Access Governance is the process of monitoring and controlling who within your organization has access to what, when and how. However, this is easier defined than done. It is easy to confuse access governance with access management, when, in fact, the former’s scope extends beyond merely managing access rights. It defines security processes and policies that can impact an enterprise’s management of data assets.
The growing recognition of the need for access governance can be attributed to multiple factors:
a) Increasingly complex regulations that demand strict adherence
b) The escalating scale and frequency of cyber attacks
c) A recognition of the high risk that disgruntled employees, ex-employees, or simply, careless employees, pose
d) The burgeoning adoption of cloud, which, alongside the scalability and flexibility it promises, also poses a concern on how to monitor which employee has the access what data, using which device.
Today’s intricate regulations make compliance an essential consideration as well. Being able to track, audit, and control what individual employees have access to, reduce misuse, while providing the data trail required for auditsand compliance requirements.
An access governance system governs access rights in multiple ways, by:
- Assigning employees with specific rights to access only what they need to fulfill their job roles and responsibilities, efficiently and in a secure manner
- Aggregating data on user accounts that has access to different applications, databases, data centers, network devices, etc., to offer a single, unified, and easy-to-manage view into access rights and accounts on all systems.
- Implementing strong security controls, and mitigating risks by addressing:
o Privilege creep: when an employee’s job role and hence, responsibilities, change, but he continues to retain old access rights that he does not need anymore, in addition to new access rights
o Stale accounts: accounts that stay alive even after the employee leaves the organization
o Orphan accounts: accounts that do not seem to belong to anyone—they maybe attached to ex-employees or vendors
Deploying an access governance system offers a number of benefits.
It provides a comprehensive view of roles and privileges within each department of the organization, leading to clarity within and about each function. This results in deep insight into how access is used across the organization by different users. An access governance system offers easy-to-understand dashboards that allow business managers a high-level overview, facilitating quick customer response. It enables the regulation and control of access in an efficient, systematic, and continuous manner. An access governance system also positively impacts the certification process. Certification and recertification requirements are reduced and users can be certified on an ad-hoc basis, as required, at any point in time. Furthermore, an access governance system facilitates collaborative and analytics-based decision-making, based on the data aggregated across users and departments.
When deploying an access governance system, keep the following in mind:
- The ideal system should have an easy-to-use interface that provides business users a high-level overview of access rights, as well as details of how these tie into user roles and responsibilities.
- Focus on unstructured data. Most of the data floating around an organization, today, is of the unorganized and unstructured variety. This data doesn’t necessarily exist in a single place that can be accessed in a straightforward manner through a created account (think about the distributed file systems that enterprises use, for instance). Unstructured data tend to be ignored—despite constituting an overwhelming percentage of organizational data—by solutions that focus on controlling access to applications and not the data themselves. Lack of control across these platforms exposes the organization to significant risk.
- View access governance as a business initiative. The moment it is seen as yet another IT initiative with no business context built in, the system is being set up for lack of accountability. For instance, an IT team can grant access based on requests from business, but without a business context as to why that particular access is needed, IT will be unable to take an informed call on the level of access appropriate for that particular role.
- Involve your compliance team when setting up access governance solutions and measures. Their collaboration and inputs are essential for to tick all the right regulatory compliance boxes.
- Setting up access governance policies and processes is only the beginning. More critical is the need to ensure that none of the policies are violated, increasing risk.
- Move the solution towards maturity in incremental steps, by implementing identity audits, access controls and certifications, automated provisioning, compliance reporting and self-service access requests.
- If an identity management system is already in place, ensure that the access governance system integrates seamlessly with it, and they work together to offer a robust security framework.
- The ideal access governance solution should be scalable and future-ready, supporting a wide range of platforms and technologies, and capable of integrating new technologies and tools.
Just like any other security solution, the best access governance systems are not those that are implemented rapidly and then allowed to run uninterrupted. Rather, implementation should be an iterative process that is continually tweaked as policies evolve and visibility into user roles and responsibilities improve. Monitoring regulations continuously and the compliance policies and processes the enterprise has in place minimizes exposure to risk. In this context, automation is key to managing access-related risks in accordance with regulations. Automation helps mitigate risks by remediating issues that arise around access in a timely and efficient fashion.
Prasenjit is a former Happiest Mind and this content was created and published during his tenure.