Have you ever had to respond to this question: “who has access to this file”? It seems easy, doesn’t it? Surely, reporting on who has access to a given file or application and who had it in the past couldn’t be that difficult?
Well, here is the truth: it is!
This post was originally published on Oct 24, 2019. It has since been updated for better readability.
If you haven’t come across this matter yourself, you’ll have to trust my 20+ years of experience. Or, you can always go and try asking your friendly IT admin the following question:
“If we needed to get information on who has access to those files and who had it in the past, how would you do it?”
After reading this, I encourage you to try it out at your organization.
Be prepared for a long talk on where all systems fall short and how dispersed the information is. This is a real problem!
Well, for every issue there is a solution: in this case, it’s called Identity and Access Governance (IAG).
Sounds complicated? It doesn’t have to be. Let’s get started!
You’ve just entered the realm of identity and access governance (IAG for short).
Besides being a fancy acronym to stick on your resume, it is also a professional domain that provides solutions for the real identity challenges that you might be facing today.
What kinds of issues does it solve? Let’s face them.
Look at a group in your Active Directory or Office 365 and ask yourself:
Studies show that about 90% of cyber-security breaches are caused by human error (source: Willis Towers Watson research). In most cases, IT team members are not involved; we are talking about non-tech employees.
Considering that roughly 70% of employees don’t even have a basic understanding of cyber-security best practices, you don’t want to take the risk of over-provisioning access, right?
Actually, you will never be able to tell everywhere that group is used. You only control its intended use and its intended members. This is where access governance can help you.
Here’s the thing: you are not the first nor the last person with this problem. This is a common issue at many organizations.
Without burdening you with the gory details, let’s take a look at how IAG processes and tools solve the problem by providing clear visibility into the access granted to users, and how they help to establish a way of keeping it in check for the future.
Ready for a practical explanation of the IAG process? Let’s begin!
Identity and access governance showcased in 5 easy steps!
It all starts with the onboarding. HR sets up a new employee account, and then what? Typically, there is a bunch of requests for this person to be granted access to all the systems. Access requests are based on organizational knowledge: people know what to request or ask for the same access their colleagues have.
Requests are placed in the ticketing system. Tickets are fulfilled by IT / Support departments. This takes time!
Now, how is this different with an IAG process in place:
In this short video, I illustrate what the onboarding process looks like in the Omada IAG tool.
How to use Omada to onboard a user
Over time, as users progress through their employment, they might need additional access to systems. Their job will change, and they will take on new tasks.
We need to ensure the following:
Below is a typical process of access requests and approvals within the organization, implemented as part of access governance.
Access request and approval process
Granting access is easy. But what if you need to block access for a specific user quickly? You can use emergency lockout to revoke access temporarily while the situation is resolved, or until the full de-provisioning process kicks in.
Enabling emergency lockout in Omada
With processes in place to manage access to systems, you gain one very important superpower: transparency! It is now visible which permissions are granted on which systems, which of them were requested and approved, and which are simply there with no clear indication of why.
This is our state of compliance. With all access rights gathered in one place, regardless of their state, we can take a look at where we are. It might take the form of a compliance dashboard.
This is a one-stop shop to get an overview of your organization’s access landscape. Green is what we want; all the other colors are what we’re starting out with.
But there is a lot of color other than green on this dashboard. Let’s look at how to fix it.
Let’s face it. The majority of us will start in the unknown state (everything but green on our dashboard). We know that these permissions are there. We know people have been granted access rights. However, we don’t know why, or whether they should keep them.
Once you have a window into your current status, you can use it as a starting point to make it right. In terms of access governance, it is called the attestation process. Simply put:
Instead of trying to figure out from one central point if the permissions are correct, you can delegate this task to multiple people with a better business perspective. The sum of these tasks is your compliance state.
Here is a short video on how this process looks, implemented in the Omada IAG tool.
Setting up a survey on permissions
With all of the above, you can finally start answering the question of “who has access to this file?”. Access governance processes with the right tools ensure that all actions such as
are stored in an audit database and are ready for you to review. Typically, each such solution comes with a canned set of reports, ways to create more if needed, or data export to external systems.
Built-in reporting and auditing capabilities make it easy to address common audit and compliance requests.
You can answer questions about current access, point-in-time access rights and historical changes.
Even if an employee is no longer with your company and they’re gone from your HR system, you can still review that person’s permissions.
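The audit-database questions above (current access, point-in-time access, historical changes, and the green-versus-unknown compliance state, including the temporary emergency lockout described earlier) as a worked example. This is added illustration code, not Omada’s or the post’s own; the event types, the ledger rows and the rule that “green” means a recorded approval plus an attestation are my assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:               # one row of the audit database
    at: str                # ISO-8601 date; this format sorts and compares correctly as text
    action: str            # "grant" | "revoke" | "lockout" | "release" | "attest"
    user: str
    resource: str
    by: Optional[str]      # requester/approver/attester; None = legacy access with no recorded approval

# Constructed sample ledger (not real data): two holders of a finance share during 2019.
LEDGER = [
    Event("2019-01-10", "grant",   "alice", "finance-share", "onboarding:mgr-carol"),
    Event("2019-01-10", "grant",   "bob",   "finance-share", None),
    Event("2019-03-01", "attest",  "alice", "finance-share", "survey:mgr-carol"),
    Event("2019-06-15", "lockout", "bob",   "finance-share", "secops"),
    Event("2019-07-01", "revoke",  "bob",   "finance-share", "offboarding"),
]

def access_at(ledger, resource, when):
    """Replay the ledger up to `when`: who holds `resource`, and whether each entitlement is active or locked out."""
    holders, locked = set(), set()
    for e in sorted(ledger, key=lambda e: e.at):
        if e.resource != resource or e.at > when:
            continue
        if e.action == "grant":
            holders.add(e.user)
        elif e.action == "revoke":        # full de-provisioning: the entitlement disappears
            holders.discard(e.user)
            locked.discard(e.user)
        elif e.action == "lockout":       # emergency lockout: entitlement kept but suspended
            locked.add(e.user)
        elif e.action == "release":       # lockout lifted once the situation is resolved
            locked.discard(e.user)
    return {u: ("locked" if u in locked else "active") for u in sorted(holders)}

def history(ledger, resource, user):
    """Every recorded change for one user on one resource, oldest first (still answerable after the user leaves HR)."""
    return [(e.at, e.action, e.by) for e in sorted(ledger, key=lambda e: e.at)
            if e.resource == resource and e.user == user]

def compliance_state(ledger, resource, when):
    """Dashboard colour per current holder: green only with a recorded approval AND an attestation."""
    colours = {}
    for user in access_at(ledger, resource, when):
        mine = [e for e in ledger if e.resource == resource and e.user == user and e.at <= when]
        approved = any(e.action == "grant" and e.by is not None for e in mine)
        attested = any(e.action == "attest" for e in mine)
        colours[user] = "green" if approved and attested else "unknown"
    return colours
```

Asking `access_at(LEDGER, "finance-share", "2019-06-20")` returns bob as `locked` rather than gone, which is exactly the distinction between emergency lockout and de-provisioning.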
That was quite a journey! These 5 practical cases do not fully cover all of the access governance topics. There is so much more to talk about.
There are different actors and stakeholders in each of the processes. You will have tasks related to the management of your role and permission models. Then there are application and system owners, and different variations of approval processes.
As I tried to demonstrate, access governance doesn’t have to be a complicated process – with the right tool!
Instead of wondering who manages access to a given resource, you get a clear and easy way to discover a catalog of all access available to you.
IT or compliance executives won’t have to try to figure out what a given person does in their job in advance. The onboarding process makes it easy for a new employee’s direct manager to grant all the necessary permissions.
And finally, instead of time-consuming approaches to building reports around existing access, we have a clear attestation process with complete records stored in the audit database.
If you want to read more on the subject, Omada’s IdentityPROCESS+ guide is a good start to understanding all these areas and what is required at your organization.
In fact, this might be a great start to your career as an IAG professional. Or maybe just a journey to make your organization safer, easier to manage, with fewer troubles to answer the simple question of: “who has access to this file?”.