See How To Master Access Governance In 5 Easy Steps

Have you ever had to respond to this question: “who has access to this file”? It seems easy, doesn’t it? Surely, reporting on who has access to a given file or application and who had it in the past couldn’t be that difficult?

Well, here is the truth: it is!

Key points
  • What is access governance and what does it apply to?
  • How could you use IAG processes in practice?
  • Where can you find more information?

This post was originally published on Oct 24, 2019. It has since been updated for better readability.


If you haven’t come across this matter yourself, you’ll have to trust my 20+ years of experience. Or, you can always go and try asking your friendly IT admin the following question:

“If we needed to get information on who has access to those files and who had it in the past, how would you do it?”

After reading this, I encourage you to try it out at your organization.

Be prepared for a long talk on where all systems fall short and how dispersed the information is. This is a real problem!

Well, for every issue there is a solution: in this case, it’s called Identity and Access Governance (IAG).

Sounds complicated? It doesn’t have to be. Let’s get started!

Identity and access governance: why all the fuss?

Congratulations!

You’ve just entered the realm of identity and access governance (IAG for short).

Besides being a fancy acronym to stick on your resume, it is also a professional domain that provides solutions for the real identity challenges that you might be facing today.

What kinds of issues does it solve? Let’s face them.

Look at a group in your Active Directory or Office 365 and ask yourself:

  • Why are all these people there and who put them there?
  • Are these folks in the right groups?
  • What resources has this group been granted access to? Are we sure about this access?

Studies show that about 90% of cyber-security breaches are caused by human error (source: Willis Towers Watson research). In most cases, IT team members are not involved; we are talking about non-tech employees.

Considering that roughly 70% of employees don’t even have a basic understanding of cyber-security best practices, you don’t want to take the risk of over-provisioning access, right?

Note: It’s easy to create a group. But, the moment you create one, you lose control of how other people will use it. You may have created a group to manage access to a particular workspace, but someone else might use it for different purposes.

Actually, you will never be able to tell where it is used. You only control its intended use and intended members. This is where access governance can help you.

Here’s the thing: you are not the first nor the last person with this problem. This is a common issue at many organizations.

Without burdening you with the gory details, let’s take a look at how IAG processes and tools solve the problem by providing clear visibility into the access granted to users, and how they help to establish a way of keeping it in check for the future.

Note: I will be using Omada Identity Suite as the tool of choice; however, the same principles apply to other products in this space. You can read about these processes in a tool-agnostic format in the IdentityPROCESS+ guide, provided as a free download on Omada’s website, or in one of my previous articles.

Ready for a practical explanation of the IAG process? Let’s begin! Identity and access governance showcased in 5 easy steps!

Step #1: Onboarding: Make it right from the start

It all starts with the onboarding. HR sets up a new employee account, and then what? Typically, there is a bunch of requests for this person to be granted access to all the systems. Access requests are based on organizational knowledge: people know what to request or ask for the same access their colleagues have.

Requests are placed in the ticketing system. Tickets are fulfilled by IT / Support departments. This takes time!

Now, here is how this differs with an IAG process in place:

  1. Hiring a person triggers an onboarding process
  2. The onboarding process is routed to a person closest to the new hire from a business perspective, e.g. their manager
  3. Basic access rights are granted automatically
  4. Additional access rights are requested for the user by the manager during the onboarding process.

In this short video, I illustrate what the onboarding process looks like in the Omada IAG tool.

How to use Omada to onboard a user

Quick win: Correct access from day one. With all the appropriate assignment policies predefined, the new identity automatically gets access to basic rights with minimal effort from IT, HR, and the hiring manager. Additional access rights are requested on the spot by the line manager during onboarding.

Step #2: Access. It is all about access!

Over time, as users progress through their employment, they might need additional access to systems. Their job will change, and they will take on new tasks.
We need to ensure the following:

  1. Users can request additional access to business applications
  2. Managers and systems owners can approve or deny access
  3. Access is provisioned automatically for the user, or routed for manual provisioning
  4. The user has clear visibility into the process and its current stage.

Below is a typical process of access requests and approvals within the organization, implemented as part of access governance.

Access request and approval process

Quick win: The user has a clear path for requesting additional access. New access rights are approved with a clear process. Once approved, there are no unnecessary delays in the provisioning of new access rights. All decisions are audited and documented.

Granting access is easy. But what if you need to block access for a specific user quickly? You can use emergency lockout to revoke access temporarily, then wait for the situation to be resolved before the full de-provisioning process kicks in.

Enabling emergency lockout in Omada

Step #3: Compliance is king: using the magical powers of your Compliance Dashboard

With processes in place to manage access to systems, you gain one very important superpower: transparency! It’s now visible which permissions are granted to which systems, which of them were requested and approved, and which are just there with no clear indication of why.

This is our state of compliance. With all access rights gathered in one place, regardless of their state, we can take a look at where we are. It might take the form of a Compliance Dashboard.

This is a one-stop shop to get an overview of your organization’s access landscape. Green is what we want; all the other colors are what we’re starting out with.

Compliance Dashboard in Omada Identity Suite

Quick win: A single place to visually assess the current state of access rights within an organization. Visual controls indicate whether we are in the right place (green is our target state) or if we still have a way to go.

But, there is a lot of color other than green on this dashboard. Let’s look at how to fix it.


Step #4: Attestation made easy! How to find out what you have?

Let’s face it. The majority of us will start in a state of unknown (all but green on our dashboard). We know that these permissions are there. We know people have been granted access rights. However, we don’t know why, and whether they should keep them.

Once you have a window into your current status, you can use it as a starting point to make it right. In terms of access governance, it is called the attestation process. Simply put:

  1. Start with the current state. Define what you want to review
  2. Set up a survey for business owners (managers) or system owners. Ask them whether the access permissions are in place as they should be
  3. Gather responses and process them in the system
  4. Provision or de-provision permissions based on the responses.

Instead of trying to figure out from one central point if the permissions are correct, you can delegate this task to multiple people with a better business perspective. The sum of these tasks is your compliance state.

Here is a short video on how this process looks, implemented in the Omada IAG tool.

Setting up a survey on permissions

KEY TAKEAWAYS: With tools and processes in place, you can quickly assess the current state of permissions and gain control of the system. You can also repeat this process regularly or assess specific permissions if they don’t seem to be correct.

Step #5: All you need is in the reports!

With all of the above, you can finally start answering the question of “who has access to this file?”. Access governance processes with the right tools ensure that all actions such as

  • Identity onboarding and offboarding
  • Application and data access granted and the approval process
  • Additional access requests
  • Emergency lockouts
  • Attestation process and decisions

are stored in an audit database and are ready for you to review. Typically, each such solution comes with a canned set of reports, ways to create more if needed, or data export to external systems.

Identities report in Omada Identity Suite

Built-in reporting and auditing capabilities make it easy to address common audit and compliance requests.

Identity details report in Omada Identity Suite

You can answer questions about current access, point-in-time access rights and historical changes.

Identity resource history in Omada Identity Suite

Even if an employee is no longer with your company and they’re gone from your HR system, you can still review that person’s permissions.

Reporting audit in Omada Identity Suite
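As an added example (not code from this post or from Omada), here is a small, constructed model of the audit database that Steps 1, 2, 4 and 5 rely on: onboarding grants, emergency lockouts, attestation decisions and offboarding are all appended as events, and the queries replay them to answer who has access to a resource now, who had it on a given date, which access is still unattested (the non-green part of the dashboard), and what an offboarded identity's full history was. All names, dates and the event schema are made up for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Event:                 # one row of the audit database (constructed schema)
    day: date
    identity: str
    resource: str
    action: str              # grant | revoke | lockout | restore
    actor: str               # manager, system owner, attester, import job
    reason: str              # onboarding | request | discovered | attestation | ...

class AuditLog:
    """Append-only log; every query replays events instead of mutating state."""
    def __init__(self): self.events = []
    def record(self, day, identity, resource, action, actor, reason):
        self.events.append(Event(day, identity, resource, action, actor, reason))
    def _latest(self, resource, day):
        """Latest event per identity for `resource` on or before ISO date `day`."""
        day = date.fromisoformat(day) if day else date.max
        return {e.identity: e for e in sorted(self.events, key=lambda e: e.day)
                if e.resource == resource and e.day <= day}
    def who_has_access(self, resource, day=None):
        return sorted(i for i, e in self._latest(resource, day).items()
                      if e.action in ("grant", "restore"))
    def unattested(self, resource, day=None):
        """Access with no documented decision: the non-green dashboard part."""
        return sorted(i for i, e in self._latest(resource, day).items()
                      if e.action == "grant" and e.reason == "discovered")
    def attest(self, day, attester, resource, decisions):
        """Apply survey answers ({identity: 'keep' | 'remove'}) as new events."""
        for identity, verdict in decisions.items():
            action = "revoke" if verdict == "remove" else "grant"
            self.record(day, identity, resource, action, attester, "attestation")
    def history(self, identity):
        """Full trail for one identity, retained after HR offboarding."""
        return [(e.day.isoformat(), e.resource, e.action, e.reason)
                for e in sorted(self.events, key=lambda e: e.day)
                if e.identity == identity]

def sample_log():
    """Constructed events for one file share; names and dates are made up."""
    log, fs = AuditLog(), "finance-share"
    log.record(date(2019, 1, 7), "alice", fs, "grant", "bob", "onboarding")
    log.record(date(2019, 1, 7), "carol", fs, "grant", "import-job", "discovered")
    log.record(date(2019, 6, 15), "alice", fs, "lockout", "secops", "incident")
    log.record(date(2019, 6, 20), "alice", fs, "restore", "secops", "incident")
    log.attest(date(2019, 9, 30), "dave", fs, {"alice": "keep", "carol": "remove"})
    log.record(date(2019, 12, 1), "alice", fs, "revoke", "hr-feed", "offboarding")
    return log
```

Replaying the log for the sample share shows carol's discovered access as unattested in April, the lockout hiding alice in June, and carol's history surviving her removal.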

Wrapping up

That was quite a journey! These 5 practical cases do not fully cover all of the access governance topics. There is so much more to talk about.

There are different actors and stakeholders in each of the processes. You will have tasks related to the management of your role and permission models. Then there are applications and system owners, and different variations of approval processes.

As I tried to demonstrate, with the right tool, access governance doesn’t have to be a complicated process!

Instead of wondering who manages access to a given resource, you get a clear and easy way to discover a catalog of all access available to you.

IT or compliance executives won’t have to try to figure out what a given person does in their job in advance. The onboarding process makes it easy for a new employee’s direct manager to grant all the necessary permissions.

And finally, instead of time-consuming approaches to building reports around existing access, we have a clear attestation process with complete records stored in the audit database.

Further reading

If you want to read more on the subject, Omada’s IdentityPROCESS+ guide is a good start to understanding all these areas and what is required at your organization.

In fact, this might be a great start to your career as an IAG professional. Or maybe just a journey to make your organization safer and easier to manage, with less trouble answering the simple question: “who has access to this file?”.

Summary
  1. With access governance you can simply implement processes which mitigate the risk of over-provisioning access to your resources.
  2. You can use IAG to set up a standard procedure for the onboarding process, then assign and revoke permissions later as necessary. You also get a complete insight into the state of resource access at your organization which will help you take the appropriate action. Finally, you have reports on all access-related actions in your systems for full transparency and compliance.
  3. Check out the links and guides mentioned in this article for more information.
