I got my start with identity management 20 years ago. For much of the 90’s I installed and supported networks, and provided system administration services. In this role I helped enterprises with creating user accounts and granting access to network resources (mostly files, folders and printers).
I’ve recently completed a couple of projects that remind me of those simpler days. Last year I worked on an enterprise Access Governance project. This project, for a financial institution, was a challenging to me and important to the client. The primary driver for the project was to answer the auditor’s question ‘who has access to what’. This organization, like so many large enterprises, needed to have an efficient method of determining which users were accessing which applications, databases and files.
Reporting on this is harder than it seems. The wide range of financial, human resource, marketing and client self-service systems means that access is granted in many different ways. User accounts are common for enterprise systems (like network login and email) but often unique for ERP, custom or business area-specific applications. Even if the same network account is used across enterprise applications, reporting on access (security groups, permissions, rights, etc.) is very difficult to automate. As a result, reporting on who has access to what is pretty much a manual exercise that is impossible to carry out without a significant effort.
There are a growing number of tools that are effective in supporting the type and style of access reporting required by enterprises. But before the tools can be considered, a philosophy of strong access governance needs to be established. According to Aveksa, a leader in access governance solutions:
… with business-driven identity and access management solutions, companies can empower the business owners to take ownership of identity and access control, provide consistent, full business context across Identity and Access Management systems, connect to the full set of data and application resources, and significantly lower the total cost of ownership
What makes Access Governance difficult is that it is a new concept that is (I think) widely misunderstood. Executive management are uninvolved unless a breach has occurred that forces them to take interest. Senior IT management (CIO, Directors) are feeling the heat from auditors, but have no experience with the new Access Governance tools and methods. Managers are swamped with ‘real work’, and analysts generally consider the whole exercise to be either ridiculously time consuming or impossible.
The trick, I believe, is to get support for Access Governance as high up in the organization as is possible. That might be the CIO level, or possibly higher if poor compliance reports or breach incidents are a priority for executives. Only with senior support can a program be established that will deliver on Access Governance and, ultimately, start to lay the groundwork for an appropriate program.