Governance, Risk and Compliance (GRC) has been adopted as the name used to identify access governance applications; in practice, however, it is a strategy made up of interrelated processes aimed at efficient oversight of an organization from a compliance and controls perspective. The convergence of organizational governance, risk management, internal control, performance benchmarking and compliance management defines the interlocking business processes aligned to ‘GRC’. These interdependent activities form a holistic, integrated approach aimed at performance improvement, control efficiency and cost reduction. Each process aligned to the GRC strategy should work towards common terminology, approaches and technology enablement to optimize efficiency and effectiveness across the enterprise.
Staying compliant takes sustained effort, especially when people continually change jobs, work on special projects or leave your organization. The ability to review who has access to what data and where potentially regulated data resides, along with the ability to conduct required security audits and implement continuous controls, has never been more important.
Where do Identity Governance and Access Governance fit into GRC?
Identity and access governance applications serve as tools for technology enablement within an organization’s GRC strategy. As an organization’s approach to GRC advances, automation of tasks, activities and processes becomes imperative to the overall success, agility and return on investment of the GRC strategy’s evolution.
How does Identity Governance differ from Access Governance?
Identity governance solutions are focused on managing the full scope of the identity lifecycle, leveraging a top-down approach and controlling who has the right access to the right applications or data sources. Access governance solutions take a top-down approach to supporting GRC strategies, with close alignment to limiting access risk at a fine-grained entitlement level for end users and technical support resources. The further granularity provided by access governance solutions often includes utilization analytic overlays, supporting ‘can do/did do’ SoD analysis and role design right-sizing initiatives. Both applications support strong business- and IT-facing use cases, while pairing the two provides a complete, 360-degree view of an organization’s risk and controls landscape and significant technology enablement of the company’s overarching GRC strategy.
Just as with a Privileged Access Management (PAM) solution, these two approaches should not be run separately in silos but integrated at the data, process and strategy levels. A good example of this is performing an SoD and sensitive-access risk analysis before an access request is fulfilled, giving an organization the tools and visibility to limit provisioned risk and apply the necessary controls as part of the integrated request workflow.
The combination of SailPoint and industry-leading access governance solutions provides a best-in-class approach to securing identities and enabling compliance. Combining SailPoint with leading governance solutions such as FastPath, SAP GRC Access Controls, GreenLight and Soterion delivers a unified view across all applications and data, including granular policy administration for access control monitoring of ERP systems.
Integrating identity governance and access governance applications provides enhanced visibility and management of system entitlements. By leveraging object-based role composition and robust segregation of duties, organizations can identify and manage access risk more efficiently and effectively.
Integration Use Cases:
- Import third-party access governance policies as SailPoint ‘Advanced Policy’ objects
- Proactive querying of access governance applications for advanced risk analysis during access requests
- Scheduled SoD analysis and mitigating controls assignment and performance for existing conflicts by querying access governance applications
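The pre-request check described above (SoD analysis before an access request is fulfilled, with mitigating controls and the ‘can do/did do’ usage overlay mentioned earlier) can be illustrated with a small evaluator. This is an added example written for this article; it is not SailPoint's, FastPath's, SAP GRC's or any other vendor's code, and the entitlement names, rules, control ids, users and log lines are all constructed for the illustration.

```python
"""Pre-request SoD check with a 'can do / did do' usage overlay.

Added example for this article; not SailPoint's, FastPath's or SAP GRC's
code. Entitlement names, rules, control ids, users and log lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SoDRule:
    rule_id: str
    left: str          # fine-grained entitlement (constructed naming: APP:ACTION)
    right: str         # entitlement that is toxic in combination with `left`
    risk: str          # "HIGH" or "MEDIUM"
    description: str


@dataclass(frozen=True)
class Conflict:
    rule_id: str
    risk: str
    entitlements: Tuple[str, str]
    introduced_by_request: bool   # False: the user already held both sides
    mitigated_by: Optional[str]   # mitigating control assigned to (user, rule)
    did_do: bool                  # both sides actually exercised per usage log


# Constructed ruleset of toxic combinations across two ERP modules.
RULES: List[SoDRule] = [
    SoDRule("SOD-001", "AP:CREATE_VENDOR", "AP:APPROVE_PAYMENT", "HIGH",
            "Create a vendor and approve payments to it"),
    SoDRule("SOD-002", "GL:POST_JOURNAL", "GL:CLOSE_PERIOD", "MEDIUM",
            "Post journal entries and close the accounting period"),
]

# Constructed mitigating-control assignments: (user, rule_id) -> control id.
MITIGATIONS: Dict[Tuple[str, str], str] = {("u.jones", "SOD-002"): "MC-17"}

# Constructed usage log: "<timestamp> <user> <entitlement exercised>".
USAGE_LOG = """\
2024-03-04T09:12:00Z u.jones GL:POST_JOURNAL
2024-03-05T17:40:00Z u.jones GL:CLOSE_PERIOD
2024-03-06T10:03:00Z u.jones AP:CREATE_VENDOR
2024-03-06T11:15:00Z u.smith AP:APPROVE_PAYMENT
"""

# Constructed current entitlements of the requesting user.
JONES_CURRENT = {"AP:CREATE_VENDOR", "GL:POST_JOURNAL", "GL:CLOSE_PERIOD"}


def used_entitlements(log_text: str, user: str) -> Set[str]:
    """Entitlements the user has actually exercised (the 'did do' side)."""
    used = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == user:
            used.add(parts[2])
    return used


def find_conflicts(user: str, current: Iterable[str], requested: Iterable[str],
                   used: Set[str], rules: List[SoDRule] = RULES,
                   mitigations: Dict[Tuple[str, str], str] = MITIGATIONS) -> List[Conflict]:
    """Evaluate the access the user would hold after the request (current plus
    requested) against every rule: 'can do' is holding both sides of a rule,
    'did do' is having exercised both according to the usage log."""
    current = set(current)
    after = current | set(requested)
    conflicts = []
    for r in rules:
        if r.left in after and r.right in after:
            conflicts.append(Conflict(
                rule_id=r.rule_id, risk=r.risk,
                entitlements=(r.left, r.right),
                introduced_by_request=not (r.left in current and r.right in current),
                mitigated_by=mitigations.get((user, r.rule_id)),
                did_do=r.left in used and r.right in used))
    return conflicts


def decide(conflicts: List[Conflict]) -> str:
    """Request-workflow outcome: block a HIGH conflict that the request would
    create without a mitigating control, route any other flagged conflict to a
    risk approver, otherwise let the request proceed."""
    if any(c.risk == "HIGH" and c.introduced_by_request and c.mitigated_by is None
           for c in conflicts):
        return "BLOCK"
    if conflicts:
        return "ROUTE_TO_RISK_APPROVER"
    return "AUTO_APPROVE"


def evaluate_request(user: str, current: Iterable[str], requested: Iterable[str],
                     log_text: str = USAGE_LOG) -> Tuple[str, List[Conflict]]:
    """Full pre-request evaluation: usage overlay, rule evaluation, decision."""
    conflicts = find_conflicts(user, current, requested, used_entitlements(log_text, user))
    return decide(conflicts), conflicts


if __name__ == "__main__":
    outcome, found = evaluate_request("u.jones", JONES_CURRENT, {"AP:APPROVE_PAYMENT"})
    print(outcome)
    for c in found:
        print(c)
```

Running the block evaluates u.jones requesting `AP:APPROVE_PAYMENT`: the request would complete the HIGH `SOD-001` combination with no control assigned, so the workflow blocks it, while the pre-existing `SOD-002` conflict is reported as mitigated by `MC-17` and as a ‘did do’ conflict because both sides appear in the usage log. The same `find_conflicts` routine run over all users' current access (with an empty request set) is the scheduled analysis of existing conflicts that the third use case describes.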
See the following capability comparisons between identity governance and access governance applications:
| Capabilities | Identity Governance | Access Governance |
|---|---|---|
| Provisioning/Automated Lifecycle Management | Streamline the onboarding and off-boarding process with best-practice configurations and policy-based automated workflows | |
| Self-Service Access Requests/Approvals | Empower users with a self-service process to request and manage access to resources | |
| Password Management | Provide users an easy, intuitive way to change or reset passwords themselves while enforcing strong password policies across all applications and systems | |
| Separation of Duties (SoD) | Enforce critical risk and compliance controls with policies that expose toxic combinations of access across multiple systems and applications | |
| Access Certification | Maintain compliance and ensure audit-readiness by reviewing user access | |
| Primary User Interface | Utilize a single pane of glass for visibility and control across both SAP and non-SAP applications/data while also leveraging your existing SAP GRC investments | |
| Cloud and Data Access Governance | Gain a comprehensive view of access to all resources, including applications, data and multi-cloud infrastructure | |
| Identity Analytics | Anticipate user access needs, identify risky behavior, achieve continuous compliance, and adapt and automate security policies | |
| Preventative Risk Analysis | Provides coarse-grained preventative risk analysis with configurable business rules | Leverages access request data from SailPoint to provide immediate fine-grained risk analysis using existing access rulesets and mitigating control assignment |
| Object-level Visibility | | View and govern the composition of complex access objects and monitor ERP access model changes |
| Control Consideration | | Provides the capability to develop a library of mitigating controls that can be associated with your risk ruleset, giving a complete picture of how access and identity risk are actively managed in your user access control environment |
| Configuration Tracking | | Provide detailed tracking of key configuration changes within SAP and Oracle, which can have a significant impact on access and identity risk |
| Risk Quantification | | Leverage SAP transaction data to quantify the financial exposure of segregation-of-duties conflicts in your SAP environment, giving a value to your risk conflicts for advanced decision making |
| Utilization | | Use advanced T-Code utilization reports to identify the specific SAP functionality used by end users. This detailed reporting also assists with role design processes to follow the principle of least privilege. |
| Firefighter | | Allow emergency access provisioning to either occur immediately with a pre-approved methodology or follow a traditional request path, while providing controls to monitor, review and approve the access and the associated activities performed |