Start Smart:
Identity and Access Management Fundamentals

Accountability for Identity and Access Management is Key

Ownership of every account should be assigned to specific identities for accountability. These identities would be responsible for system reconciliation: finding any account exceptions and entitlement discrepancies. Performing regular reconciliations will help Enterprise IT identify risks like:

  • Orphan accounts:
    These are accounts that appear unexpectedly in account repositories. Most often, this happens when administrators create accounts outside the standard process.
  • False active accounts:
    These are active accounts that were supposed to be disabled, perhaps because an administrator enabled accounts outside the standard process.
  • Unauthorized entitlements:
    These are entitlements added to an existing account unexpectedly, or outside the standard process.

Embrace Policy-Based Entitlements

We encourage Enterprise IT to focus on providing a set of closed-loop processes for the assignment of entitlements.

This helps ensure entitlement assignments have a policy-driven path to removal. The typical process approach for assigning entitlements relies on access requests and workflow approvals as gates through which users must pass before access is granted. Request-based processes are then augmented by policy-based assignment of entitlements, wherein events cause entitlements to be assigned to users based on evaluation of policy criteria. This is most often associated with what are commonly known as “birthright entitlements” – the access users should get when an identity is initially created.

Well-defined policies should guide the assignment of an increasing proportion of access in the environment, with access requests and approval workflows relegated to exceptional access. Enterprise IT needs mechanisms to associate policies with entitlements, rather than tying policies to users or events. This can be aided by adopting role-based access control.  When exceptional access is granted via requests, it should be done for a limited time only so that users do not accumulate unnecessary access. When such time limits are not supported directly by an IGA product or service, access certifications can be used as a substitute, as long as the certification campaigns can be focused on exceptional access.
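As an added example (not from the original article), the reconciliation described above, run over constructed sample data: the expected state is derived from birthright entitlements per role plus time-limited exceptional grants, so an expired exception surfaces as an unauthorized entitlement. The roles, accounts and entitlement names are assumptions.

```python
from datetime import date

# Constructed sample data (assumed, not from the article).
# Birthright entitlements assigned by policy per role.
BIRTHRIGHT = {"engineer": {"vpn", "git"}, "finance": {"vpn", "erp-read"}}

# Identities known to the governance process: account -> (role, should_be_active)
IDENTITIES = {
    "alice": ("engineer", True),
    "bob": ("finance", True),
    "carol": ("engineer", False),  # leaver: account should be disabled
}

# Exceptional access approved via request workflow: (account, entitlement, expiry)
EXCEPTIONS = [
    ("alice", "prod-admin", date(2024, 6, 30)),
    ("bob", "erp-write", date(2024, 12, 31)),
]

# Observed state exported from the target system: account -> (active, entitlements)
OBSERVED = {
    "alice": (True, {"vpn", "git", "prod-admin"}),
    "bob": (True, {"vpn", "erp-read", "erp-write", "git"}),
    "carol": (True, {"vpn", "git"}),
    "svc-backup": (True, {"db-admin"}),  # created outside the standard process
}


def expected_entitlements(account, identities, exceptions, birthright, today):
    """Policy entitlements for the account's role plus unexpired exceptions."""
    role, _ = identities[account]
    allowed = set(birthright.get(role, set()))
    for acct, ent, expiry in exceptions:
        if acct == account and expiry >= today:
            allowed.add(ent)
    return allowed


def reconcile(observed, identities, exceptions, birthright, today):
    """Classify discrepancies into the three risk classes from the article."""
    findings = {"orphan": [], "false_active": [], "unauthorized": []}
    for account, (active, ents) in sorted(observed.items()):
        if account not in identities:
            findings["orphan"].append(account)  # no owning identity at all
            continue
        _, should_be_active = identities[account]
        if active and not should_be_active:
            findings["false_active"].append(account)
        allowed = expected_entitlements(account, identities, exceptions, birthright, today)
        for ent in sorted(ents - allowed):
            findings["unauthorized"].append((account, ent))
    return findings
```

Running `reconcile(OBSERVED, IDENTITIES, EXCEPTIONS, BIRTHRIGHT, date(2024, 9, 1))` flags svc-backup as orphan, carol as falsely active, and alice's expired prod-admin grant plus bob's git access as unauthorized.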
