While identity governance is beginning to get more mainstream attention, companies are still struggling to understand what features and functionality fall under the identity governance umbrella. In last week’s Computer Technology Review, Jackie contributed an article, “Gaining Visibility and Control with Identity Governance: A Guide to Getting Started,” in an effort to help companies better understand the technology. The article includes a section outlining the basic capabilities that a comprehensive identity governance solution should have:
- Data aggregation and correlation: The starting point for identity governance is centralizing a company’s identity data. This process involves creating a single repository for user and access information by extracting data from the high-risk systems and applications, resolving any inconsistencies between the various data sources, and creating an enterprise-wide view.
- Automated access certifications: The solution should allow a company to perform automatic and regular review and validation of user access privileges across all critical resources to ensure that users have the appropriate access to perform their job responsibilities, reducing overall risk and chances of non-compliance.
- Policy enforcement: To be effective, an identity governance solution must identify and centrally manage access policy allowing business rules such as separation-of-duty policy to be enforced across all critical resources.
- Role lifecycle management: The solution should facilitate an automated creation of roles that align user access control with a user’s business or job function and lifecycle management of each role – from creation and modification to approval and, when necessary, retirement.
- Access request management: The most innovative identity governance solutions will enable managers and end users to conveniently request new access or make changes to existing access privileges within the constraints of a pre-defined identity policy and role model, and automate the approval and review process of such requests.
- Risk scoring and assessment: Evaluate how (or even if) the solution can quantify risks for users and resources across the IT environment and prioritize security and compliance efforts accordingly.
- Reporting and Analytics: To successfully integrate line of business managers in the governance process, a basic identity governance solution will use dashboards, reports, and ad-hoc query capabilities to improve oversight and provide evidence of the effectiveness of controls.
To help companies work through some of the complex issues and questions that are key to building a successful identity governance strategy – from understanding business needs to prioritizing the steps for an implementation to evaluating solutions – SailPoint created the Selecting the Right Identity Governance Solution. Our goal with both the buyer’s guide and the article is to help you get a handle on your specific business needs and determine how (or if) identity governance can help.