Accountability for Identity and Access Management is Key
Ownership of every account should be assigned to specific identities for accountability. These identities would be responsible for system reconciliation: finding any account exceptions and entitlement discrepancies. Performing regular reconciliations will help Enterprise IT identify risks like:
Embrace Policy-Based Entitlements
We encourage Enterprise IT to focus on providing a set of closed-loop processes for the assignment of entitlements.
This helps ensure entitlement assignments have a policy-driven path to removal. The typical process approach for assigning entitlements relies on access requests and workflow approvals as gates through which users must pass before access is granted. Request-based processes are then augmented by policy-based assignment of entitlements, wherein events cause entitlements to be assigned to users based on evaluation of policy criteria. This is most often associated with what are commonly known as “birthright entitlements” – the access users should get when an identity is initially created.
Well-defined policies should guide the assignment of an increasing proportion of access in the environment, with access requests and approval workflows relegated to exceptional access. Enterprise IT needs mechanisms to associate policies with entitlements, rather than tying policies to users or events. This can be aided by adopting role-based access control. When exceptional access is granted via requests, it should be done for a limited time only so that users do not accumulate unnecessary access. When such time limits are not supported directly by an IGA product or service, access certifications can be used as a substitute, as long as the certification campaigns can be focused on exceptional access.
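The closed loop described above (policy-driven birthright entitlements, time-boxed exceptional access, and owner-accountable reconciliation) as an added Python sketch; this is example code, not from the article or any IGA product, and the policy table, identity attributes and entitlement names are constructed for illustration:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed birthright policies (hypothetical): (attribute, required value, entitlements).
BIRTHRIGHT_POLICIES = [
    ("employee", True, {"email", "vpn"}),
    ("dept", "engineering", {"git-read", "ci-viewer"}),
    ("dept", "finance", {"erp-user"}),
]

@dataclass
class Identity:
    name: str
    owner: str                  # accountable owner responsible for reconciling this account
    attrs: dict                 # attributes changed by joiner/mover/leaver events
    exceptions: dict = field(default_factory=dict)  # entitlement -> expiry datetime

def policy_entitlements(identity):
    """Entitlements the policies justify for this identity's current attributes."""
    ents = set()
    for attr, value, granted in BIRTHRIGHT_POLICIES:
        if identity.attrs.get(attr) == value:
            ents |= granted
    return ents

def grant_exception(identity, entitlement, now, days):
    """Request-based (exceptional) access is always time-boxed so it has a path to removal."""
    identity.exceptions[entitlement] = now + timedelta(days=days)

def reconcile(identity, actual, now):
    """Compare entitlements the account really holds with what policy or a live exception justifies."""
    live = {e for e, exp in identity.exceptions.items() if exp > now}
    expected = policy_entitlements(identity) | live
    return {
        "owner": identity.owner,
        "to_remove": actual - expected,   # nothing justifies these: accumulated or stale access
        "to_add": expected - actual,      # policy grants these but the account lacks them
        "expired": {e for e, exp in identity.exceptions.items() if exp <= now},
    }

if __name__ == "__main__":
    now = datetime(2024, 1, 1)
    alice = Identity("alice", owner="it-ops", attrs={"employee": True, "dept": "engineering"})
    grant_exception(alice, "prod-db-admin", now, days=7)
    alice.attrs["dept"] = "finance"            # mover event: policy re-evaluation handles the rest
    print(reconcile(alice, {"email", "vpn", "git-read", "prod-db-admin"}, now + timedelta(days=8)))
```

Running the mover scenario flags the old department's entitlement and the expired exception for removal, and the new department's birthright entitlement as missing, without any per-user rule having been written.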