Have you ever had to respond to this simple question: “who has access to this file”? It seems easy, doesn’t it? Reporting who has access to a given file or application and who had it in the past couldn’t be that hard?
Well. Here is the truth: It’s hard!
If you haven’t experienced it for yourself, you’ll have to trust my 20+ years of experience. Or, you can always go and try asking your friendly IT admin the following question:
“If we need to get information on who has access to those files and who had it in the past, how would you do it?”.
After reading this, I encourage you to try it out in your organization.
Be prepared for a long talk on where all the systems come short and how dispersed the information is. This is a real problem!
Well, for every issue there is a solution: in this case, it’s called Identity and Access Governance (IAG).
Sounds complicated? It doesn’t have to be.
In this article I will:
- brief you on what access governance is and where it applies in practice;
- show you 5 examples of practical IAG processes; and
- provide you with additional materials for further reading on the subject.
Identity and Access Governance: Why all the fuss?
You’ve just entered the realm of Identity and Access Governance (IAG for short).
Besides being a fancy acronym to stick on your resume, it is also a professional domain that provides solutions to the real identity challenges that you might be facing today.
What kind of issues does it solve in practical terms?
Let’s face it. Look at a group in your Active Directory or Office 365 and ask yourself:
- Why are all these people there and who put them there?
- Are these folks in the right groups?
- What resources is this group granted access to? Are we sure about the access grants?
Studies show that about 90% of cyber-security breaches are caused by human error (source: Willis Towers Watson research). In most cases IT team members are not involved; we are talking about non-tech employees. Considering that roughly 70% of employees don’t even have a basic understanding of cyber-security best practices, you don’t want to take the risk of over-provisioning access to employees, right?
It’s easy to create a group. But, the moment you create one, you lose control of how other people will use it.
You may have created a group to manage access to this particular workspace but someone else might use it for different purposes.
Actually, you will never be able to tell where it is used. You only control its intended use and intended members. This is where access governance can help you.
Here’s the thing: you are not the first nor the last person with this problem. This is a common problem in many organizations.
Without burdening you with the gory details, let’s take a look at how IAG processes and tools solve the problem of providing clear visibility into the access granted to users, and how they help establish a process to keep it in check in the future.
Note: I will be using Omada Identity Suite as a tool of choice, however, the same principles apply to other products in this space. You can read about these processes in a tool-agnostic format in the IdentityPROCESS+ guide provided as a free download on Omada’s website, or in my previous article: Omada Enables Advanced Governance Control In Microsoft Azure.
Ready for a practical explanation of the IAG process? Let’s start!
Identity and Access Governance showcased in 5 easy steps
STEP #1: Onboarding: Make it right from the start.
It all starts with onboarding. HR creates a new employee and then what? Typically, there is a bunch of requests for this person to be granted access to all the systems. Access requests are based on organizational knowledge: people know what to request, or they request the same access as their colleagues.
Requests are placed in the ticketing system. Tickets are fulfilled by IT / Helpdesk departments. It takes time!
Now, here is how this differs with an IAG process in place:
- Hiring a person triggers an onboarding process.
- The onboarding process is routed to a person closest to a new hire from a business perspective, e.g. his/her manager.
- Basic access rights are granted automatically.
- Additional access rights are requested for the user by the manager during the onboarding process.
In this short video, I illustrate what the onboarding process looks like in the Omada IAG tool.
Quick win: correct access from day one. With all appropriate assignment policies predefined, the new identity automatically gets access to basic rights with minimal effort from IT, HR and the hiring manager. Additional access rights are requested on the spot by the manager during onboarding.
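To make the "assignment policies predefined" idea concrete, here is an added example that is not code from the article or from Omada: a minimal policy engine where each policy grants one entitlement to every identity whose HR attributes match. An HR hire event runs the policies, records each automatic grant with the policy that justifies it (so the origin of the access is never lost), and opens a task for the manager to request anything beyond the baseline. The data model, policy names and entitlement names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical data model for this example (not a product's own schema).
@dataclass(frozen=True)
class Identity:
    user_id: str
    department: str
    job_title: str
    manager_id: str

@dataclass(frozen=True)
class AssignmentPolicy:
    """Grants one entitlement to every identity whose attributes match.
    A None attribute means 'any value', so a policy with no conditions
    is a company-wide birthright."""
    name: str
    entitlement: str                 # e.g. an AD group or an application role
    department: Optional[str] = None
    job_title: Optional[str] = None

    def matches(self, identity: Identity) -> bool:
        return ((self.department is None or self.department == identity.department)
                and (self.job_title is None or self.job_title == identity.job_title))

# Constructed sample policies: everyone gets a mailbox and the all-staff group,
# departments get their base share, and one job title gets an application role.
POLICIES: List[AssignmentPolicy] = [
    AssignmentPolicy("all-staff", "grp-all-employees"),
    AssignmentPolicy("all-staff-mail", "o365-mailbox"),
    AssignmentPolicy("finance-base", "grp-finance-share", department="Finance"),
    AssignmentPolicy("finance-erp", "erp-accountant", department="Finance", job_title="Accountant"),
    AssignmentPolicy("eng-base", "grp-engineering", department="Engineering"),
]

def birthright_access(identity: Identity, policies: List[AssignmentPolicy]) -> Dict[str, str]:
    """Entitlements an identity receives automatically, mapped to the policy
    that justifies each one (the first matching policy wins)."""
    grants: Dict[str, str] = {}
    for policy in policies:
        if policy.matches(identity):
            grants.setdefault(policy.entitlement, policy.name)
    return dict(sorted(grants.items()))

def onboard(identity: Identity, policies: List[AssignmentPolicy], audit: list) -> dict:
    """Onboarding triggered by an HR hire event: grant birthright access, write an
    audit record per grant (with its origin), and route a task to the manager
    for any additional access the baseline does not cover."""
    grants = birthright_access(identity, policies)
    for entitlement, policy in grants.items():
        audit.append({"event": "grant", "user": identity.user_id,
                      "entitlement": entitlement, "origin": f"policy:{policy}"})
    task = {"task": "review-additional-access", "user": identity.user_id,
            "assigned_to": identity.manager_id, "baseline": sorted(grants)}
    audit.append({"event": "task-created", **task})
    return task

if __name__ == "__main__":
    audit_log: list = []
    new_hire = Identity("u1001", "Finance", "Accountant", manager_id="u0042")
    print(onboard(new_hire, POLICIES, audit_log))
    for record in audit_log:
        print(record)
```

The point of keeping the `origin` on every grant is that later stages (the compliance view and attestation) can tell a policy-driven assignment from one that simply turned up in the target system.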
STEP #2: Access. It is all about access!
Over time, as users progress through their employment, they might need more access to systems. Their job will change, and they will take on new tasks.
We need to ensure the following:
- Users can request additional access to business applications.
- Managers and system owners can approve or deny access.
- Access is provisioned automatically for the user, or routed to the team that provisions it.
- The user has clear visibility into the process and its current stage.
This is a typical process of access requests and approvals within the organization, implemented as part of access governance.
Quick win: The user has a clear path to request additional access. New access rights are approved with a clear process. Once approved, there are no unnecessary delays in the provisioning of new access rights. All decisions are audited and documented.
Granting is easy. But what if you need to block access for a specific user quickly? You can use an emergency lockout to revoke access temporarily, then wait for the situation to resolve before the full de-provisioning process kicks in.
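The request, approval, provisioning and emergency-lockout steps above form a small state machine. Here is an added example, not code from the article or from Omada, that implements it: every assignment moves through explicit states, illegal transitions are rejected (so nothing reaches "provisioned" without an "approved" step), only the user's manager or the entitlement's system owner may decide, self-approval is refused, and every transition is appended to the request's history. An emergency lockout suspends all of a user's provisioned access without deleting the assignments, so it can be restored or later fully revoked. Names, roles and the `Governance` class are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List

class State(Enum):
    REQUESTED = "requested"
    APPROVED = "approved"
    DENIED = "denied"
    PROVISIONED = "provisioned"
    SUSPENDED = "suspended"      # emergency lockout: access off, assignment kept
    REVOKED = "revoked"          # full de-provisioning

# Legal transitions. Anything not listed raises, which is what guarantees that
# an approval decision always precedes provisioning.
TRANSITIONS = {
    State.REQUESTED: {State.APPROVED, State.DENIED},
    State.APPROVED: {State.PROVISIONED},
    State.PROVISIONED: {State.SUSPENDED, State.REVOKED},
    State.SUSPENDED: {State.PROVISIONED, State.REVOKED},
    State.DENIED: set(),
    State.REVOKED: set(),
}

@dataclass
class AccessRequest:
    request_id: str
    user: str
    entitlement: str
    requested_by: str
    state: State = State.REQUESTED
    history: List[dict] = field(default_factory=list)   # the audit trail

    def move(self, new_state: State, actor: str, reason: str = "") -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.state.value} -> {new_state.value} is not allowed")
        self.history.append({"from": self.state.value, "to": new_state.value,
                             "actor": actor, "reason": reason})
        self.state = new_state

class Governance:
    """Hypothetical request/approval service (constructed for this example)."""

    def __init__(self, managers: Dict[str, str], owners: Dict[str, str]):
        self.managers = managers    # user -> manager
        self.owners = owners        # entitlement -> system owner
        self.requests: Dict[str, AccessRequest] = {}

    def request(self, request_id: str, user: str, entitlement: str, requested_by: str) -> AccessRequest:
        req = AccessRequest(request_id, user, entitlement, requested_by)
        req.history.append({"from": None, "to": "requested", "actor": requested_by, "reason": ""})
        self.requests[request_id] = req
        return req

    def decide(self, request_id: str, actor: str, approve: bool, reason: str = "") -> State:
        """Only the user's manager or the entitlement's owner may decide, and
        nobody may approve access for themselves."""
        req = self.requests[request_id]
        approvers = {self.managers.get(req.user), self.owners.get(req.entitlement)}
        if actor not in approvers or actor == req.user:
            raise PermissionError(f"{actor} may not decide on {request_id}")
        req.move(State.APPROVED if approve else State.DENIED, actor, reason)
        if approve:   # hand-off to the provisioning connector, recorded as its own step
            req.move(State.PROVISIONED, "provisioning-connector", "auto-provisioned")
        return req.state

    def emergency_lockout(self, user: str, actor: str, reason: str) -> List[str]:
        """Suspend every provisioned assignment of a user; nothing is deleted."""
        locked = []
        for req in self.requests.values():
            if req.user == user and req.state is State.PROVISIONED:
                req.move(State.SUSPENDED, actor, reason)
                locked.append(req.request_id)
        return locked

    def deprovision(self, user: str, actor: str, reason: str) -> List[str]:
        """Full de-provisioning of a user's active or suspended assignments."""
        revoked = []
        for req in self.requests.values():
            if req.user == user and req.state in (State.PROVISIONED, State.SUSPENDED):
                req.move(State.REVOKED, actor, reason)
                revoked.append(req.request_id)
        return revoked
```

Because `history` is only ever appended to by `move`, the list on each request is exactly the record an auditor would want later: who asked, who approved, when it was locked out and why.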
STEP #3: It is all about compliance: using your Compliance Dashboard’s magic power.
With processes in place to manage access to systems, you gain one, very important superpower: visibility!
It’s now visible what permissions are granted to which systems, which were requested/approved and which of those are just there with no clear indication of why.
This is our state of compliance. With all access rights gathered in a single place, regardless of their state, we can take a look at where we are. It might take the form of a Compliance Dashboard.
A one-stop-shop to get an overview of your organization’s access landscape. Green is what we want; all the other colors are what we have at the beginning.
Quick win: A single place to visually assess the current state of access rights within an organization. Visual controls indicate whether we are in the right place (green is our target state) or how far off we are.
But, there is a lot of color other than green in this dashboard. Let’s look at how to fix it.
STEP #4: Attestation made easy! How to find out what you have.
Let’s face it. The majority of us will start in an unknown state (everything but green on our dashboard). We know that these permissions are there. We know people have been granted access rights. We don’t know why, or whether they should keep them.
Once you have a window into your current status, you can use it as a starting point to make it right. In terms of access governance, it is called the attestation process. Simply stated:
- Start with the current state. Define what you want to review.
- Send a survey to business owners (managers) or system owners. Ask them if the access permissions are in place as they should be.
- Gather responses and process them in the system.
- Provision or de-provision permissions based on the responses.
Instead of trying to figure out from one central point whether permissions are correct, you can distribute this task to multiple people with a better business perspective. The sum of these tasks is your compliance state.
Here is a short video on how this process looks, implemented in the Omada IAG tool.
Quick win: With tools and processes in place, you can quickly assess the current state of permissions and gain control of the system. You can also repeat this process regularly, or assess specific permissions whenever they look incorrect.
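The following added example, which is not code from the article or from Omada, covers both Step 3 and Step 4: it computes the dashboard counts (green when an assignment has a documented origin, "unknown" when it was found in a system with no record of why), then runs one attestation campaign over the unknown assignments. Each item is routed to the entitlement's system owner, falling back to the user's manager, and only the reviewer an item was routed to can decide it; "keep" turns the assignment green with an attestation record, "revoke" produces a de-provisioning action, and unanswered items stay unknown so they reappear next time. The assignment data, owners and managers are constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Item = Tuple[str, str]   # (user, entitlement)

@dataclass
class Assignment:
    user: str
    entitlement: str
    # "policy:<name>", "request:<id>", "attested:<reviewer>" or None when the
    # assignment was discovered in the target system with no known origin.
    origin: Optional[str]

def compliance_state(a: Assignment) -> str:
    """Green ('compliant') means we can explain the assignment; 'unknown' is
    everything we found in a system without a request, policy or attestation."""
    return "unknown" if a.origin is None else "compliant"

def dashboard(assignments: List[Assignment]) -> Dict[str, int]:
    """The numbers behind a compliance dashboard: one count per state."""
    return dict(Counter(compliance_state(a) for a in assignments))

def build_attestation(assignments: List[Assignment], owners: Dict[str, str],
                      managers: Dict[str, str]) -> Dict[str, List[Item]]:
    """One survey per reviewer, each listing the unknown assignments they are
    best placed to judge: the system owner first, then the user's manager."""
    surveys: Dict[str, List[Item]] = defaultdict(list)
    for a in assignments:
        if compliance_state(a) == "unknown":
            reviewer = owners.get(a.entitlement) or managers.get(a.user) or "compliance-team"
            surveys[reviewer].append((a.user, a.entitlement))
    return dict(surveys)

def apply_responses(assignments: List[Assignment], surveys: Dict[str, List[Item]],
                    responses: Dict[str, Dict[Item, str]]) -> Tuple[List[Assignment], List[dict]]:
    """responses maps reviewer -> {(user, entitlement): 'keep' | 'revoke'}.
    A decision is only honoured if it comes from the reviewer the item was
    routed to. Returns the surviving assignments and the de-provisioning actions."""
    decisions: Dict[Item, Tuple[Optional[str], str]] = {}
    for reviewer, items in surveys.items():
        answers = responses.get(reviewer, {})
        for item in items:
            decisions[item] = (answers.get(item), reviewer)

    remaining: List[Assignment] = []
    actions: List[dict] = []
    for a in assignments:
        decision, reviewer = decisions.get((a.user, a.entitlement), (None, ""))
        if decision == "keep":
            a.origin = f"attested:{reviewer}"      # now explainable: turns green
            remaining.append(a)
        elif decision == "revoke":
            actions.append({"action": "deprovision", "user": a.user,
                            "entitlement": a.entitlement, "decided_by": reviewer})
        else:
            remaining.append(a)                     # unanswered: stays unknown
    return remaining, actions

if __name__ == "__main__":
    # Constructed sample data.
    owners = {"erp-admin": "carol", "grp-finance-share": "carol"}
    managers = {"alice": "bob", "dave": "bob"}
    current = [
        Assignment("alice", "grp-all-employees", "policy:all-staff"),
        Assignment("alice", "erp-admin", None),
        Assignment("dave", "grp-finance-share", None),
        Assignment("dave", "legacy-ftp", None),
    ]
    print("before:", dashboard(current))
    campaign = build_attestation(current, owners, managers)
    print("surveys:", campaign)
    answers = {"carol": {("alice", "erp-admin"): "keep",
                         ("dave", "grp-finance-share"): "revoke"}}
    left, todo = apply_responses(current, campaign, answers)
    print("after:", dashboard(left), "actions:", todo)
```

Running the campaign again after the actions are executed is what the "repeat this process regularly" quick win amounts to: the unanswered `legacy-ftp` item is still unknown and lands in the manager's next survey.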
STEP #5: All you need is in the reports!
With all of the above, you can finally start answering the question “who has access to this file?”. Access governance processes with the right tools ensure that all actions such as
- Identity onboarding and offboarding;
- Application and data access grants and their approval process;
- Additional access requests;
- Emergency lockouts;
- Attestation process and decisions;
are stored in an audit database and are ready for you to review. Typically, each such solution comes with a canned set of reports, ways to create more if needed, or data export functionality for external systems.
Quick win: Built-in reporting and auditing capabilities make it easy to address common audit and compliance requests. You can answer questions about current access, point-in-time access rights and historical changes. Even if the employee is no longer with your company and has disappeared from your HR system, you can still review that person’s permissions.
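As an added example, not code from the article or from Omada, here is the core of a point-in-time report built on an audit database: replay the recorded grant, suspend, restore and revoke events up to a chosen moment and read off who held an entitlement then. Because the answer comes from the event history rather than from the live directory or HR feed, a user who has since left (and been revoked) still appears in the report for dates when they had access. The audit events are constructed for illustration; the field names are an assumption, not a product's export format.

```python
from datetime import datetime, timezone
from typing import Dict, List, Tuple

def ts(iso: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

# Constructed audit events. 'suspend' is an emergency lockout, 'restore' lifts
# it, 'revoke' is full de-provisioning. Events are deliberately not in order,
# as an export from several sources might be.
AUDIT: List[dict] = [
    {"at": ts("2023-01-09T08:00:00"), "user": "alice", "entitlement": "fin-share", "action": "grant",   "origin": "policy:finance-base"},
    {"at": ts("2023-01-09T08:00:00"), "user": "dave",  "entitlement": "fin-share", "action": "grant",   "origin": "request:R7"},
    {"at": ts("2023-03-02T14:30:00"), "user": "dave",  "entitlement": "fin-share", "action": "suspend", "origin": "secops"},
    {"at": ts("2023-03-04T09:00:00"), "user": "dave",  "entitlement": "fin-share", "action": "restore", "origin": "secops"},
    {"at": ts("2023-06-30T17:00:00"), "user": "dave",  "entitlement": "fin-share", "action": "revoke",  "origin": "hr-offboarding"},
    {"at": ts("2023-02-01T10:00:00"), "user": "erin",  "entitlement": "fin-share", "action": "grant",   "origin": "request:R12"},
]

def replay(events: List[dict], until: datetime) -> Dict[Tuple[str, str], str]:
    """Replay events up to and including 'until'; return the state of every
    (user, entitlement) pair that still exists at that moment."""
    state: Dict[Tuple[str, str], str] = {}
    for e in sorted(events, key=lambda e: e["at"]):
        if e["at"] > until:
            break
        key = (e["user"], e["entitlement"])
        if e["action"] in ("grant", "restore"):
            state[key] = "active"
        elif e["action"] == "suspend":
            state[key] = "suspended"
        elif e["action"] == "revoke":
            state.pop(key, None)
    return state

def who_had_access(events: List[dict], entitlement: str, at: datetime,
                   include_suspended: bool = False) -> List[str]:
    """Users holding the entitlement at a given moment. Locked-out users are
    excluded unless asked for, since a lockout removes effective access."""
    state = replay(events, at)
    return sorted(user for (user, ent), s in state.items()
                  if ent == entitlement and (s == "active" or include_suspended))

def access_history(events: List[dict], user: str) -> List[Tuple[str, str, str]]:
    """Every recorded change for one user, oldest first, even after offboarding."""
    return [(e["at"].date().isoformat(), e["entitlement"], e["action"])
            for e in sorted(events, key=lambda e: e["at"]) if e["user"] == user]

if __name__ == "__main__":
    print(who_had_access(AUDIT, "fin-share", ts("2023-03-03T00:00:00")))
    print(who_had_access(AUDIT, "fin-share", ts("2023-03-03T00:00:00"), include_suspended=True))
    print(access_history(AUDIT, "dave"))   # dave is gone, the history is not
```

The replay is the part that matters for audit questions: sort first, stop at the cut-off, and treat a lockout as a state of its own so a report can distinguish "assigned but suspended" from "had access".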
Quite a journey. These 5 practical cases do not fully cover access governance topics. There is so much more to cover. There are different actors and stakeholders in each of the processes.
There are tasks related to the management of your role and permission models. There are applications and system owners and different variations of approval processes.
As I tried to demonstrate, access governance doesn’t have to be a complicated process, given the right tool!
Instead of wondering who manages access to a given resource, you get a clear and easy way to discover a catalog of all access available for you.
IT or compliance people don’t have to try to figure out what a given person does in their job in advance. The onboarding process makes it easy for a new employee’s direct manager to grant all necessary permissions.
And finally, instead of time-consuming approaches to building reports around existing access, we have a clear attestation process with full audit records stored in the audit database.
If you want to read more on the subject, Omada’s IdentityPROCESS+ guide is a good start to understanding all these areas and what is required in your organization.
In fact, this might be a great start for your career as an IAG professional. Or maybe just a journey to make your organization safer, easier to manage, with fewer troubles to answer the simple question: “who has access to this file?”.