In working with some of our clients recently, I have engaged in discussions with them concerning their Identity and Access Management (IAM) strategies in light of compliance and risk mitigation, and the topic of Access Governance has been front and center of the discussion. Since this is a timely and relevant issue for many organizations, I feel compelled to share my point of view.

As organizations of all sizes aggressively adopt more cloud applications, their ability to effectively manage access to these applications and to prevent sensitive information from leaking diminishes. The organization’s scope of access governance increases and becomes more complex without sufficient time to plan, test, integrate or automate security controls consistently across on-premise or cloud-based systems and applications. Furthermore, adoption of cloud applications is accelerating, often taking place completely outside of the organization’s IT security group’s purview.

The authorization and access control models in some cloud applications are lax, allowing end users to decide for themselves how information assets are shared and with whom. This increases the risk of sensitive information being compromised or accessed by the wrong person, with little visibility or control on the organization's part.

Additionally, many SaaS vendors are small organizations that, in many cases, lack the maturity in information security to give their customers appropriate assurance that their security practices and controls can prevent unauthorized access or data loss, or help their customers recover quickly when it occurs.

So how do companies get a grip on this problem?  How can you achieve effective access governance in the cloud age?  I view this as similar to the issue of water drainage in construction: water will always find the path of least resistance, so rather than fight against the water flow, you are better off redirecting it so that your structure is not damaged.

What do we mean by Access Governance?

The goal of access governance is to provide appropriate access to the right information to the right people at the right time, while at the same time gaining visibility into what access people actually have.

In our definition, access governance can be implemented using an IAM infrastructure, although IAM’s scope is greater than just access governance.

To be effective at mitigating risk, an access governance solution must grant a user only the most restrictive level of access needed to perform a specific task. We refer to this as the “least privilege” principle.

Given the relevance and criticality of regulatory compliance and risk mitigation, access governance is an essential component of a modern IAM solution, through which organizations can:

  • Gain visibility into who has access to what information assets, which is essential to demonstrating and maintaining compliance and to supporting the audit process on an ongoing basis.
  • Carry out an access recertification process to periodically confirm that the access granted to users is still the level of access they should have, which strengthens the organization’s security posture.
  • Detect, and potentially prevent, conflicting access rights granted to the same user (i.e. segregation of duty [SOD] conflicts) based on defined business and access rules (i.e. SOD rules).
  • Streamline the administration of user access, thus reducing overhead costs and the potential for human error or inadvertent access assignment.

What is involved in Access Governance?

Without going into technical details, an access governance solution should provide:

  1. A clear definition of risk levels, such that information assets can be classified in accordance with the organization’s data classification policy.
  2. A mechanism or methodology for how risk levels for systems and applications should be assessed and catalogued on an ongoing basis.
  3. Access policies and procedures governing how access rights are granted and revoked, along with a mechanism to enforce these policies and procedures.
  4. Mechanisms to enforce access control (authentication and authorization) as the user interacts with the application or system.
  5. Tools to report on and reconcile the access that has been granted to a user against the access the user actually has in a given system or application, along with mechanisms or procedures for resolving any discrepancies or conflicts found.
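To make the capabilities listed above concrete (visibility into who has what, SOD conflict detection and prevention, recertification, and reconciliation of granted versus actual access), here is an added example that is not part of the original article and does not represent any particular IAM product. It operates on constructed sample data: an IAM system-of-record view of granted access, a snapshot of what two hypothetical applications ("erp" and "crm") actually hold, one SOD rule, and an application-owner map; the user names, applications, entitlement names and rule names are all invented for illustration.

```python
"""Access-governance checks over a constructed entitlement inventory.

All data below is constructed for illustration: a system-of-record view of
granted access, a snapshot of access observed in target applications, one
segregation-of-duty (SOD) rule, and a map of application owners who act as
reviewers in a recertification campaign.
"""
from collections import defaultdict

# Access granted according to the IAM system of record:
# user -> {(application, entitlement), ...}
GRANTED = {
    "alice": {("erp", "create_vendor"), ("erp", "approve_payment")},
    "bob":   {("erp", "approve_payment"), ("crm", "view_accounts")},
    "carol": {("crm", "view_accounts")},
}

# Access observed directly in each application (constructed snapshot).
ACTUAL = {
    "alice": {("erp", "create_vendor"), ("erp", "approve_payment")},
    "bob":   {("erp", "approve_payment"), ("crm", "view_accounts"),
              ("crm", "export_accounts")},          # granted outside IAM
    "dave":  {("erp", "approve_payment")},           # no IAM record at all
}

# SOD rules: (rule name, entitlement A, entitlement B) that one person must not hold together.
SOD_RULES = [
    ("vendor-payment", ("erp", "create_vendor"), ("erp", "approve_payment")),
]

# Application owner responsible for reviewing access in each application.
OWNERS = {"erp": "erp-owner", "crm": "crm-owner"}


def who_has_access(granted, target):
    """Visibility: sorted list of users holding a given (application, entitlement)."""
    return sorted(user for user, ents in granted.items() if target in ents)


def sod_violations(granted, rules):
    """Detective control: [(user, rule name)] for every user holding both sides of a rule."""
    return [(user, name)
            for user, ents in granted.items()
            for name, a, b in rules
            if a in ents and b in ents]


def would_violate(granted, user, new_entitlement, rules):
    """Preventive control: names of rules a proposed grant would break for this user."""
    proposed = set(granted.get(user, set())) | {new_entitlement}
    return [name for name, a, b in rules if a in proposed and b in proposed]


def reconcile(granted, actual):
    """Compare granted versus actual access for every user known to either side.

    'unrecorded': present in the application but never granted in IAM (orphan or
                  out-of-band access); 'missing': granted in IAM but absent from the
                  application (provisioning failure). Both need follow-up.
    """
    unrecorded, missing = [], []
    for user in sorted(set(granted) | set(actual)):
        g = granted.get(user, set())
        a = actual.get(user, set())
        unrecorded.extend((user, app, ent) for app, ent in sorted(a - g))
        missing.extend((user, app, ent) for app, ent in sorted(g - a))
    return {"unrecorded": unrecorded, "missing": missing}


def recertification_campaign(granted, owners):
    """Group every granted entitlement under the reviewer who must attest to it."""
    campaign = defaultdict(list)
    for user in sorted(granted):
        for app, ent in sorted(granted[user]):
            campaign[owners.get(app, "unassigned")].append((user, app, ent))
    return dict(campaign)


if __name__ == "__main__":
    print("approve_payment holders:", who_has_access(GRANTED, ("erp", "approve_payment")))
    print("SOD violations:", sod_violations(GRANTED, SOD_RULES))
    print("bob + create_vendor would break:",
          would_violate(GRANTED, "bob", ("erp", "create_vendor"), SOD_RULES))
    print("reconciliation:", reconcile(GRANTED, ACTUAL))
    print("recertification:", recertification_campaign(GRANTED, OWNERS))
```

The reconciliation step is the one most often skipped in practice: it is the only check that surfaces access granted directly inside an application, such as a SaaS admin adding a user outside the IAM workflow, which no amount of policy on the IAM side will reveal. The preventive check (`would_violate`) is intended to run at request time, before a grant is provisioned, whereas `sod_violations` runs over the full inventory on a schedule.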

In part 2 of this 3-part article, we will define the scope of access governance and unique challenges relating to bringing cloud applications under governance.

Frank Villavicencio