The Identropy Blog


Am I Ready to Embark on a Role Management Effort?

 

OK, this is a trick question; as of today, you really don’t have a choice. You need a role-based approach to access governance. The real question is: “how much can you handle, and how much automation can you afford?” The days of debating whether or not to manage roles are long gone.

As I explained in a 2-part blog article last year, whether you want to admit it or not, you are already in the business of role or entitlement management. You might be on the end of the spectrum where you manage access at a very granular level (entitlement level) and perhaps have no automation, but you are already doing something. Or you might find yourself on the other end of the spectrum, where your organization is not doing enough and is forced into a reactive mode when answering two popular questions asked by your auditor(s):

  1. Do you know what access a given user actually has?
  2. Is this user’s access what it should be?

A few years back, being able to answer the first question through an Identity and Access Management (IAM) initiative was like reaching the top of Mount Everest. Nowadays that is only a partial achievement: you also need to be confident that each user’s access is what it should be (and why).

Now, if you have been in IAM for an appreciable time, you likely realize that answering the first question is not trivial in and of itself. You arrive at that question only after you have implemented and maintained a reliable identity data repository (a directory, a meta-directory, a database, etc.), kept up to date either by automated data feeds from authoritative sources or by event-driven changes. And hopefully you have automated the majority of these changes, so that the identity data quality is high. This implies having deployed data synchronization, access request and provisioning technologies, all working in unison to assemble and manage a single logical identity corresponding to each individual, made possible by a reliable namespace and identification method. Only from such a data source will you be able to tell what access a given user has, actually believe it, and, better yet, have your auditor rely on it as the basis of his or her assessment.

But now, in 2011, it is fairly common for a mid-size organization to manage access for several hundred users to over one hundred applications, which can be a combination of internally hosted applications, whether homegrown or 3rd party, and SaaS or hosted applications. For each application, you may have to manage perhaps ten individual entitlements or authorizations. This means the scope of your access governance initiative could easily be north of 10,000 user-to-entitlement permutations: not trivial, and well beyond the abilities of spreadsheets and manual processes. So chances are you are already in the process of implementing a role management framework, or are seriously thinking about doing so.

So, how do I get started with this so I can make a dent?

Here are 8 suggestions:

  1. Define your goals – before you start, identify what are the goals of your access governance initiative – streamline compliance reporting and access recertification, reduce time and cost to complete a user access review process, be able to better delegate authorization decision making to business owners, etc. It is important that your goals be well defined before you start so you can prioritize accordingly.
  2. Be disciplined – Once you have your goals, you will need to identify and engage your access governance stakeholders, ensure they understand why they are involved and what is expected of them, how much of their time you anticipate needing, and develop a working model to solicit their input.  Ensure that your governance model is suited for your organization; otherwise it may lose steam and run out of momentum.  In a prior post, we made some suggestions for a practical approach to instituting an IAM governance model.  Your initiative will not succeed unless you have buy-in from the business stakeholders.
  3. Divide and conquer – you cannot make a quantum leap to instituting an access governance framework, particularly if you already have some things in place that will need to continue to work.  Decide what is a feasible scope that can be completed in a first phase, one that shows enough value to allow the initiative to gain momentum and lets you continue on to other phases.  Here are some recommendations I made in a prior article on how to prioritize and chew away at your role management strategy.
  4. Define the processes – how are entitlements defined, grouped into role hierarchies, requested, assigned, and re-evaluated? You need to define the processes that will govern your initiative, and ensure that they are practical and can scale over time (delegate as pertinent). Remember in the end state, IT should not be in the business of approving all access; the appropriate business owner should be the one making that decision.
  5. Classify and clean your data – beyond being able to uniquely map accounts to individuals across various systems, clean identity data also means having entitlements that are appropriately catalogued and prioritized.  Not all entitlements are created equal, and you need to ensure that you first focus on those with higher sensitivity.  As you catalogue entitlements, ensure the appropriate application owner is tasked with describing, in plain English, what each entitlement means.  In steady state, you should require application owners to do this inventorying proactively for any new application, before the application is brought under governance.
  6. Decide what and how much to automate – automation will certainly help, and in today’s environment one has to be smart about whether the work is suitable for humans or for computers. There are many choices of products in the access governance area, with many having reached a good level of maturity; such that you have many options that can be successful. Moreover, you also have choices for how you go about it: do you want a traditional, perpetual-license, SDLC model for implementing the solution?  Or do you prefer a managed service approach where a vendor will build and run the solution for you, whether on or off premise?  For certain aspects of your role management framework, you may consider a provider that can help you with your role mining and role engineering initial effort, and once that’s done, you can either implement your own role management solution in-house or use the same or another provider to do that for you.
  7. Recalibrate periodically – fine tune your governance model, update the stakeholder list, review your business-level role definitions, and recertify entitlement and role assignments periodically.  This is not only good practice, but also an essential control in most compliance approaches to ensure your program is effective. Retire or redefine outdated or obsolete roles, add new ones, and ensure the overall number of roles at the highest levels (business or enterprise level) does not grow out of control.
  8. Educate yourself – read relevant information, and as you do, ensure that vendor-biased information does not poison you. Join industry forums, talk to peers in your industry who may have done it, whether successfully or not, and also consult with your IAM consulting or advisory services provider.  I recommend education even if your team has experience undertaking this kind of effort, since there is always something new to learn from partners or industry peers.
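To make the two auditor questions and the role hierarchy of suggestion 4 concrete, here is an added example (my own illustration, not code from the original post or from any product): a small role-based reconciliation. Roles inherit entitlements from their parents, an entitlement catalogue carries the owner-supplied sensitivity and plain-English meaning from suggestion 5, and the reconciliation compares what each system reports a user actually holds against what the user’s roles justify. The role names, entitlement keys and user data are all constructed for the example.

```python
"""Toy role-based access reconciliation (added example; all data constructed)."""
from collections import Counter

SENSITIVITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Entitlement catalogue: key -> (sensitivity, plain-English meaning from the app owner).
# Constructed for this example.
CATALOGUE = {
    "AD/domain_user": ("low", "Can log on to the corporate domain"),
    "CRM/read_accounts": ("low", "Can view customer account records"),
    "CRM/export_accounts": ("medium", "Can export customer lists to CSV"),
    "HR/view_payroll": ("high", "Can view payroll data for all employees"),
    "HR/edit_payroll": ("high", "Can change salary and bank details"),
}

# Role hierarchy: name -> (parent roles, entitlements granted directly by this role).
ROLES = {
    "employee": (set(), {"AD/domain_user"}),
    "sales_rep": ({"employee"}, {"CRM/read_accounts"}),
    "sales_manager": ({"sales_rep"}, {"CRM/export_accounts"}),
    "payroll_clerk": ({"employee"}, {"HR/view_payroll"}),
}


def effective_entitlements(role, roles=ROLES, _path=()):
    """Entitlements a role grants, including everything inherited from its parents.
    Raises ValueError on an undefined role or a cycle in the hierarchy."""
    if role in _path:
        raise ValueError("role hierarchy cycle: " + " -> ".join(_path + (role,)))
    if role not in roles:
        raise ValueError("undefined role: " + role)
    parents, direct = roles[role]
    granted = set(direct)
    for parent in parents:
        granted |= effective_entitlements(parent, roles, _path + (role,))
    return granted


def expected_access(assigned_roles, roles=ROLES):
    """What access *should* this user have, given the roles assigned to them?"""
    expected = set()
    for r in assigned_roles:
        expected |= effective_entitlements(r, roles)
    return expected


def by_sensitivity(keys, catalogue=CATALOGUE):
    """Order findings so high-sensitivity entitlements are reviewed first."""
    return sorted(keys, key=lambda k: (SENSITIVITY_RANK[catalogue[k][0]], k))


def reconcile(assigned_roles, actual, roles=ROLES, catalogue=CATALOGUE):
    """Auditor question 2: compare the access actually provisioned on the systems
    with the access the user's roles justify."""
    unknown = set(actual) - set(catalogue)
    if unknown:
        # An entitlement no owner has catalogued cannot be assessed; fail closed.
        raise ValueError("uncatalogued entitlements: " + ", ".join(sorted(unknown)))
    expected = expected_access(assigned_roles, roles)
    return {
        "out_of_role": by_sensitivity(set(actual) - expected, catalogue),  # held, not justified
        "missing": by_sensitivity(expected - set(actual), catalogue),      # justified, not provisioned
        "matched": by_sensitivity(expected & set(actual), catalogue),
    }


def audit_report(assignments, provisioned, roles=ROLES, catalogue=CATALOGUE):
    """Reconcile every user and count out-of-role findings by sensitivity,
    so the review can be scoped to the riskiest items first."""
    users = sorted(set(assignments) | set(provisioned))
    findings = {
        u: reconcile(assignments.get(u, set()), provisioned.get(u, set()), roles, catalogue)
        for u in users
    }
    totals = Counter(catalogue[k][0] for f in findings.values() for k in f["out_of_role"])
    return findings, dict(totals)


# Constructed sample data: role assignments from the identity repository, and
# entitlements as reported back by each application (what the user actually has).
ASSIGNMENTS = {"asmith": {"sales_manager"}, "bjones": {"payroll_clerk"}}
PROVISIONED = {
    "asmith": {"AD/domain_user", "CRM/read_accounts", "CRM/export_accounts", "HR/edit_payroll"},
    "bjones": {"HR/view_payroll"},
}

if __name__ == "__main__":
    findings, totals = audit_report(ASSIGNMENTS, PROVISIONED)
    for user, f in findings.items():
        for k in f["out_of_role"]:
            sens, meaning = CATALOGUE[k]
            print(f"{user}: OUT OF ROLE [{sens}] {k} - {meaning}")
        for k in f["missing"]:
            print(f"{user}: MISSING {k}")
    print("out-of-role findings by sensitivity:", totals)
```

Run as a script, this flags asmith’s HR/edit_payroll as a high-sensitivity entitlement no role justifies, and bjones as missing the AD/domain_user entitlement the employee role should have provisioned. Two design points worth keeping in a real implementation: a cycle or an undefined parent in the role hierarchy aborts the run rather than silently under-reporting access, and an entitlement nobody has catalogued is treated as an error rather than ignored, which is exactly why suggestion 5 asks application owners to inventory entitlements before an application comes under governance.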

I hope these suggestions help you, and if they don’t, that you at least let me know.  I would love to be able to extend, fine tune and update these suggestions to come up with the most useful suggestions possible. Thanks in advance for your input.
