The sheer number of users, identities, devices, data, applications and environments within enterprises makes managing user permissions and access while maintaining compliance a unique challenge. This increasingly complex organizational ecosystem makes an identity governance framework necessary to uphold compliance and minimize the risk of a breach.
What is an Identity Governance Framework?
An identity governance framework is the structure or plan your organization can follow to centralize governance across the disparate systems you use for identities, entitlements, privileged accounts, applications and data.
It is the collaboration space where people, process and technology come together to review and manage who has access to your IT systems, resources and assets. The framework provides the foundation for the Identity Governance and Administration (IGA) capabilities needed to govern access across your environment.
Here’s a simple example: at home, your whole family has access to your video and music streaming services, downloaded videogames, and so on. However, your younger children’s access can be restricted; they don’t get to view PG-13 and unsuitable content on any of your services. It’s hard enough to get that right without upsetting your home “users,” so imagine scaling that problem up to thousands of employees with a complex set of IT systems and access methods. Controlling who has access to what becomes incredibly complex, and that’s where an identity governance framework comes in.
In practice, the framework is implemented through identity and access governance software platforms and services that let you control who has access to what resources. They provide a central collaboration point where IT administrators, employees and security staff make coherent, consistent, well-defined and audited decisions about who should have access within the environment.
Identity governance is a critical part of an organization’s cybersecurity strategy because it allows you to centrally manage all user access, in both cloud and on-premises environments.
What is Its Purpose?
Overall, identity governance and administration frameworks are an IT security function that serves the business. IT security keeps the business safe by protecting the organization’s information, assets and people. Identity governance frameworks put security measures in place that protect those resources from cyberattacks and threat actors. Additionally, these frameworks enable organizations to optimize their onboarding processes and evolve rapidly into new markets and regions. The goal is to help everyone get the right access quickly so that they can be ready and productive on day one.
How Does It Work?
If you look inside an operating identity governance framework you will see a combination of automated processes and manual human interactions. The automated processes are driven by pre-defined policies and by learned policies: once the framework has observed entitlement data and access behavior over time, statistical and machine-learning analysis derives a picture of what is normal for a given role, department or peer group. These computations provide insights, spotlight abnormalities and make recommendations to the people interacting with the framework. Overall, the framework automates as much of the identity and access governance work as possible but leaves the important decisions about approvals and access to human approvers: managers, application owners and IT administrators.
For example, say a user works in the marketing department but also holds access to the HR system, an entitlement that almost none of their marketing peers hold. That’s not normal, and they probably don’t need it. The framework spotlights the abnormality and alerts the user’s manager, who makes an official decision about whether the additional HR access is needed and records that decision for audit.
Why is it Important?
Giving full access to every user in your organization would be a disaster. You can’t have IT systems with sensitive information available to just anyone—think about data such as employee health care information or payroll information. To keep your organization safe, you need to ensure that users have the appropriate level of access to do their jobs – no more, no less. Over time it is critical that access levels converge to the “right” level. A well-designed and mature identity governance framework makes this “Entitlement Right Sizing” a natural progression and provides standard workflows, analytics and intelligence to ensure this happens.
Identity governance frameworks reduce users’ permissions to the minimum they need, a least-privilege level. Users can still do their jobs but no longer add to the attack surface available to threat actors. The fewer entitlements a user has, the less an attacker can do with that account if it is compromised. This simple step limits the blast radius of a compromised account and greatly improves your breach resiliency.
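The two analytics described above, spotlighting an entitlement that a user’s departmental peers don’t hold (the marketing user with HR access in “How Does It Work?”) and finding entitlements that are granted but never exercised (the raw material for entitlement right-sizing), are simple enough to show in code. The following is an added example written for this page; it is not code from the article or from any IGA product, and the user data, entitlement names, thresholds and function names are all constructed for illustration. It produces a review queue; it deliberately revokes nothing, because the decision stays with a human approver.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data (not from the article). For each user: department and
# the entitlements held, mapped to the last day the entitlement was exercised
# (None = granted but never used).
TODAY = date(2024, 6, 30)
USERS = {
    "alice": {"dept": "marketing", "ents": {"crm.read": date(2024, 6, 28),
                                            "cms.publish": date(2024, 6, 25),
                                            "hr.payroll.read": None}},
    "bob":   {"dept": "marketing", "ents": {"crm.read": date(2024, 6, 29),
                                            "cms.publish": date(2024, 6, 20)}},
    "carol": {"dept": "marketing", "ents": {"crm.read": date(2024, 6, 30),
                                            "cms.publish": date(2024, 3, 1)}},
    "dan":   {"dept": "marketing", "ents": {"crm.read": date(2024, 6, 27)}},
    "erin":  {"dept": "hr", "ents": {"hr.payroll.read": date(2024, 6, 30),
                                     "hr.employee.write": date(2024, 6, 29)}},
    "frank": {"dept": "hr", "ents": {"hr.payroll.read": date(2024, 6, 28),
                                     "hr.employee.write": date(2024, 6, 28)}},
}


def peer_group_outliers(users, max_prevalence=0.3):
    """Flag entitlements that few of a user's departmental peers hold.

    prevalence = holders of the entitlement in the department / department size.
    Anything below max_prevalence (an assumed tuning knob) is a review candidate.
    Returns (user, entitlement, prevalence) tuples, rarest first.
    """
    dept_size = Counter(u["dept"] for u in users.values())
    holders = defaultdict(Counter)  # dept -> entitlement -> number of holders
    for u in users.values():
        holders[u["dept"]].update(u["ents"].keys())

    flagged = []
    for name, u in users.items():
        for ent in u["ents"]:
            prevalence = holders[u["dept"]][ent] / dept_size[u["dept"]]
            if prevalence < max_prevalence:
                flagged.append((name, ent, prevalence))
    return sorted(flagged, key=lambda t: (t[2], t[0], t[1]))


def stale_entitlements(users, today=TODAY, max_idle_days=90):
    """Flag entitlements idle for more than max_idle_days or never used.

    Returns (user, entitlement, idle_days) tuples; idle_days is None when the
    entitlement has never been exercised.
    """
    flagged = []
    for name, u in users.items():
        for ent, last_used in u["ents"].items():
            idle = None if last_used is None else (today - last_used).days
            if idle is None or idle > max_idle_days:
                flagged.append((name, ent, idle))
    return sorted(flagged, key=lambda t: (t[0], t[1]))


def build_review_queue(users, today=TODAY):
    """Merge both analytics into one queue of (user, entitlement, reasons).

    Nothing is revoked here: the framework surfaces the anomaly and the
    manager or application owner records the keep/revoke decision.
    """
    reasons = defaultdict(list)
    for name, ent, prev in peer_group_outliers(users):
        reasons[(name, ent)].append(
            f"held by {prev:.0%} of {users[name]['dept']} peers")
    for name, ent, idle in stale_entitlements(users, today):
        reasons[(name, ent)].append(
            "never used" if idle is None else f"unused for {idle} days")
    return [(name, ent, why) for (name, ent), why in sorted(reasons.items())]


if __name__ == "__main__":
    for name, ent, why in build_review_queue(USERS):
        print(f"{name:<6} {ent:<18} -> {'; '.join(why)}")
```

On the constructed data, alice’s hr.payroll.read is flagged on both counts (only a quarter of marketing holds it, and it has never been used) and carol’s cms.publish is flagged as idle; everything else passes. In a real deployment the peer grouping would usually combine department, job title and location, and the usage dates would come from application logs rather than a hand-built dictionary, but the shape of the review queue handed to managers is the same.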
What are the Benefits of an Identity Governance Framework?
There are a number of benefits that identity governance frameworks provide for businesses:
- Reduces Operational Costs: When IT administrators have to grant access to assets manually, it becomes very costly to maintain a team large enough to handle all access requests. Automating a large percentage of the process frees up staff to be used elsewhere in the company. Additionally, if you close down identities that are no longer used, the company won’t have to keep paying for them. It’s a no-brainer!
- Reduces Risk and Strengthens Security: Humans are also error-prone, especially when they have to hurry to keep up with vast numbers of requests. Administrators can easily grant users too much or too little access, which either creates friction within the organization or increases the risk those accounts carry. Again, automation can save the day: because identity governance frameworks alert IT admins to abnormal entitlements and access patterns, discrepancies can be addressed quickly.
- Improves Compliance and Audit Performance: The framework’s ability to bring systems under governance through pre-established and ever-improving policies allows you to assure auditors that you’ve got control of your most critical business systems.
- Delivers Fast, Efficient Access to the Business: Identity governance frameworks offer automation, enhanced user experiences and spotlighting of insights that allow IT administrators to make decisions about access quickly. These capabilities speed up access, making it quicker and easier to fulfil access requests.
What are Best Practices to Implement This Framework?
There are a few tactics you can use when articulating the importance of identity governance to your business constituencies:
- Understand your business’ problems and how an identity governance framework can assist with those problems.
- Recruit project managers who understand identity governance requirements. They’ll be the ones who pick the work that takes you down a successful path and make sure everyone on the team knows what they need to do. They’ll also be responsible for promoting the framework to different departments within the company. Let me give you an example of how a good project manager can turn around an identity governance project. At a large retail organization, the stakeholders were not happy with progress. Milestones were being missed, and so on. The fix was to send in an experienced project manager who forced a refocusing on core goals and trimmed the scope creep that was stifling progress. It sounds obvious, but in the cut and thrust of a project you need an experienced and skilled project manager who knows when and how to say “no!”
- Highlight that the framework exists to serve the interests of the organization: What’s important to your organization? Is it security? Operational efficiency? Here’s an example: we discovered during one project initiation that Cybersecurity Insurance has become a topic at board level. The budget started to flow once we framed the identity governance benefits in terms of satisfying prerequisites for that insurance coverage. So, identify what the framework’s drivers should be and revolve the identity governance framework rollout around that.
- Expand your purpose beyond IT security. Promote how the framework will benefit multiple departments, such as HR, logistics, tech, etc. The framework needs to appeal to the business as a whole in order to get funding for the program.
Implementation Mistakes to Avoid
One of the big mistakes people make when trying to implement an identity governance framework is positioning it as a purely IT-related program. Promoting the program as a way to enhance both security and operational efficiency makes it easier to get the resources needed for implementation.
Another mistake is not being strategic about where the identity governance framework is introduced within a large company. To avoid this mistake, think back to which part of your program pitch resonated most with the stakeholders. Was it:
- Security: If security is most important, identify your highest-risk applications and your most valuable systems, and begin your rollout by bringing them under governance. You’ll reduce risk and increase security, and other departments will quickly ask you to onboard their apps and systems too.
- Operational Efficiency: If your primary goal for your identity governance framework is to keep your organization running as smoothly as possible, begin your rollout with the applications that are the most popular among your coworkers and customers. Once you make it easy for people to get access to those applications, you’ll have a backlog of requests that will keep you very busy into the future!
Sometimes we see the case where the governance program team shies away from engaging stakeholders to promote change. A symptom of this is attempting to re-create the same user experience and processes as existing tools and practices. An identity governance program needs to focus on advancing the business drivers that led to its inception, and this often requires promoting and articulating the value of change. Finding that balance between change and keeping the business on-side is part of the art of identity management.
While keeping a focus on the business drivers is key to the success of your identity governance program, it is not true, as is sometimes heard, that “the technology does not matter”. A judicious choice of identity governance framework is key to project success, particularly around native support for emerging facets of access governance such as cloud entitlement governance, application governance, data governance and privileged access governance. A governance framework that provides these capabilities natively gives the project team the flexibility to fit around business priorities and delivers more value to the business. The form factors in which the technology is offered (on-premises, cloud-hosted or as a service) may also be an important selection criterion for you.
Identity and Access Governance Within an Organization’s Full Security Posture
In the same way that identity governance is being asked to take on more business-critical roles, to react and deploy faster and to be easier to use, we are also increasingly being asked to integrate more closely with the rest of the IT security landscape. The goal here is to prevent a siloed IT security stance, which exposes organizations to weaknesses in the gaps between systems. By integrating your identity governance framework with the rest of your organization’s security systems, you will be alerted when an identity is compromised anywhere in your organization, and you can disable or restrict that identity everywhere before it is used to reach other areas, instead of relying on one system’s local defenses to contain it. That kind of end-to-end security connects signals across endpoints, applications, directories, databases and the whole menagerie of things you have to protect across your organization. Remember, you are up against increasingly sophisticated cybercriminals. If you leave gaps, someone intent on exploiting them will find them!
The end goal is an identity governance framework that exchanges data and signals with all other systems within your environment, creating a central hub for identity visibility and management. This becomes the policy definition and information point where you define and enforce centralized access governance and security policies. This is why Identity Governance and Administration must be included as a core work stream in the overall IT security program of any organization.