The final shortfall of provisioning systems is that they were designed to reduce administration overhead for IT administrators but not for use by business users. They present information about entitlements in security syntax that means little or nothing to a line of business owner.
If business owners cannot see the descriptions of a user’s entitlements in language they can understand, they may simply rubber-stamp access certifications without knowing whether each is actually appropriate. This, again, poses a risk to both security and regulatory compliance.
Access governance: What you need
An access governance system helps business managers – those with the most insight and the most at stake in controlling user access – determine exactly what each user can do within each application.
It provides both compliance and auditability through visibility into, and ongoing management of, which users have access to what resources, who approved that access and whether the access is appropriate as users’ roles and the needs of the business change.
Unlike provisioning systems, an access governance system collects information about user identities, entitlements, and roles from all information resources, including (but not limited to) provisioning systems. It enables business policies to be implemented as controls to ensure that regulatory compliance and risk management objectives are met.
Finally, it establishes collaborative processes among line-of-business owners and IT security managers for access certifications, access change management, and metrics-driven management of user roles.
Access governance systems present information about access rights and entitlements in a business, not a technical context. This means business owners understand the entitlements they are being asked to approve or reject, which means improved security and regulatory compliance.
Access governance systems also provide more complete audit trails than provisioning systems because they provide the IT security and compliance team unmatched visibility into fine-grained entitlements across the enterprise.
Rather than replacing user provisioning systems, access governance systems can be synchronized with them (see sidebar) to provide closed-loop enforcement of consistent, auditable access control policies.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.