As IT landscapes became more complex and the need to assign authorisations grew, identity management solutions were developed and introduced. These systems were, and still are, focused on the administration of users and their rights.
Because of the growing threat landscape and the stricter regulations that follow from it, simple administration solutions are no longer sufficient in many cases. Auditors and accountants demand an insight into the allocation of user authorisations that they can actually understand. This is where modern identity governance solutions can help.
- What is Identity Governance?
Almost all security regulations require organisations to answer the following three questions regarding the management of users and their authorisations:
– Who has access to the IT resources?
– What can they do there?
– How can I prove this – especially to auditors?
While the first two questions can be answered by a conventional identity administration solution, providing proof of the authorisations assigned and the associated processes is often a major challenge. In addition, there is the requirement to present identities and authorisations in a way that is understandable for the specialist departments, which is usually only fulfilled by identity governance solutions. In this respect, these solutions answer all three of the above questions in a comprehensible form.
The task of identity administration solutions is to manage identities by mapping the "user life cycle" (joiner, mover, leaver) in the organisation. Identity governance, on the other hand, is intended to provide proof that users have the "right" rights according to the organisation's guidelines. Both are components of identity management and are often referred to together as identity governance and administration (IGA).
- Reasons for Identity Governance
There are several reasons why identity governance has become important and continues to gain importance. Firstly, more and more user groups (employees, partners, customers, etc.) access an increasingly complex IT environment via more and more access points (mobile, cloud). Secondly, and this is likely the decisive factor, the growing threat landscape has led to ever stricter compliance regulations that apply to more and more companies and organisations. Among other things, these regulations require proof of which users exist and which authorisations they hold.
Identity governance solutions were developed from the perspective of specialist departments and auditors in order to make assigned authorisations transparent, traceable and easier to administer from their point of view and independently of IT. Their aim is to improve the implementation and verification of business processes and compliance regulations.
The next evolutionary stage is Identity Analytics, which has developed from Identity Governance. Identity analytics provides a deeper insight into the users in the company, their rights and how they are used. Based on metrics, behaviour and context, it is possible to make predictions about usage and risks and react better to changing conditions in the area of user management.
- Functions of identity governance
Identity governance solutions should provide proof that security guidelines relating to users and authorisations are implemented and that users have the right rights and no more rights than necessary. Identity governance solutions provide the information required for this proof. To this end, these solutions offer the functions described below:
1. Access visibility
The basis for all other functions is first and foremost the central visibility of the assigned authorisations. Authorisations can be business roles, IT roles or authorisation objects defined in target systems (e.g. Active Directory groups, including rights inherited through nested groups). The display must clearly show which effective rights a person has on each target system.
2. Access certification
As it is generally not possible to ensure that everything runs correctly when granting and withdrawing rights, their correctness must be confirmed regularly. Identity governance solutions allow the definition of recertification campaigns for this purpose, which select the users to be certified and their rights according to certain criteria (only certain departments, only certain applications). Such campaigns, which can be monitored centrally, ensure that users only have the necessary rights. The prerequisite, however, is that the number of rights to be certified is manageable and understandable for the certifier; a certifier faced with hundreds of cryptic technical entitlements will approve them wholesale, which defeats the purpose.
3. Segregation of Duties
One requirement of many compliance regulations is the strict separation of certain tasks within the organisation. For example, the same person should not normally be allowed to order goods and pay incoming invoices. Identity governance solutions support these requirements through segregation of duties (SoD).
Static SoD refers to the separation of tasks enforced through the rights assigned to a person, i.e. a person must not hold two conflicting rights at the same time. Dynamic SoD, by contrast, can only be realised by the application itself, as the context of the individual transaction (for example, who created the specific order that is now being paid) is required. In many identity management systems, SoD is described on the basis of defined roles. However, as roles are already used for the provisioning of rights, they are often complex and cannot be understood by auditors and accountants. Auditors think in terms of business activities. Modern identity governance solutions therefore define SoD rules on the basis of business activities and map technical entitlements onto those activities. This is usually much simpler and more straightforward than defining roles, and it also provides a control mechanism that indirectly checks whether the roles are defined correctly.
4. Role management
Roles are primarily needed by identity administration solutions for the efficient provisioning of rights. However, the administration of roles also falls within the scope of identity governance for two reasons in particular.
Firstly, a lean role model is required in order to minimise the number of rights to be recertified and thus keep them manageable. Secondly, the role management process requires in-depth knowledge of the business processes in addition to IT expertise. The person who has to model the roles is supported by so-called "role mining": the identity governance solution analyses which entitlements are held in common by groups of users, generates role proposals from these patterns and, in the best case, visualises them graphically.
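The three functions above (access visibility, access certification and role mining) as an added Python example that is not part of the original article and not any product's code. The target systems, group names, departments and certifiers are constructed for illustration. Effective access is computed by flattening nested group membership, a campaign is scoped by department and application, decisions that were never made are reported rather than silently counted as approval, and role mining proposes roles both from identical entitlement sets and from the subset every member of a department holds:

```python
"""Added example: effective-access visibility, recertification scoping and simple
role mining on a constructed entitlement model (hypothetical organisation)."""
from collections import defaultdict

# Constructed sample data. Target system -> group/role -> members. Members may be
# users or, as in Active Directory, other groups (nested membership).
GROUPS = {
    "AD": {
        "G-Finance-All": ["alice", "bob", "carol", "G-Finance-AP"],
        "G-Finance-AP": ["dave", "erin"],
        "G-SAP-Payments": ["G-Finance-AP"],
        "G-IT-Admins": ["frank"],
    },
    "SAP": {
        "R-FI-PostInvoice": ["alice", "bob", "carol"],
        "R-FI-ReleasePayment": ["bob", "dave", "erin"],
        "R-BASIS-Admin": ["frank"],
    },
}
DEPARTMENT = {"alice": "Finance", "bob": "Finance", "carol": "Finance",
              "dave": "Finance", "erin": "Finance", "frank": "IT"}
CERTIFIER = {"Finance": "finance-lead", "IT": "it-lead"}   # department head certifies


def effective_access(groups=GROUPS):
    """Access visibility: flatten nested membership into
    {user: {(system, entitlement), ...}}. A member that is not itself a group
    name is treated as a user; the visited set guards against cyclic nesting."""
    access = defaultdict(set)
    for system, defs in groups.items():
        for entitlement in defs:
            stack, seen = [entitlement], set()
            while stack:
                current = stack.pop()
                if current in seen:
                    continue
                seen.add(current)
                for member in defs[current]:
                    if member in defs:
                        stack.append(member)          # nested group: expand it
                    else:
                        access[member].add((system, entitlement))
    return dict(access)


def build_campaign(access, departments=None, systems=None):
    """Access certification: scope a campaign by department and/or target system
    and hand each certifier the items they must confirm."""
    items = defaultdict(list)
    for user, entitlements in sorted(access.items()):
        dept = DEPARTMENT.get(user)
        if departments and dept not in departments:
            continue
        for system, entitlement in sorted(entitlements):
            if systems and system not in systems:
                continue
            items[CERTIFIER.get(dept, "unassigned")].append((user, system, entitlement))
    return dict(items)


def close_campaign(items, decisions):
    """Evaluate certifier decisions. Only an explicit 'keep' confirms a right:
    'revoke' goes to the revocation list, silence is reported as unconfirmed
    and never treated as approval."""
    revoke, unconfirmed = [], []
    for item in items:
        decision = decisions.get(item)
        if decision == "revoke":
            revoke.append(item)
        elif decision != "keep":
            unconfirmed.append(item)
    return revoke, unconfirmed


def mine_roles(access, min_users=2):
    """Role mining: propose a role for each entitlement set shared by at least
    min_users users of the same department, plus a baseline role per department
    made of the entitlements every member of that department holds."""
    exact = defaultdict(list)
    per_dept = defaultdict(list)
    for user, entitlements in access.items():
        dept = DEPARTMENT[user]
        exact[(dept, frozenset(entitlements))].append(user)
        per_dept[dept].append(entitlements)
    proposals = [(dept, set(ents), sorted(users))
                 for (dept, ents), users in exact.items() if len(users) >= min_users]
    baselines = {dept: set.intersection(*sets) for dept, sets in per_dept.items()}
    return sorted(proposals, key=lambda p: (-len(p[2]), p[0])), baselines


if __name__ == "__main__":
    access = effective_access()
    for user, ents in sorted(access.items()):
        print(user, sorted(ents))
    campaign = build_campaign(access, departments={"Finance"}, systems={"SAP"})
    print("items for finance-lead:", len(campaign["finance-lead"]))
    print("role proposals:", mine_roles(access))
```

Note that dave and erin receive G-Finance-All and G-SAP-Payments only through the nested G-Finance-AP group; a view that lists direct membership alone would miss both, which is exactly the gap access visibility is meant to close.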
5. Risk management
Certain rights and combinations of rights can pose a high risk for an organisation. These can be individual highly privileged rights, violations of SoD rules or unusual combinations of rights in a department. Risk management takes place in several stages:
Modelling > Measuring > Recognising > Mitigating
First, the risk is modelled, i.e. what constitutes a risk is defined (which rights and which combinations of rights, and how heavily each weighs). The next step is to measure whether such risks exist, and the identities concerned are recognised. In the final step, so-called mitigations are defined for the identified risks. This is necessary because not all risks can be eliminated: some conflicting combinations are unavoidable in small teams. A mitigation reduces an existing risk through a suitable compensating measure, for example closer monitoring of the identity concerned or an additional, documented approval by the CISO. The risk analysis helps to uncover and eliminate critical points in the company.
6. Access request
Identity governance can also include the "access request" function, i.e. the application for rights. This is not absolutely necessary, as the function is usually covered by the existing identity administration solution. Access request within identity governance should be considered in particular if
– No separate Identity Administration solution is in use
– Identity Governance and Identity Administration tasks are carried out by the same people
– SoD and other risk considerations are to be evaluated at the moment of the request. Preventive SoD at request time blocks a conflicting combination before the right is granted, instead of detecting it afterwards in the next certification cycle, and so increases both security and compliance.
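Static SoD on business activities, the four risk stages described under Risk management, and the preventive check at request time, as an added Python example that is not the article's or any product's code. The mapping from technical entitlements to business activities, the rule set, the risk weights, the threshold and the recorded mitigation are all constructed assumptions; dynamic SoD, which needs transaction context, is out of scope here, as the text notes:

```python
"""Added example: SoD rules on business activities, risk scoring with mitigations,
and a preventive check on an access request. All data is constructed."""

# Modelling, part 1: which business activity each technical entitlement enables.
# Two different entitlements may enable the same activity.
ACTIVITY_OF = {
    ("SAP", "R-MM-CreatePO"): "order_goods",
    ("SAP", "R-FI-PostInvoice"): "post_invoice",
    ("SAP", "R-FI-ReleasePayment"): "pay_invoice",
    ("AD", "G-SAP-Payments"): "pay_invoice",      # second path to the same activity
    ("SAP", "R-BASIS-Admin"): "sap_admin",
    ("AD", "G-IT-Admins"): "domain_admin",
}

# Modelling, part 2: pairs of activities one person must not hold together.
SOD_RULES = {
    "SOD-01": ("order_goods", "pay_invoice"),
    "SOD-02": ("post_invoice", "pay_invoice"),
}

# Modelling, part 3: risk weights for highly privileged activities and for each
# rule violation, and the threshold above which an identity is flagged.
ACTIVITY_RISK = {"sap_admin": 8, "domain_admin": 10}
SOD_RISK = {"SOD-01": 7, "SOD-02": 6}
HIGH_RISK = 10

# Constructed identities with their effective entitlements.
USERS = {
    "bob":   {("SAP", "R-FI-PostInvoice"), ("SAP", "R-FI-ReleasePayment")},
    "dave":  {("AD", "G-SAP-Payments"), ("SAP", "R-FI-ReleasePayment")},
    "frank": {("AD", "G-IT-Admins"), ("SAP", "R-BASIS-Admin")},
    "gina":  {("SAP", "R-MM-CreatePO")},
}

# Mitigating: accepted compensating controls, (user, finding) -> risk reduction,
# e.g. a documented CISO approval for bob's SOD-02 conflict.
MITIGATIONS = {("bob", "SOD-02"): 4}


def activities(entitlements):
    """Translate technical entitlements into the business activities they enable."""
    return {ACTIVITY_OF[e] for e in entitlements if e in ACTIVITY_OF}


def sod_violations(entitlements):
    """Static SoD: rule ids whose two activities are both enabled."""
    acts = activities(entitlements)
    return sorted(rid for rid, (a, b) in SOD_RULES.items() if a in acts and b in acts)


def risk_score(user, entitlements, mitigations=MITIGATIONS):
    """Measuring: sum activity and SoD risk, subtract accepted mitigations that
    refer to a finding actually present, never below zero. Returns (score, findings)."""
    findings = {a: w for a, w in ACTIVITY_RISK.items() if a in activities(entitlements)}
    findings.update({rid: SOD_RISK[rid] for rid in sod_violations(entitlements)})
    raw = sum(findings.values())
    reduction = sum(v for (u, key), v in mitigations.items() if u == user and key in findings)
    return max(raw - reduction, 0), findings


def recognise(users=USERS):
    """Recognising: identities whose residual risk reaches the threshold."""
    return sorted(u for u, ents in users.items() if risk_score(u, ents)[0] >= HIGH_RISK)


def evaluate_request(user, requested, users=USERS):
    """Preventive SoD: simulate the grant and report violations that would be new,
    plus the residual risk afterwards, before anyone approves the request."""
    current = users.get(user, set())
    before = set(sod_violations(current))
    after = set(sod_violations(current | {requested}))
    new = sorted(after - before)
    score_after, _ = risk_score(user, current | {requested})
    return {"allow": not new, "new_violations": new, "risk_after": score_after}


if __name__ == "__main__":
    for user, ents in USERS.items():
        print(user, sod_violations(ents), risk_score(user, ents))
    print("high risk:", recognise())
    print(evaluate_request("gina", ("SAP", "R-FI-ReleasePayment")))
    print(evaluate_request("dave", ("SAP", "R-FI-PostInvoice")))
```

The activity mapping is what makes the rules readable for an auditor and robust against multiple technical paths: dave's request for R-FI-PostInvoice is rejected because his AD group already enables "pay_invoice", a conflict a rule written directly against SAP role names would not see. The mitigation record only lowers bob's score for a finding that is actually present, so a stale approval cannot mask a different, later conflict.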
Identity governance has become indispensable in larger companies because of regulatory requirements. It can be used on its own or in combination with identity administration solutions. Identity governance plays a pivotal role in cybersecurity by ensuring proper access controls, demonstrating compliance with regulations, identifying and mitigating risks, streamlining request and certification processes, and providing visibility and accountability over user access.