Access to systems and networks, authorization of users and audits of access patterns seem to be independent, if not opposing, forces. But what if they were centralized, synchronized and complimentary operations in your organization?
That’s CGI’s vision of identity governance, which enables better control of access, easier management of multiple user accounts and protection against insider threats. In this two-part series, we will lay out an evolution, along with recommendations, to move your organization to an enterprise identity governance solution, starting with the need for planning.
Without centralized identity governance, access management typically resides within individual applications, leading to a maze of forms and request methods. To gain access to those applications, new hires must submit paper forms, PDFs and emails, each with varying requirements for signatures and manual processes. New team members can sit idle for weeks waiting on application access, reducing workforce effectiveness.
Account rules vary, resulting in multiple usernames and the inability to match accounts between applications, lessening the effectiveness of newly-implemented log mining tools to monitor account activity. As staff leave the organization or change roles, lack of central tracking makes it difficult to identify and disable all of their accounts. Worse, untended accounts provide attack vectors for both external and insider threats.
Elements of Enterprise Identity Governance
A comprehensive enterprise identity governance solution can help address these issues, and at a minimum, should include:
- Documented policy for accounts, authentication and authorization
- A central identity authority
- Automated account provisioning and deactivation
- A workflow engine for account requests and approvals
- Dashboards and consistent audit reports across applications
- Audit and enforcement mechanisms
- An implementation roadmap
- Privileged access management
- Onboarding procedures for new systems
- Integration with asset management solutions to extend ID management capabilities to the world of physical assets
As with any major transformation, successfully implementing an enterprise identity governance solution starts with planning. In stage one of the project, you should:
- Document policy and roadmap
- Assess and identify existing and future common tools
- Establish central workflow and approvals to capture audit trail.
- Eliminate paper and email-based workflow
- Develop consistent audit reporting for applications
- Institute Privileged Access Management
This is not, however, always an easy project, especially in large departments and agencies. Go on to part two for guidelines for making and, more importantly, implementing a plan.