Identity and Access Management (I&AM) and Privileged Access Management (PAM) cover provisioning, recertification, internal transfers and offboarding of user access to an organization’s technology resources. Corporate and departmental user groups consist of employees and sometimes also include external connectivity for customers and vendors. As a result, the complexity of account management processes increases with the level of risk associated with the particular user role being provisioned.
When provisioning and access recertification processes are manual, the workflow from submission and approval through activation can require several days or weeks to complete. Processing time can also increase if separate access administration procedure policies are created based on the type of account provisioning (discretionary, self-service, work-flow based) and the level of access required for specific user roles.
When users transfer to different departments in an organization, access becomes harder to manage. Privileged access required for a previous role is sometimes not removed when it is no longer needed for the user’s new function. This “privileged access creep” compounds rapidly when access administrators mirror the entitlements of current employees while provisioning new hires or internal transfers: every leftover privilege on the template account is copied to the new one. The result is duplicated excessive privileges that could lead to data loss and theft if an unauthorized user gains control of one of these accounts.
The solution to these issues is to automate the access administration process. Automation requires that all accounts follow the same provisioning procedures through a centralized management application. This simplifies the addition and management of user access credentials. It also provides a reporting function that tracks current user access to specific applications, tools, databases and platforms.
Automating the administration process facilitates identity governance. It enables an organization to map identity and access management functions according to audit compliance requirements, which includes defining the corporate I&AM policy and maintaining logs of access management data that can be reviewed by internal and external auditors.
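The following is an added illustration, not code from the article or from any vendor named in it, of the recertification check an automated I&AM process makes possible: each account’s live entitlements are compared with the baseline of its current role, leftover privileged rights from a previous role are flagged, and accounts that inherited that creep by being mirrored from a template account are identified. Role names, entitlement strings and the account export are constructed sample data.

```python
"""Added example: detect privileged access creep during recertification.

Constructed data throughout; the role baselines and entitlement names are
hypothetical and do not correspond to any real product or organization.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Hypothetical role baselines: the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "teller":       {"core-banking:read", "crm:read"},
    "ops-analyst":  {"core-banking:read", "reports:run", "db:reporting-ro"},
    "access-admin": {"iam:provision", "ad:group-admin", "crm:read"},
}

# Entitlements treated as privileged; excess rights here carry the highest risk.
PRIVILEGED = {"iam:provision", "ad:group-admin", "db:reporting-ro", "db:prod-rw"}

@dataclass
class Account:
    user: str
    role: str                              # current role after any transfer
    entitlements: set                      # live entitlements from the export
    mirrored_from: Optional[str] = None    # template account copied at provisioning

def creep(acct: Account) -> set:
    """Entitlements the account holds beyond its current role baseline."""
    return acct.entitlements - ROLE_BASELINE.get(acct.role, set())

def recertify(accounts: list) -> list:
    """Rows (user, role, excess, privileged_excess) for accounts needing review."""
    findings = []
    for a in accounts:
        excess = creep(a)
        if excess:
            findings.append((a.user, a.role, sorted(excess), sorted(excess & PRIVILEGED)))
    return findings

def mirrored_creep(accounts: list) -> list:
    """(user, template) pairs where the user's excess rights were copied from the template."""
    by_user = {a.user: a for a in accounts}
    src_of = lambda a: by_user.get(a.mirrored_from) if a.mirrored_from else None
    return [(a.user, a.mirrored_from) for a in accounts
            if src_of(a) and creep(a) & creep(src_of(a))]

# Constructed sample export: bob transferred from access-admin to teller and
# kept his admin rights; carol was provisioned by mirroring bob and inherited them.
SAMPLE = [
    Account("alice", "ops-analyst", {"core-banking:read", "reports:run", "db:reporting-ro"}),
    Account("bob", "teller", {"core-banking:read", "crm:read", "iam:provision", "ad:group-admin"}),
    Account("carol", "teller", {"core-banking:read", "crm:read", "iam:provision", "ad:group-admin"},
            mirrored_from="bob"),
]
```

Running recertify(SAMPLE) leaves alice clean and lists bob and carol with the two privileged admin entitlements; mirrored_creep(SAMPLE) shows that carol’s excess came from bob.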
Identity and Access Management Solutions (Examples)
There are several I&AM systems that unify access provisioning functions with user roles and corporate policy repositories. These systems are designed to provide centralized visibility and control. They also make it possible to measure and monitor the risks inherent in matching user roles with resources, and to analyze access data against industry-leading controls. Below are some examples of I&AM solutions:
SailPoint IdentityIQ
SailPoint is reputed to be the state-of-the-art identity and access management solution. The SailPoint IdentityIQ system and its optional modules provide access certification and role management features that are easy to navigate because they are designed for business users rather than access administrators.
The SailPoint IdentityIQ modules include:
- Compliance Manager
- Lifecycle Manager
- Identity Intelligence
- Governance Platform
- Integration Modules
- User Provisioning
RSA Identity Management and Governance
RSA Identity Management and Governance is a modular, independently licensed solution. RSA modules include access certification management, access request management, data access governance and role management.
Saviynt CAGI (Cloud Access Governance and Intelligence)
Saviynt can integrate with any on-premises or cloud application. It can import access and data-usage information from applications in real time or in batch, analyze that data against industry-leading controls, report exceptions and violations, and remediate the exceptions.
IBM Security Identity Governance and Administration
IBM Security Identity Governance and Administration is a suite that combines a Security Identity Manager and a Security Identity Governance system. It includes user access management, identity management and governance, and regulatory compliance evaluation.
One Identity
One Identity automates account creation, assigns access, streamlines ongoing administration and unifies identities, passwords and directories.
How ACA Can Help
Before deciding which automated solution may be best for an organization, analysis is required to develop an effective strategy and roadmap for the I&AM direction. In many cases this roadmap must cover the access issues already identified, to ensure the proposed solution addresses them. Buy-in from all impacted areas is key to the success of automation, achieved through the development of ongoing procedures and the definition of responsibilities. We can provide a resource with prior experience to set up the roadmap and obtain approval from all interested parties. We can also take part in the automation selection process and then aid or manage the implementation.
For More Information
For more information, please contact Mahesh Viswanathan at ACA Telavance or your regular ACA Telavance consultant.
About the Author
Art Claudio has had an extensive career in the financial services industry, which includes a unique blend of technology, business and management experience in wholesale, retail, domestic and international settings.