Where do we begin with an Identity Governance project? Often the goals have already been set by your key stakeholders: a compliance initiative aimed at meeting standards such as PCI DSS, SOX, HIPAA, or GDPR, or a need to rein in accumulated access permissions and reach a state of minimal necessary access.
The ultimate goal of your Identity Governance program should be demonstrable evidence that your risks are identified and effectively managed. Here are seven areas to consider when setting your Identity Governance goals and objectives, each supported by a real-world analogy. All of this should be overseen by an Identity Governance Board within your organization.
Before we delve into the core of Identity Governance, two preliminary goals will lay a solid foundation for your success:
IAM Lifecycle
A robust Identity & Access Management (IAM) lifecycle ensures zero-day start, change, and stop for user account access: accounts are provisioned on the day a person starts, adjusted on the day their responsibilities change, and disabled on the day they leave. This lifecycle can be compared to operational management in a manufacturing plant.
Linked Accounts
Linking every secondary and non-user account to a specific owner mitigates your risk of unaccounted-for access. This is akin to a rental car agency assigning each car to a specific renter for accountability.
Identification of Permissions
Much like product labels provide a clear understanding of a product's features, an effective description for each permission lets reviewers understand what they are evaluating and make informed decisions. These permission descriptions also support role mining efforts, just as product labels help in organizing supermarket shelves.
Compliance-based Reviews - PCI DSS / SOX / HIPAA / GDPR / Other
If you hold sensitive data, think of it as a bank vault: you must identify the data, the permissions that grant access to it, and the risk level of each. Administrative and privileged account access defines the scope of your certification reviews, just as bank vault access requires stringent scrutiny.
Roles
Roles can be likened to departments in a company, where each has distinct responsibilities. These department-like groupings of permissions simplify the review process and increase accuracy. Using roles, permissions granted outside the role are visible for scrutiny during certification reviews, much like a worker performing duties outside their assigned department.
Risk-based Reviews
Risk-based reviews are similar to security checks at airports, where individuals and their belongings are screened based on perceived risk. A risk-based approach requires upfront identification of sensitive data and access, and scoring of its risk level. Reviews are performed for the accounts exceeding a risk threshold, just as airport security checks are most stringent for high-risk passengers.
Policies
An Identity Governance solution should incorporate the use of policies, like a country's legal system. Policies identify risk situations (Separation of Duties (SoD) conflicts or excessive access) and generate an Exception Review for the conflict, just as laws identify and penalize illegal activities.
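To make the preceding areas concrete, here is an added example (not from the original post and not any product's code) that runs the checks described above over a small, constructed dataset: unowned linked accounts, permissions with no description, entitlements granted outside a role, a risk score compared against a threshold, and a Separation of Duties policy that raises an exception review. All identity names, role names, entitlement names, risk weights and the threshold value are made up for illustration; a real program would draw them from its IAM system and the Identity Governance Board's own risk scoring.

```python
"""Illustrative Identity Governance checks over a constructed dataset.

Added example. Every identity, role, entitlement, risk weight and account
below is invented for illustration; none comes from a real system.
"""
from collections import defaultdict

# Constructed permission catalogue: description plus a risk weight (1 = low, 5 = high).
ENTITLEMENTS = {
    "erp.ap.create_vendor":   {"description": "Create or edit vendor master records", "risk": 3},
    "erp.ap.approve_payment": {"description": "Approve outgoing payments", "risk": 4},
    "erp.gl.read":            {"description": "Read-only view of the general ledger", "risk": 1},
    "db.prod.admin":          {"description": "DBA rights on production databases", "risk": 5},
    "jira.user":              {"description": "", "risk": 1},  # left undocumented on purpose
}

# Constructed roles: the bundle of entitlements a job function is expected to hold.
ROLES = {
    "AP_Clerk":   {"erp.ap.create_vendor", "erp.gl.read"},
    "AP_Manager": {"erp.ap.approve_payment", "erp.gl.read"},
    "Engineer":   {"jira.user"},
}

# Constructed Separation of Duties rules: these entitlement pairs must not be held together.
SOD_POLICIES = [
    ("erp.ap.create_vendor", "erp.ap.approve_payment"),  # create a vendor AND pay that vendor
]

# Constructed identities: assigned roles plus every entitlement actually granted.
IDENTITIES = {
    "alice": {"roles": {"AP_Clerk"},   "entitlements": {"erp.ap.create_vendor", "erp.gl.read"}},
    "bob":   {"roles": {"AP_Manager"}, "entitlements": {"erp.ap.approve_payment", "erp.gl.read",
                                                       "erp.ap.create_vendor"}},
    "carol": {"roles": {"Engineer"},   "entitlements": {"jira.user", "db.prod.admin"}},
}

# Constructed secondary / non-user accounts and the identity each is linked to (None = unowned).
ACCOUNTS = [
    {"account": "svc-backup", "owner": "carol"},
    {"account": "svc-legacy", "owner": None},
]

RISK_THRESHOLD = 5  # constructed value; a board would set this from its own risk appetite


def orphaned_accounts():
    """Linked-account check: accounts whose owner is missing or not a known identity."""
    return [a["account"] for a in ACCOUNTS if a["owner"] not in IDENTITIES]


def undocumented_entitlements():
    """Identification-of-permissions check: entitlements a reviewer could not understand."""
    return sorted(e for e, meta in ENTITLEMENTS.items() if not meta["description"].strip())


def role_entitlements(identity):
    """Union of everything the identity's assigned roles are supposed to grant."""
    return set().union(*(ROLES[r] for r in IDENTITIES[identity]["roles"]))


def out_of_role(identity):
    """Roles check: entitlements granted directly, outside any assigned role."""
    return IDENTITIES[identity]["entitlements"] - role_entitlements(identity)


def risk_score(identity):
    """Risk-based check: sum of the risk weights of every entitlement held."""
    return sum(ENTITLEMENTS[e]["risk"] for e in IDENTITIES[identity]["entitlements"])


def sod_violations():
    """Policy check: identities holding both halves of a Separation of Duties pair."""
    hits = []
    for name, ident in IDENTITIES.items():
        for a, b in SOD_POLICIES:
            if a in ident["entitlements"] and b in ident["entitlements"]:
                hits.append((name, (a, b)))
    return hits


def build_review_queue(threshold=RISK_THRESHOLD):
    """Assemble the review items an Identity Governance Board would be shown."""
    queue = defaultdict(list)
    queue["orphaned_account"].extend(orphaned_accounts())
    queue["missing_description"].extend(undocumented_entitlements())
    for name in IDENTITIES:
        extra = out_of_role(name)
        if extra:
            queue["out_of_role"].append((name, sorted(extra)))
        score = risk_score(name)
        if score > threshold:
            queue["risk_review"].append((name, score))
    queue["sod_exception"].extend(sod_violations())
    return {k: v for k, v in queue.items() if v}


if __name__ == "__main__":
    for kind, items in build_review_queue().items():
        print(f"{kind}: {items}")
```

Each check maps to one of the areas above, and the combined queue is what the Identity Governance Board would work through: bob is the interesting case, since his directly granted vendor-creation right is both out of role and the half of an SoD pair that conflicts with his payment-approval role, while carol's production DBA right pushes her over the risk threshold even though her assigned role is low risk.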
Implementing an Identity Governance project requires well-defined goals and objectives centered on the IAM lifecycle, linked accounts, identification of permissions, compliance-based reviews, roles, risk-based reviews, and policies. These guidelines, coupled with real-world analogies, provide a comprehensive view of the Identity Governance landscape and lay a solid foundation for a successful implementation.