gosphotodesign - Fotolia

Policies key to revolutionising Identity Governance and Administration

The proliferation of digital identities, applications, data, security threats and compliance requirements means that Identity Governance and Administration (IGA) has never been more important, but not all organisations are approaching it in an effective and efficient way

Identity Governance and Administration, or IGA, helps businesses to reduce costs by automating access-related tasks, increase security and reduce risk by heightening visibility and reducing inappropriate access, improve compliance, and to give users the access they need to do their jobs.

However, many organisations struggle with IGA processes, particularly around creating and managing roles, allocating and reviewing access entitlements, and dealing with access requests. As a result, IGA is failing to deliver full value to the business.

Starting in the right place is essential to IGA success

The main reason IGA is failing to deliver value is that many organisations are not implementing it correctly. They are not approaching it in a way that is aligned with IGA’s principle of policy-based centralised orchestration of user identity management and access control.

Many organisations are falling into the trap of starting by defining roles, and then assigning entitlements based on these artificially constructed roles. While this works in theory, in practice this leads only to a minefield of complexity that few organisations can manage.

Starting with policies is a much better approach. If policies are the foundation of IGA, then it will deliver the business value it is designed to deliver without all the unnecessary complexity associated with the role-based approach.

Policies are the logical place to start

In the context of IGA, a policy is essentially about who has access to what under what circumstances. For example, User A can print on printer 123, but only when working in the office.

The first step, then, is to define policies in way shown above. Next, group or cluster users with similar entitlements. For example, all those users who can print on printer 123, but only when working in the office.

In this way, roles can be derived from the freshly described policies. Finally, permissions or entitlements can be associated with the roles easily because they are already described in the policies. The entitlement in our example policy is “print on printer 123 when working in the office”.

Policies help address challenges around roles

A policy-based approach has several benefits:

  • Avoids creating complex, artificial roles.
  • Starts with policies that everyone can describe easily.
  • If organisations are pragmatic in clustering, they will be able to avoid a proliferation of roles.
  • Entitlements are easy to define correctly because they are contained in the policies.
  • Policies can be used to derive other policies such as access management polices and even firewall policies.

Deriving roles from policies also means that organisations can work with a 1-tier model for roles instead of complex multi-tier models that are commonly found in organisations today.

Policies, therefore, are the logical place to start because they contain all the essential elements of access management, which means that everything else can be derived from them. The added benefit of a policy-based approach is that as the technology matures, there will be increasing opportunities to use smart software tools to derive entitlements and even other policies automatically. 

Policies help address challenges around reviews

Access reviews are another significant challenge in IGA that a policy-based approach can help address. As mentioned above, a policy-based approach enables policy-based automation, which is extremely useful in reducing the number of reviews required.

Access is typically granted in two ways. First, in response to manual requests where individuals request particular entitlements, and second, automatically based on policy.

Where a policy-based approach to IGA is used, manual requests should be the exception and automated access can be the standard. This means that access can be granted automatically to the groups or clusters of users with similar requirements or characteristics. For example, Users at the same location or working in the same projects will all need access to a common set of resources. These access permissions can be granted and revoked automatically based on attributes such as location and project.

This simplifies the review process enormously because only entitlements made on an exceptional basis in response to manual requests need to be tracked and reviewed. For all other access that is automated, reviews are merely a matter of reviewing a handful of policies, rather than hundreds of individual entitlements.

Furthermore, simply changing a policy can achieve more than changing a role or single entitlement. This can help attain the goal of fewer changes, fewer reviews, fewer requests, and fewer approvals.

Essential processes for policy-based automation

Automation based on policies is strongly recommended as a way of improving and simplifying access reviews. However, for this to work properly, three key important processes need to be in place:

  1. A process for tracking which entitlements have been granted via policies and which have been granted in response to manual requests to ensure that all entitlements are covered either by policy review or individual entitlement review.
  2. A process in place for approving policies before they become active. This is to ensure that the translation of policy into concrete entitlements is correct.
  3. A process for retiring policies when they are no longer appropriate.

Manual reviews: a thing of the past?

In theory, if all manual requests can be eliminated and all access entitlements are done automatically based on polices that are well designed, approved, and managed and working correctly, manual access reviews will no longer necessary.

The fact that policies are already commonly used for things such as access management, and the fact that there is no audit standard requesting roles or static entitlements, means that most auditors are accustomed to polices and could well accept the elimination of manual reviews.

The likelihood that auditors will accept that organisations are meeting the requirement of common audit standards is even greater where organisations create, approve, manage and review policies in structured, well-defined, and well-documented processes. This position can be bolstered even further by adding good processes around identity information quality to ensure the data is always correct.

Although it is unclear how universally the elimination of manual reviews will be accepted by auditors, in the meantime, organisations should aim to achieve as much policy-based automation as possible. This approach will undoubtedly improve the quality of access reviews because there will be far less to do and therefore it will be much easier to do it correctly and efficiently.

Use policies to revolutionise your IGA processes

Adopt a policy-based approach to IGA to reduce the number of manual access requests, reduce the number of access approvals required, and reduce the complexity of access reviews.

While there are other things that can be done to simplify the access review process, such as introducing time-restricted entitlements, policies and automation are the first and most important step towards making IGA simpler as well as more efficient and effective.

Read more about identity and access management

Read more on Identity and access management products