Identity governance comes along after organizations have already begun implementing identity and access management (IAM) tools and processes. Because it comes later in the IAM project, you are forced to organize and establish a new order to a working environment. It also means you will have to pull some people out of their comfort zone to create a better process for the company.
This may be a challenge, and the disconnect can lead to project failures. A good communication plan, with a clear timeline and project goals, can help. But how can you avoid a project failure altogether?
From Nothing to State-of-the-Art
You may want to spearhead a legendary identity and access project. You demand that everything be perfect and aligned to best practices — and then you fail.
But you would probably be successful if you evolved at each step. Start with the core systems where fraud can drastically affect your company. Once you have established a framework to better understand the target system, collect and mine system roles. This allows you to establish access roles and apply all the changes to an environment to increase your odds of success.
Some Rules Aren’t Set in Stone
Most of the time, operating under the “need-to-know” rule of information security is the right call: Give people the minimum level of access they need to do their jobs. But with identity governance strategies, you probably need to be more flexible.
It is common to have a role that will fit multiple employees, which will likely grant some rights that an employee truly doesn’t need to have. You must find this normal. If you can’t do that, it is better to have individualized roles for each employee and assign access to only that one person.
A word of warning: If you are not flexible, you will work hard. I’ve seen companies with 3,000 users and 5,000 roles.
As you may have already discovered, you cannot do this project alone. Since the system in question is already working and integrated into existing IAM solutions, you have to operate as an organized society.
You will need to ask — and in some cases beg — to managed systems like your SAP to have access to their roles. This is like asking Gollum to hold his ring. So be careful in this interaction; explain you are not trying to take their precious but instead are helping them better manage access to the asset.
Think Practically for Identity Governance
I have noticed some failed strategies were doing well up to moment where you turn the key for daily operation. The roles were well-established, but the world is unstoppable. Organizational changes, as well as systems arriving and leaving, made excellent work disappear.
Even more than access review, when you check who has permissions, you should establish some cycle of role review to make sure that role makes sense for the organization and is still working from an information security standpoint. Don’t forget to nominate role owners to raise any relevant changes or questions to the information security team.
Build Toward Separation of Duties
Closer to the end of your implementation will be the holy grail: separation of duties (SoD). Most project goals include achieving this status, but sometimes we are so excited for it that preliminary tasks are forgotten. Don’t let the final goal break everything. Be patient and keep calm. SoD success depends on a very good access model implementation.
Look to the Future
The future of access modeling looks good. New initiatives such as user-managed access (UMA) were described by Gartner’s Hype Cycle for Identity and Access Management Technologies, 2015. According to UMA specifications, in the future, users will manage access by themselves by simply fulfilling requirements from target systems. In other words, the system has minimum requirements that users must meet to gain access.
Imagine a world without roles — or imagine a world where the expansion of cognitive computing provides a way for a computer to evaluate access and roles. Future technologies may help you, but you’ll need some kind of workaround for today.
Keep It Simple
Identity governance tools should be used to help you to achieve your goal — not to explore all possible product features. Most of the time, the features available don’t fit all your needs. However, some people believe they need to have everything working. If your roles are stable, you won’t need all these capabilities.
This should be your project vision: Keep it as simple as possible. Fewer roles lead to better management and operations. If some systems at your company are secondary, leave it for a second phase or keep it out of your scope.
Fabio R. Sobiecki de Sales, CISSP, CCSP, CDPSE
Published on July/2016.
Originally published on Security Intelligence