CIOReview
December 2018

MANAGING USER ACCESS AND IDENTITY FOR BETTER SECURITY

review or adjust them for years. Manual processes are not effective. To succeed, business leaders need to understand and acknowledge that identity management is a business problem; IT can't solve it alone. There are plenty of tools that can help, but they don't solve the problem of broken processes and lack of business involvement.

So what are the steps to creating an Identity Governance and Administration (IGA) program that works?

- Focus on what is important to the business. Not everything connects to everything. Many times, complex customization is required. Thus, not everything can be automated. Find the biggest risk or biggest pain point. We are often driven by quick results to address a business risk or compliance problem: account provisioning and termination, or the amount of time and resources needed to perform a Segregation of Duties (SoD) review, to name a few. Risk, dependencies, and cost of automation should be evaluated before moving forward with your project. Ask business leaders what their pain points are. Successful IGA requires buy-in across all business units and management support.
- Get the processes corrected. Deficiencies in the original processes that are carried over and automated will not produce the expected results. IGA is not about end-to-end automation but about efficiency and consistent business processes. These can differ across applications or lines of business. That is okay. Iron out the process; the tool can help automate it and produce a consistent outcome.
- Business participation is crucial. The entitlement and onboarding should be driven by Human Resources. Different processes have to be built for internal vs. external identities. Contractor and vendor accounts pose the highest risk and usually have the weakest processes. The HR, contingent workforce and vendor management groups should serve as the source of truth for identity entitlement. Access to a system or application should be designed based on business functions or roles. System, data or application business owners are the ones who determine the level of entitlement. Automating controls helps alleviate rubber-stamping of entitlement approvals and the certification nightmare. Regular entitlements should be achieved with role-based or policy-based access. Any emergency, contingent worker, and temporary access should be handled through an access approval workflow.
- Start small. Full IGA is hard to implement; most vendors overpromise. Small wins help to drive the program, but lack of consistency and regular success creates business fatigue. So, start with small wins. Focus on the most risky and critical accounts and applications. Deal with individuals first, then investigate groups and leave service accounts for last. Access entitlement and provisioning, user roles and policy management can get complex. Start with one application or business unit. Access certification can help with regulatory and compliance requirements. Don't underestimate: many components may have dependencies that need to be evaluated. Existing bad processes are what break most IGA implementations. Additionally, any tools that involve users must be frictionless and reduce existing pain points, or they won't matter.
- Look outside of IGA for complements and small wins to support your IAM program. For example, Self-Service Password Management in many cases is a standalone product and has few or no dependencies, but can be a big win for user acceptance. If properly implemented, it allows users to take full control over managing password resets and account lockouts without calling the service desk. Privileged Access Management is an IAM discipline on its own, but many vendors provide discovery tools that can aid in learning what you have in your environment. If you have a very large and complex environment, this can help with an inventory of your universe.

Solving the Identity and Access Management problem is a long journey. It requires vision, planning, and business support. Start with the latter to pave the path to successful implementation.