Identity Governance

Throughout an organization it can be extremely complex to document who has access to what and why they were granted that access. Governance ensures that identities are not granted more access than they need to do their jobs, gives application, system owners and line managers the opportunity to ensure the correct level of access, and enforces policies involving data protection regulations and access right conflicts.

Business processes for governance allow organizations to verify who has access to what information, remove access that is no longer needed, produce real-time and historical audit reports and ensure that Separation of Duty (SoD) policies are properly enforced.

Administrators and security practitioners need to evaluate access rights on a regular basis, otherwise users will accumulate access to more systems than they need as they change roles. Governance processes also allow for un-owned accounts (orphaned accounts) to be reassigned or deleted. Administrators can also ask data owners and managers to assign different risk classifications to data held within their respective systems. Finally, verifying that the actual state of access and entitlements matches the desired state is key to maintaining good governance.

Why Governance Management is important

Managing Governance

Ensuring account security and compliance

Access rights that are granted to users, either when they join a company or when they request new access rights, may not be required for the entire employment lifecycle. If the access rights are not evaluated on a regular basis, users typically accumulate access to more systems than they need. The governance processes let administrators verify with the business system owners or employee line managers that the access users have is appropriate for their current jobs.

If an account is found to have no owner assigned to it (a so-called ‘orphan account’) because an employee has left the company, then governance processes allow for the ownership to be reassigned or for the account to be deleted as appropriate.

In addition to managing access to systems, access to different types of data needs to be controlled. The governance processes allow administrators to ask data owners and managers to assign different risk classifications to data held within their systems. Once these classifications are assigned, data access can be governed in accordance with various global data protection regulations and other relevant data protection standards.

Maintaining ongoing compliance

Verifying that the actual state of access granted to users matches the desired state that defines a compliant and secure system is a key process to maintaining good governance. If inconsistencies are found, they are flagged to the administrator, so they can be resolved either by approving or revoking the access.

In addition, the governance processes include workflows to manage the separation of duty (SoD) rules so toxic combinations of access rights are not assigned to an individual, thus preventing the ability to carry out fraudulent activities.

The Governance process area includes the following process groups and subprocesses:

1. Generate report
   • Reporting
2. Perform attestation
   • Design certification campaign
   • Administrate certification campaigns
   • Respond to campaign questions
   • Transfer ownership
   • Account ownership
   • Access review for managers/resource owners
3. Perform reconciliation
   • Reconcile expected state versus actual state
4. Apply data classification
   • Administer classification tags
   • Apply classification tags to data objects
5. Separation of duties (SoD)
   • Evaluate violation

As part of Omada IdentityPROCESS+, an identity governance framework focusing on best practice processes, there are several key components to Governance that are critical to follow best practices to ensure business efficiency is optimized, security is tight, and compliance is met.

Process Group: Generate Report

Setting up reports that can provide a sense of what is actually happening is critical for success. Real-time dashboards allow organizations to understand their current access compliance situation so that they can maintain compliance. Reporting within Omada can also process extra data from the data repository to show information about relevant objects and provide a comprehensive data overview. This view allows organizations to see who has or has had, access to what, why, and when that access was granted, who approved it, and when it was revoked.

Process Group: Perform Attestation

After reports have been set up, regularly verifying that access rights, policies, role definitions, and master data in Omada are still valid is up next. Certification campaigns (also called reviews, attestations or re-certifications) are used to periodically validate the information in Omada. Omada administrators can define the purposes of the campaign, including what data is to be certified, who should certify it, and how often a survey should run directly in the portal. The administrator can also input what should happen when responses to the survey are submitted, or when answers are not given, as well as set notifications and reminders to be sent, and determine who can monitor and manage the campaigns and surveys.

Administer Certification Campaign

The survey administrator can initiate and assign surveys to the relevant managers or survey owners. This includes determining when the survey starts, monitoring its ongoing progress, reassigning questions if needed, generating and sending reports and closing the survey. IdentityPROCESS+ lays out how surveys are created in the design certification campaign process and scoped based on factors such as risk classification, systems and resource types for maximum effectiveness.

Respond to Campaign Questions

When the campaign is launched by the administrator the certification task is sent to the manager for review, so as to enable responses. Once they receive the task to recertify data (i.e. access rights for managed identities), the reviewer reviews the data and submits answers to the questions. If unable to answer some of the questions, the survey can be reassigned to another user (if the survey admin has permitted this action when launching the survey).

Transfer Ownership

When someone leaves the company or changes roles, the organization must transfer ownership of certain objects to another human identity. This automatically starts a workflow, which allows resource owners to propose new owners, who can accept or reject the proposal.

Access Review for Manager/Resource Owners

As part of the ongoing process to review access, administrators and practitioners should regularly review access rights assigned to all identities. Access reviews are initiated either on a scheduled basis or done ad hoc manually by system owners or administrators. They can then verify accounts by system, organizational unit, specific resources, compliance status, or classification tags. Direct assignments are expired and deprovisioned immediately, and if a kept assignment already has a desired state it will remain as is.

Process Group: Perform Reconciliation

Omada can check if the desired security and compliance state matches the actual access granted to system resources. If there is a mismatch, the differences need to be promptly rectified to maintain both security and compliance. Omada compares the defined desired state with actual state gathered from target systems and graphically displays compliance status; whether it is ‘under control’ or not, whether it has been explicitly, or implicitly approved. Other potential states include not approved, orphan assignment, pending deprovisioning, in violation, or implicitly assigned.

Process Group: Systems and Data Store Classification

Applying classification tags to identities, systems, resources, resource folders, contexts and other objects means they can be identified when specific company processes need to be applied. This also helps to manage resources differently depending on the types of data being stored, the sensitivity of the information, and any regulations governing their use. Data administrators can create classification tag categories in Omada. For example, the classification category ‘GDPR’ could be populated with tags ‘personal data’ ‘personal sensitive data’ ‘high-risk data’ ‘low-risk data’ etc., thereby allowing administrators to manage different types of data according to internal policies and external requirements.

Apply Classification Tags to Data Objects

Administrators can identify data that is held in different resources so it can be managed with the appropriate levels of security/compliance policies defined by the organization. When classification tags and tag categories are set up, data objects are tagged using a classification survey. These tags and tag categories are used to establish and operationalize the risk management strategy and put relevant controls in place. This also allows the administrator or system owner to create a survey which is sent to users, presenting them with tasks to classify the survey. Once the questions are completed, the classifications need to be approved by the category owner. Once approved, classification tags are added or removed to/from the object.

Process Group: Separation of Duties

A critical component of Governance is the evaluation of separation of duty policies to ensure that individuals are not granted toxic combinations of access rights that enable them to commit fraud. Administrators can create new constraint policies to determine whether toxic combinations of access rights have been assigned, can detect violations, and allow managers to evaluate the situation. Omada evaluates user identities for violations, and if found, the automated workflow sends the task to the manager for approval. If approved and a compensating control is selected, access is provisioned. This is also automatically logged and stored.

Process Stakeholders

Within IGA processes, it is critical that multiple stakeholders are aligned and working together. For Governance, the following teams must be involved.

1. IGA Team
   • Generate reports for compliance and security teams
   • Set up attestation surveys across business systems
2. Line Managers
   • View reports
   • Respond to access review requests
3. Business and Application System Owners
   • Use reports to determine who has access to their systems
   • Generate certification campaigns to verify user access and respond to access reviews for resource owners
   • Help initiate account ownership process to review orphaned account assignments and transfer them to new owners

Key Best Practice Recommendations

Below are a set of key best practice recommendations that should be taken into consideration when implementing the governance processes in IdentityPROCESS+.

Define metrics for a key performance indicator (KPI) model

It is important to determine which KPIs need to be measured, monitored and reported on. For administration of the IGA system, this will include system KPIs such as spare database storage capacity, response times, and resource usage. To monitor use of the IGA system from a business perspective, KPIs such as identities being managed, the number of assignments, and unresolved accounts need to be considered. When considering the KPIs required, it is important to
involve stakeholders from the business such as line managers, the compliance team, and external auditors as they may have additional requirements.

When considering KPIs and reports, it is highly recommended that organizations start with the out-of-the-box options provided by the IGA solution rather than
reinventing the wheel and creating their own. Most organizations find that the standard reports satisfy most of their needs and therefore only need to create a small number of additional customized reports. The process of determining whether the out-of-the-box reports are suitable for the organization could take up to a year to complete if there are many stakeholders with different requirements.

Determine what kind of certification campaigns are needed

To ensure good governance, it is important to establish a rigorous set of certification campaigns. The frequency of certification campaigns should be based on the criticality of the application and any external compliance regulations that need to be taken into consideration. For example, access to a critical banking application may need to be recertified every 6 months whereas a less critical application such as the HR holiday booking system may only need access recertification every 12 months. When determining the frequency of recertification, the audit team should be consulted as they may have specific requirements.

Define how surveys should be run

To effectively perform user access recertification, organizations should determine how surveys should be run. This includes who owns the surveys, who starts them, and who follows up if they are not answered. When deciding who should manage surveys, political considerations need to be taken into account – for example, a senior executive may not appreciate being sent a reminder from a junior employee for not completing answers to a recertification campaign they have received.

Summary

The governance processes enable organizations to maintain compliance over user identities for the entire lifecycle of employment. They allow administrators to continuously monitor for orphan accounts and put measures in place to prevent toxic access combinations causing separation of duty violations.

By implementing the IdentityPROCESS+ governance processes, organizations will maintain a secure and compliant organization while being able to effectively support the granting of access rights to end users.