If you read Chapter One of Identity and Access Management for the Real World, you learned of a proposed “maturity model” for IAM. Just to summarize, I likened your IAM journey to Maslow’s Hierarchy of Human Needs with the pinnacle being governance.
Until access, security, control, and management are taken care of, governance is a near impossibility. That’s why the governance chapter of IAM for the Real World follows the access management chapter. If you are struggling to manage access, you will REALLY struggle to achieve governance.
So what is identity governance?
There are all kinds of technical and jargon-laden definitions, but I like to describe it this way: Governance is making sure you do things right. So from an identity governance standpoint, it means making sure that the right people have the right access to the right stuff in the right way, with all the other right people saying that it is OK that it’s happening that way.
And then there’s what should be governed. There are three major categories where identity and access governance (IAG) comes into play, and no project is complete unless all three are addressed:
End user access to applications
End user access to data
Administrator access to privileged accounts
But it gets hard when you start to consider what all of those rights actually mean in your real world. And it gets really hard when you have to define “right” over and over again, for the same people but on different systems or for different access scenarios. All of a sudden, “right” might not be quite so right. And when governance is an afterthought – tacked on after the fact – it becomes just another area of additional complexity, rising costs, and potential failure. On the other hand, if your access management tasks are performed with a governance mindset, and with governance-enabled tools, the journey up the pyramid is simple and painless. Watch this video on how line-of-business personnel can actually be at the front lines of governance through attestation/recertification.
Put in simple terms, if provisioning is done without an eye towards governance, or governance is imposed on an existing and flawed provisioning implementation, you’re in for a bumpy ride. And if your access governance solution can’t cover data and/or privileged accounts, that’s just one more layer of technology and one more solution that must be deployed, supported, and paid for.
So governance for the real world considers all the rights that are in play across all access types, all user populations, and all systems. And it is tightly coupled with the foundation for everything – provisioning. Watch this video to learn more about provisioning and governance. Here’s a short video on the Dell One Identity approach to identity governance.
To learn more about this real-world approach to governance, download and read Identity and Access Management for the Real World: Identity Governance.