5 best practices for identity governance and administration
"I can hardly wait for the next access certification review!" said no one—ever. But you can help turn this around with a well-managed identity governance and administration (IGA) program.
IGA is the branch of identity and access management that deals with making appropriate access decisions. It allows your company to embrace the benefits of hyper-connectivity while ensuring that only the right people have access to the right things at the right times.
When it's done right, IGA makes security easier and gives you valuable insights about employee activity and needs. When it’s not done right, it puts your company at risk and is perceived as an annoying waste of time. Unfortunately, the not-done-right version is the norm today.
So, what does a strong, successful IGA program look like? Here are five steps for best practices, along with examples to illustrate what works and what doesn't.
1. Make identity your foundation
In a well-managed IGA program, access decisions are based on identity, which is the foundation for all security.
You probably think of identity as the defining attribute of people—your employees, business partners, and customers. But identity isn't limited to human beings. We have a customer in Australia who raises sheep, some for medical purposes and others for meat or wool. The company needs to track which animals go where, so each sheep has a corporate identity.
Maybe you don't have sheep to track. But do you have servers, applications, and devices? IoT-connected appliances or vehicles? These things also have identities. An identity should be assigned to anyone or anything that uses or transmits your company's information.
So the first step in establishing a successful IGA program is to identify all your identities and determine what information they can access. Then you can refine your access decisions based on the amount of risk the information contains.
2. Create a strategic plan
Once you've inventoried your identities and mapped their access points—a process infinitely more efficient if it's automated—you need to make decisions about which permissions to keep and which to change.
Each organization needs to determine its priorities. You should consult with all stakeholders and create a strategic plan for identity management, making sure you include all of your systems, cloud-based and on-premises. Create a common decision-making framework based on risk.
Many companies like to start with privileged accounts, including root accounts, which belong to administrators and can get into your critical systems and make changes. Because these accounts can do so much, they are a high-value target for attackers.
Privileged accounts should be limited in both number and scope. Many organizations learn the hard way that they are not. At a healthcare company we work with, a root account holder working on the claims database made an error that shut down the company's operations for an entire day.
It was just a mistake, but it led the company to look into access privileges. It found 100 other account holders who could get into this same sensitive database—far more than necessary.
Any account with unneeded access privileges is a security liability. The more sensitive the information they can get to and the more they can do with it, the higher the risk.
Who determines whether someone should have access to an application or database?
A common myth is that it's up to the IT department. But IT has no way of knowing whether John in sales needs to see quarterly revenue figures for his department, or which people in DevOps need to understand a patent you're working on. These decisions should be made by business managers and application owners, with risk-appraisal assistance from IT.
3. Build an agile system
Companies are not static. They spin off assets and acquire other companies. They reorganize departments, shifting people into new roles without informing IT. Partners, contractors, and customers come and go. Service accounts are set up to do their thing and are then disabled—or all too frequently, forgotten. People quit, people are hired, people are fired.
Change is constant, but security often lags behind. Why? Because companies tend to limit their access updates to a time frame set by compliance regulations. Making your quarterly or semiannual deadline may keep you legal, but it also gives hackers months of freedom to exploit loopholes, any one of which could lead to a devastating data breach.
Why risk it? Today's technology allows you to set up an adaptive governance system that detects and responds to role changes as they happen. It puts the information in front of the right decision makers and makes it easy for them to respond.
In a world of software-as-a-service and instant updates, this is the kind of model people expect. When it comes to security, you don't ever want to be behind the curve. If you build an IGA program that can scale to include all of your identities and is flexible enough to accommodate the reality of constant change, it will serve you well for years to come.
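The three steps above (inventory every identity, human or not; decide access against a role-based baseline; react to role changes as they happen instead of at the next compliance deadline) can be sketched in a few dozen lines. The following Python is an added example, not code from the original article or from any IGA product; the identities, roles, entitlement names and the `ROLE_BASELINE` policy are all constructed for illustration.

```python
"""Event-driven access governance over an identity inventory.

Added example, not from the original article. Every identity, role,
entitlement and event below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Entitlements each role is expected to hold (constructed policy).
# Anything an identity holds beyond its role's baseline is "excess" and
# needs a human decision from the business owner, not from IT.
ROLE_BASELINE = {
    "sales-rep": {"crm:read", "email"},
    "claims-analyst": {"claims-db:read", "email"},
    "dba": {"claims-db:admin", "email"},
    "build-agent": {"artifact-store:write"},
    "badge-reader": {"hr-dir:read"},
}


@dataclass
class Identity:
    name: str
    kind: str                      # "human", "service" or "device"
    role: str
    entitlements: Set[str] = field(default_factory=set)
    manager: Optional[str] = None  # who certifies this identity's access


def excess_access(identity):
    """Entitlements the identity holds that its role baseline does not explain."""
    return identity.entitlements - ROLE_BASELINE.get(identity.role, set())


def holders_of(identities, entitlement):
    """Every identity, human or not, that can reach the given entitlement.

    This is the question the healthcare company in the article asked after
    the outage: how many accounts can actually get into the claims database?
    """
    return sorted(i.name for i in identities if entitlement in i.entitlements)


def on_role_change(identities, name, new_role, new_manager):
    """Handle an HR 'role changed' event the moment it arrives.

    Returns a review task for the new manager listing only the entitlements
    that the new role no longer explains, rather than waiting for the next
    quarterly certification to discover them.
    """
    ident = next(i for i in identities if i.name == name)
    ident.role, ident.manager = new_role, new_manager
    stale = excess_access(ident)
    return {
        "identity": name,
        "reviewer": new_manager,
        "review": sorted(stale),
        "reason": f"role changed to {new_role}; these entitlements are outside its baseline",
    }


def build_inventory():
    """Constructed inventory: three people, one service account, one device."""
    return [
        Identity("john", "human", "sales-rep", {"crm:read", "email"}, "maria"),
        Identity("priya", "human", "claims-analyst", {"claims-db:read", "email"}, "omar"),
        Identity("lee", "human", "dba", {"claims-db:admin", "email"}, "omar"),
        # A CI service account that was once granted database read and never lost it.
        Identity("ci-runner-07", "service", "build-agent", {"artifact-store:write", "claims-db:read"}),
        Identity("scanner-lobby", "device", "badge-reader", {"hr-dir:read"}),
    ]


if __name__ == "__main__":
    inv = build_inventory()
    print("can read claims DB:", holders_of(inv, "claims-db:read"))
    for i in inv:
        if excess_access(i):
            print(f"{i.name} ({i.kind}) holds extra: {sorted(excess_access(i))}")
    # Priya moves to sales; her claims-db access is now outside her role baseline.
    print(on_role_change(inv, "priya", "sales-rep", "maria"))
```

The service account shows why non-human identities belong in the same inventory: it is the only entry with excess access before any role change happens, and it would never appear on a manager's certification form because no manager owns it.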
4. Help stakeholders make decisions
The truth is, line-of-business managers and application owners find reviews a pain, and who can blame them? They're working overtime to do the best job they can with limited resources. Then this extra task pops up, asking them to review the access of the same people they reviewed three months ago.
"What is the point?" they grumble under their breath. But they dutifully turn their attention to the form at hand.
The business manager knows her staff. She quickly scans the list and sees that the names are right. Some people are using apps she doesn't recognize, but they probably have a good reason for it. She'll ask them—someday when she has time.
Here's someone who just switched to a different department, but maybe he needs to use our database to finish up a project—better not leave him high and dry. Most people have access to many files and apps. Are they using them all? Who knows? They’re getting their work done, so she'll give them the benefit of the doubt. She clicks Select All, Approve, and is done for another quarter.
The application owner doesn't personally know all the people using the apps he's responsible for. How could he? There are hundreds. He makes a halfhearted effort to check a few profiles. Nobody seems obviously wrong.
How is he supposed to make these decisions? Why did they give him this task, especially now, when he has to prepare for a presentation this afternoon? He clicks Select All, Approve, done.
Certification reviews can get better—really
This is the reality of certification reviews. How much do you think they are improving your company's security posture?
It doesn't have to be this way. Managers are lax not because they are lazy, but because they lack pertinent information to make informed decisions. You can use your IGA system to help them.
Instead of sending a form with a list of names, look at the analytics your system provides—hopefully on an easy-to-read dashboard. You may learn that of a manager's 50 employees, 47 are using all the apps and files assigned to them on a regular basis.
But two also have access to high-level financial information. Do they really need it? Another worker doesn’t seem to be using the information assigned to him at all. Has he moved to a different role?
Rather than sending the manager a list of 50 people to review, you send a list of three. And you explain why you need her to review these three. Now she feels like a valued member of a team, instead of a robot commanded to perform an unsuitable task. She is more likely to cooperate and less likely to complain.
Back at your dashboard, you notice an application that requires two levels of approval, but the person managing the first level always gives approval within two minutes. So why not save him some time and cut out that level?
And that business manager who says she doesn't know which apps her people are using? Show her. Maybe they've abandoned an old, inefficient piece of software and downloaded something new. Maybe there's a more secure enterprise solution the manager can find to increase productivity.
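What turns a 50-name list into a three-name list is a small amount of analytics over usage and sensitivity data. The following Python is an added example, not the article's or any vendor's code: it scopes a certification review to assignments that are either high-sensitivity or unused, flags users who have not touched any of their access (the "has he moved to a different role?" case), and spots an approval level that is rubber-stamped within seconds. The `ACCESS` records, the `APPROVALS` timings and the 90-day unused threshold are all constructed.

```python
"""Scope an access certification review using usage analytics.

Added example, not from the original article. All records, timings and
thresholds are constructed sample data.
"""
from collections import defaultdict
from statistics import median

# Constructed access records: one row per (user, app) assignment.
# last_used_days is days since the user last opened the app; None means never.
ACCESS = [
    {"user": "ana",  "app": "crm",    "sensitivity": "low",  "last_used_days": 1},
    {"user": "ana",  "app": "ledger", "sensitivity": "high", "last_used_days": 3},
    {"user": "ben",  "app": "crm",    "sensitivity": "low",  "last_used_days": 2},
    {"user": "ben",  "app": "ledger", "sensitivity": "high", "last_used_days": 200},
    {"user": "cara", "app": "crm",    "sensitivity": "low",  "last_used_days": None},
    {"user": "cara", "app": "wiki",   "sensitivity": "low",  "last_used_days": None},
    {"user": "dev",  "app": "crm",    "sensitivity": "low",  "last_used_days": 5},
]

UNUSED_AFTER_DAYS = 90  # constructed threshold for "not in regular use"


def scope_review(records, unused_after=UNUSED_AFTER_DAYS):
    """Return only the assignments a manager needs to look at, each with a reason.

    Low-sensitivity access that is in regular use is left out of the review
    entirely; that is what shrinks the list from everyone to a handful.
    """
    findings = []
    for r in records:
        reasons = []
        unused = r["last_used_days"] is None or r["last_used_days"] > unused_after
        if r["sensitivity"] == "high":
            reasons.append("high-sensitivity access: confirm it is still required")
        if unused:
            reasons.append(f"not used in {unused_after}+ days: possible role change or abandoned app")
        if reasons:
            findings.append({"user": r["user"], "app": r["app"], "reasons": reasons})
    return findings


def users_to_review(findings):
    """The short list of names the manager actually receives."""
    return sorted({f["user"] for f in findings})


def possibly_moved(records, unused_after=UNUSED_AFTER_DAYS):
    """Users who use none of their assigned access: likely changed roles or left."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r["last_used_days"])
    return sorted(u for u, days in by_user.items()
                  if all(d is None or d > unused_after for d in days))


# Constructed decision times (seconds) for a two-level approval workflow.
APPROVALS = {
    "first-level": [45, 60, 90, 30, 120],
    "second-level": [3600, 7200, 1800, 5400, 900],
}


def rubber_stamp_levels(approvals, threshold_seconds=120):
    """Approval levels whose median decision time is too short to add any scrutiny."""
    return [lvl for lvl, secs in approvals.items() if median(secs) <= threshold_seconds]


if __name__ == "__main__":
    findings = scope_review(ACCESS)
    print("review these users:", users_to_review(findings))
    for f in findings:
        print(f"  {f['user']}/{f['app']}: {'; '.join(f['reasons'])}")
    print("possibly moved roles:", possibly_moved(ACCESS))
    print("approval levels adding no scrutiny:", rubber_stamp_levels(APPROVALS))
```

Each finding carries the reason in plain language, which is the "explain why you need her to review these three" step: the manager sees that Ben holds high-sensitivity ledger access he has not used in 200 days, not just a name on a form.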
Analytics are your friend
These are the kinds of insights your IGA program can provide when you put it to good use. Study your analytics to find anomalies and outliers that require human intervention, and streamline and automate the rest. Actively seek information that will be useful to managers, and communicate it in plain English instead of technical jargon.
If you do these things often enough, managers will stop saying access review is a curse. They may even come to see it as a blessing.
So will other stakeholders, including your IT security team, compliance managers, and auditors. Because the governance system is adaptive, making changes along the way as people are hired, take on new roles, or leave, these stakeholders have an up-to-date, accurate picture of roles and access at review time—or at any time.
Instead of spending countless hours collecting and analyzing data, they have all the information they need on a dashboard that gives them a bird's-eye view—or as much granularity as they want.
That means they can make more confident decisions using fewer resources. One client reduced the number of IT staffers reviewing entitlements from 14 to seven.
Intelligible dashboards also allow the security team to literally "show" executives the organization's progress in improving safety while simultaneously reducing the burden on employees.
5. Don't forget unstructured data
Managing access to applications is important. But what about the information the applications contain? What about all your emails, PowerPoint presentations, Word docs, videos, podcasts, voice recordings, pictures, and sensor data? Shouldn't you be cataloging this information, assessing its risk, and determining who should have access to it?
You should, though few organizations are doing it at this point. But they can't ignore it forever. Unstructured data—information that doesn't fit neatly onto a spreadsheet—is accumulating like an avalanche as people increasingly use technology to communicate information. If you can’t track this information, how do you know it's being transmitted and stored securely?
Credit card and Social Security numbers may be lurking in your apps and back-office files without your knowledge. If someone has sent any of this information in an unencrypted email, you already have a de facto data breach on your hands.
It happens, perhaps more often than you think. But if you know what your information contains, you can prevent these kinds of problems.
An IGA system can analyze your unstructured data and alert you if it finds files that look like they contain credit card numbers, dates of birth, Social Security numbers, or other confidential information. When that happens, let the appropriate managers know so that they can delete the information or move it to a more secure location. Then create rules to automate the process.
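The detection side of that process is a pattern scan with a validity check so that the owner is not flooded with false alarms. The following Python is an added example, not the article's or any product's code: it scans a set of files for card numbers (validated with the Luhn checksum) and SSN-formatted strings, redacts each hit so the finding itself does not re-expose the data, and routes each finding to the file's owner. The `SAMPLE_FILES` and `OWNERS` mappings are constructed; 4111 1111 1111 1111 is a widely published test card number, not a real account.

```python
"""Scan unstructured files for card numbers and SSN-like strings.

Added example, not from the original article. File contents and owners
are constructed sample data.
"""
import re

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the 3-2-4 layout; excludes area 000, 666, 9xx and zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value):
    """Keep only the last four characters so the report never leaks the secret."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text):
    """Return (kind, redacted value) findings for one file's contents."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("credit_card", redact(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", redact(m.group())))
    return findings


def scan_files(files, owners):
    """Scan a mapping of path -> contents and route each hit to the file's owner."""
    report = []
    for path, text in files.items():
        for kind, value in scan_text(text):
            report.append({
                "path": path,
                "owner": owners.get(path, "unassigned"),
                "kind": kind,
                "value": value,
            })
    return report


# Constructed sample files. The third contains a 16-digit run that fails Luhn,
# which is how a ticket or serial number avoids becoming a false alarm.
SAMPLE_FILES = {
    "shared/finance/refunds.txt": "Refund to card 4111 1111 1111 1111 approved.",
    "shared/hr/onboarding.txt": "Employee SSN 123-45-6789 on file.",
    "shared/eng/ticket-ids.txt": "Ticket 1234 5678 9012 3456 escalated.",
}
OWNERS = {
    "shared/finance/refunds.txt": "finance-mgr",
    "shared/hr/onboarding.txt": "hr-mgr",
}


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES, OWNERS):
        print(f"{finding['owner']:12} {finding['kind']:12} {finding['path']} -> {finding['value']}")
```

The `owner` field is what turns a scan into the workflow the text describes: each finding lands with the manager who can decide to delete or relocate the file, and a finding on a path with no owner ("unassigned") is itself a governance gap worth tracking.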
If managers weren't grateful for your help before, they will be now. Nobody wants to be responsible for a data breach.
Collaboration is key
In today's hyper-connected world, having a strong, well-managed IGA program is essential. To be effective, it must be comprehensive, covering all identities and applications on-premises and in the cloud, and unstructured as well as structured data.
Above all, it must be flexible, expanding and contracting in concert with the enterprise at all times. You need to manage it to provide your managers with useful insights instead of burdening them with unsuitable tasks.
If you follow these IGA best practices, you will lower your company's exposure to risk and be able to show them the analytics to prove it. You will be able to explain not only what needs to change, but why it needs to change. Security will shift from being a top-down, unwelcome process to an enterprise-wide collaboration. In an ever-changing, fast-moving world, a state-of-the-art IGA program is your best hope for achieving stability.