In this chapter
- Understand how identity governance is addressing the challenges of complex threats, diverse workers, cloud computing, and unstructured data
Table of Contents
- Identity Moves to the Center of Security
- The Power of Identity Governance
- Identity Governance in Action
- Identity Governance and the Cloud
- Building your Strategic Roadmap
- Selecting the Right Partners
In the previous chapter, we looked at how changes in the way we work have created major new challenges for identity governance. In this chapter, we examine how identity governance technologies and processes are meeting those challenges.
Adopt User-Centric Security
Most organizations employ a network-centric or an application-centric approach to cybersecurity. That is, they start by asking, “How can we defend each network segment,” or “How can we defend each application?” They then rely on tools like firewalls, intrusion prevention systems (IPSs), and security information and event management (SIEM) systems to detect and block attacks on the individual network segments and applications.
Unfortunately, many of these organizations look at managing identities as an afterthought. They don’t invest enough time and effort in critical tasks such as:
- Analyzing who actually needs to access each net.work segment or application, and who has permissions they don’t need
- Identifying orphan accounts and SoD violations
- Providing business context to determine whether jamesjones, jjones, jim.jones, and jjsalesmgr are four different people, one person who accesses four resources, or something in between
- Deciding which identities are high risk (because they have access to sensitive information or applications covered by regulations and compliance standards)
Orphan accounts are accounts associated with people who have left the organization. SoD policies prevent one person from performing multiple acts to perpetrate a fraud (e.g., creating a phony vendor account and then issuing checks to it).
In contrast, organizations that use identity governance to take a user-centric approach to security are able to:
- Remove unnecessary permissions and accounts before they can be exploited by cybercriminals and hackers
- Ensure that SoD and other identity-related controls are in place and enforced
- Correlate identity information with identity attacks (e.g., notice that jjones, jim.jones, and jjsalesmgr tried to log on to different applications at the same time from three different locations)
- Provide extra monitoring and controls for high-risk identities
Organizations that take a user-centric approach to cybersecurity don’t ignore firewalls, IPSs, SIEMs, and other proven security tools. However, they start by thinking about how to obtain and use accurate identity information, and how this information can strengthen all aspects of security.
To take a user-centric approach to security, start by answering three questions: (1) Who has access today? (catalog existing users and resources to determine who is currently using what to do their jobs), (2) Who should have access? (model who should have access to resources and data based on their needs and organizational policy), and (3) How is that access being used? (monitor and audit to identify suspicious activities and to continually improve the access model).
Connect to Everything
Identity-related information includes data about computer system users, accounts, groups, permissions, and entitlements. It also includes details about computing resources such as applications, network segments, databases, and sometimes documents and files.
An enterprise-grade identity governance solution connects to every application and system in the IT environment, both those in on-premises data centers and those hosted in the cloud.
Directories, applications, and other identity repositories
In most organizations, HR systems and enterprise directories like Microsoft Active Directory are the systems of record for employee identity information such as names, contact information, titles, roles, reporting relationships, organizational units, and major system accounts.
However, HR systems and directories contain only a subset of identity information within the organization. Most people have accounts, permissions, and credentials for multiple applications and devices. These might include email and collaborative tools, financial and other enterprise applications, professional and line-of-business applications, and computers and other devices owned by the business and by the individual.
An identity governance solution should be able to connect to every directory, application, and other repository of identity information so that it can create a complete, highly granular picture of the permissions available to each individual.
Cloud applications and platforms
As more corporate and collaborative applications move to the cloud, identity governance solutions are adding capabilities that allow them to connect to cloud-based applications, just as they have connected to on-premises applications. Key cloud applications include:
- Business applications provided by SaaS vendors (e.g., Salesforce, Workday, Atlassian JIRA)
- Email and collaboration solutions (e.g., Microsoft Office 365, Google G Suite, Slack, HipChat)
- Commercial and “home-grown” applications running on cloud platforms such as Amazon Web Services (AWS) and Google Cloud Platform.
Some advanced identity governance solutions are now able to connect to applications and repositories that hold unstructured data, including:
- Local file servers and network attached storage (NAS) systems)
- On-premises email and collaboration applications, such as Microsoft Exchange and SharePoint
- Online file storage applications, such as Microsoft OneDrive, Box, Dropbox, and Google Drive.
There are several important standards in the identity management field that support interoperability. These include the Lightweight Directory Access Protocol (LDAP) for accessing and connecting directories, the Security Assertion Markup Language (SAML) for exchanging authentication and authorization data, and the System for Cross-domain Identity Management (SCIM) for sharing information about user attributes, group memberships, and provisioning actions.
Identity governance solutions can give organizations a single view into all identity-related information in the IT environment.
Information about users and resources
An identity governance solution can provide comprehensive visibility into information about users, their devices, the accounts they use, the resources they access, and the permissions they have been granted.
If you can answer the question, “Who has access to what?” in a comprehensive way, you can perform tasks such as:
- Revoking entitlements that are rarely or never used
- Eliminating unnecessary entitlements by asking the administrators or “owners” of applications and resources to specify who actually needs access
- Comparing users with similar roles and responsibilities to pinpoint those who have excessive permissions
These activities will help you remove unnecessary entitlements that could be used by attackers, and also pass compliance audits.
Data about requesting access and creating accounts
Identity governance is also about processes. An effective identity governance solution will monitor events related to requesting, approving, revoking, and certifying access rights and creating user accounts.
If you have detailed data on events generated by these processes, you can:
- Analyze whether permissions are being requested, approved, and revoked by the right people
- Determine if users are granted permissions quickly, so they can become productive, and if unnecessary permissions and orphan accounts are being revoked promptly to reduce risks
- Flag suspicious activities, such as creating new admin accounts (a favorite tactic of hackers), or requesting access to systems a particular user shouldn’t need
- Determine if entitlement certifications are being performed according to policy, and whether they are being performed conscientiously or in an inattentive, perfunctory manner
- Look for ways to streamline request, approval, and revocation processes
Make sure your identity governance solution has visibility into events that are generated outside approved processes. For example, it could create alerts when application owners create new user accounts without going through the normal request and approval process. But the system should also be able to manage exceptions. For instance, you might have a policy that only members of the HR department can access the payroll application. You might make an exception for a small office where the local administrator manages personnel. In that case, your identity governance solution should flag the exception, record why it was approved, and enforce reviews more often than typically required.
The best identity governance solutions empower employees and managers to perform identity-related activities quickly and easily. The key is replacing complex spreadsheets and confusing user interfaces with intuitive interfaces and work.flows that match real business processes.
Employees want to minimize the wait time between request.ing and receiving access to resources. Identity governance tools can automatically provision access to new employees, streamline request and approval workflows for existing employees, and in some cases eliminate wait times entirely by giving users access to self-service interfaces.
Identity governance products offer features to speed up work.flows and avoid bottlenecks. Options can include allowing multiple approvers to be contacted in parallel (rather than serially), allowing approvers to delegate their role when they are busy, and flagging approvers who do not respond to requests within a pre-determined time. Have someone in your organization learn and configure these options, because they save a lot of employee time and avoid frustration.
Employee education is critical, including training on how to use the tools and workflows provided by your identity governance solution. It also includes education on security practices. For example, all employees should be trained on the importance of password hygiene such as creating strong, unique passwords and resetting them on a regular basis. You also need to plan how you are going to reinforce the education by offering refresher courses on the identity governance tools, and by routinely testing and enforcing compliance with password policies.
Business managers and resource owners
Businesses are complex. Jobs are complex. IT can’t realistically be expected to understand all the details of organizational structures and roles, or all the resources and permissions needed to perform jobs. In contrast, business managers and resource owners1 should understand their organizations and how jobs are done.
Well-designed identity governance solutions empower business managers and resource owners to participate in the process of defining access policies and modeling roles. They enable this participation by providing interfaces that use non-technical terminology and common business concepts.
The same principle applies to certification processes, which have been a sore point for years in many organizations. Most managers, when presented with baffling technical questions, respond by approving 100 percent of existing entitlements (“How the heck should I know if Francis really needs access to \\Shares\Corp?”). Well-designed identity governance solutions provide intuitive interfaces that allow business managers to play an active role in pruning unnecessary permissions.
Identity governance solutions can help automate IT controls and give confidence to the IT organization that corporate policies are being enforced. For example, data supplied by an identity governance solution can be used to:
- Automate and accelerate time-consuming processes
- Eliminate orphan accounts and unnecessary permissions
- Find and resolve violations of SoD policies
- Implement extra controls and monitoring for high-risk accounts and users
- Streamline access requests and certification processes
Saving $1 million+ annually at Rockwell
Rockwell Automation faced a serious challenge when trying to improve its processes for requesting and granting access to computing resources. At least 25 different processes could trigger requests. In 20 core applications alone there were more than 8,000 requestable entitlements and more than 1,000 requestable roles. A staff of 23 contractors was needed to process 82,000 requests each year. Many new employees were unable to work while waiting for their requests to be fulfilled.
An advanced identity governance solution helped Rockwell Automation achieve its objectives of:
- Automating user provisioning
- Streamlining regulatory compliance
- Providing better visibility into the access assigned to identities
The results included handling 75 percent of the access requests automatically, many through self-service; reassigning most of the contractors to other tasks; and onboarding new employees faster. Savings exceeded $1 million annually. Additional benefits included improving the certification process and revoking permissions much faster when employees left the company.
Strengthen Other Security Technologies
Identity governance solutions can improve the effectiveness of other security technologies. For example:
- Integration with privileged account management (PAM) products improves your ability to monitor privileged user accounts and prevent insider attacks.
- Integration with mobile device management (MDM) products allows you to provision approved apps to mobile devices, control what software can be installed there, require employees to use multi-factor authentication when accessing corporate resources, and even protect data by lock.ing or wiping devices when they are lost or stolen.
- Integration with SIEM systems helps analysts “connect the dots” and separate real attacks from false alerts by correlating identity data across devices and applications, as well as between cloud and on-premises environments.
- Integration with data loss prevention (DLP) software can allow you to enforce very granular policies about what information and documents can be disseminated outside the organization or uploaded to public cloud storage services.
Protecting project breakthrough
Consider this scenario.
Charlie is working on a three-month contract at Company X to document the new engineering design system. He finds projectbreakthrough.docx, a file describing a major innovation. Charlie thinks it might be nice to FTP this file to his server at home.
Before the file reaches the firewall, the DLP software at Company X detects the text string “break.through” and recognizes that the file may contain confidential intellectual property. Because the DLP software and the identity governance solution are integrated, the DLP system knows that (a) Charlie is a contractor, and (b) contractors do not have permission to send files containing confidential information outside of the corporate network.
Depending on Company X’s policy, the DLP software and identity governance solution might take any or all of the following actions:
- Send a warning email to Charlie
- Send a warning email to the security operations center (SOC)
- Block the file transfer
- Suspend Charlie’s accounts
One of the big pushes in the identity governance world is to add identity analytics capabilities to identity governance solutions. This means giving analysts and administrators tools to slice and dice identity data so they can answer questions like:
- Which employees and temporary insiders have the most access rights and the most privileged entitlements?
- Who has substantially more accounts and per.missions than others with the same roles and responsibilities?
- Who has permissions that violate SoD policies?
- Are some people approving their own access requests, or bypassing approved provisioning processes (for example, administrators who create new accounts directly in applications)?
- Which business units have the most privileged accounts and the most orphan accounts?
- How long does it take to revoke permissions when an employee or contractor leaves the organization, and how comprehensive is that process (e.g., does it extend to mobile devices and cloud applications)?
This type of analysis highlights risks, such as individuals with excessive entitlements that they might someday abuse, or that could be used by a hacker who stole their credentials. It can also suggest where and how identity management processes need to be improved.
- Resource owners are administrators and analysts responsible for configuring and managing specific applications, as well as computing services such as email, file shares and networks.
You might also be interested in:
Find out how SailPoint can help your organization.