Provisioning is not access governance
by Deepak Taneja - CTO at Aveksa - Friday, 17 August 2012.
Organizations of all sizes face ever-stricter regulatory and security requirements to protect their data, and that of their customers. But user provisioning systems alone cannot meet these needs because they do not provide an enterprise-wide view of user entitlements in a view business managers can understand. In addition, they do not provide the ongoing policy enforcement required to assure regulatory and security compliance as user roles and business needs change.

A true access governance platform extends the reach of existing provisioning systems to provide an enterprise-wide view of entitlements in language business managers can understand. When integrated with a provisioning system, access governance solutions can dynamically and automatically change entitlements to avoid regulatory or security lapses, and ensure the organization can pass internal or external audits.

Where provisioning falls short

Provisioning systems automated what had become a cumbersome process of managing the lifecycle of user accounts which were shared or used by multiple applications. These provisioning systems connect to user directories or account repositories to establish, for each user, their log-in credentials, their profile attributes (such as name, title, department and office) and the group memberships that enable the user to access certain applications.

With this information, a provisioning system can tell who a user is, the accounts each user maintains and the associated account attributes and group memberships. However, it cannot determine the user’s entitlements – the critical details of exactly what each user can and cannot do with the enterprise’s applications and data. That is because applications, hosts and shared security solutions across the enterprise rely on their own policies and infrastructure to bind user accounts to application access entitlements.

It is these specific policy bindings that assure, for example, the proper separation of duties (such as those that keep the same employee from submitting and approving an expense report) or that block an unauthorized employee from seeing a customer’s credit card numbers.

Provisioning systems have no knowledge of these applications and systems or of the account-to-entitlement policy bindings. This infrastructure is usually visible to and accessible by only the IT staff, not business managers. As a result, IT security teams and application owners each use their own ad-hoc solutions such as spreadsheets to track entitlements, tag them with business descriptions and certify access.

But these manual approaches are time-consuming, error-prone and not scalable as the business and its regulatory and security requirements grow. They also lead to “entitlement drag,” which occurs when a user changes job functions or business roles due to a transfer, promotion, or reassignment. Because user provisioning systems cannot provide a complete, composite view of each user’s access over time, users may continue to have access they shouldn’t have based on their new role. This leads to a risk of security breaches and compliance violations.

The final shortfall of provisioning systems is that they were designed to reduce administration overhead for IT administrators but not for use by business users. They present information about entitlements in security syntax that means little or nothing to a line of business owner.

If business owners cannot see the descriptions of a user’s entitlements in language they can understand, they may simply rubber-stamp access certifications without knowing whether each is actually appropriate. This, again, poses a risk to both security and regulatory compliance.

Access governance: What you need

An access governance system helps business managers – those with the most insight and the most at stake in controlling user access – determine exactly what each user can do within each application.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th