can be accomplished in phases over time to ensure success at every stage.
The easiest component to implement is delegation to the helpdesk. Essentially, this replaces what is being done manually in the network and email systems with secure forms, ensuring consistency of naming conventions, storage allocations and assures that basic access rights are created appropriately. An added element of an IGA system is logging and auditing. All changes made via the delegation module are recorded as to the “who, what and when” and give a clear access trail for the annual IT audit, saving time and reducing discrepancies and human error.
The next step is to automate and reduce the load on the helpdesk. Many organizations bypass the delegation module and move right to automation, which is entirely understandable and feasible. During this stage, an authoritative source (usually the HR system) is linked via IGA to the network. As new users HR creates new users, they become automatically provisioned in the network. As the employee’s job changes, they are re-provisioned appropriately, and when they leave, access rights are terminated. At this stage, without an ABAC (attribute-based access control) or RBAC (role-based access control) matrix in place, only global rights can be set, and the balance must be manually assigned.
Access Control Options
This brings us to the third phase that presents two options:
Option one is to complete an RBAC or ABAC matrix and address the right to data and applications that are tied back to every job, title location, and role within the organization. While this provides the highest degree of accuracy and security, it can also be a time-consuming process, often taking six to 12 months to complete in its entirety.
The second option, which can be implemented quickly and concurrently, is self-service. Employees or managers request access and applications that are required for the employees to perform their work. Once the request is made, it’s processed for approval by the owners of the systems or data and, if approved, the changes are automatically committed to the systems. This option can also be issued in conjunction with the first to handle requests for special projects or temporary assignment for when an employee needs to cover for another on leave. Again, the main benefit to both of these options is the audit trail that is created and can be reported against. All changes to the network, applications or data access are fully trackable.
Attestation and Reconciliation
The final phase in IGA is the attestation and reconciliation component. This may also be implemented prior to the completion of the access governance matrix. In this stage, reports are generated on a periodic basis to the owners of applications, data shares, and Active Directory groups. These reports are also generated to managers within the organization. Reviews are done by evaluating who has access to what, whether that access is accurate or not, and certifying or attesting that it is correct. In the case of discrepancies, mangers can automatically process a revocation of rights for a particular employee or system. This ensures that no changes are made that go undetected.
Other components of IGA include self-service password reset and single sign-on (SSO). The first allows end users to securely reset their own network password by answering a series of challenge questions, much like a banking website. The SSO module allows a user to access a secure portal, from virtually any device, and gain access to all of their applications with a single click of the mouse or tap of the finger, without re-authenticating every time. Both of these solutions benefit the organization as they reduce calls to the help desk and ensure productivity of employees who no longer need to wait on hold for the helpdesk or remember multiple sets of credentials.
Modern IGA systems allow for a tremendous reduction in the workload of the helpdesk and IT staff by automating previously manual processes whenever and wherever possible. With web-based forms and workflows routing the appropriate person(s) for approval and commitment to the network, the IGA solution will ensure efficiency in an organization. The organization’s employees also will likely be very grateful when it is audit time.
Dean Wiech is managing director of Tools4ever.
- 17 Cybersecurity Podcasts You Should Listen to in 2020 - January 3, 2019
- What’s Changed: Gartner 2017 Magic Quadrant for Identity Governance and Administration (IGA) - January 28, 2018
- Crossmatch Integrates Keyboard Capture to Identity Management Software - November 27, 2017