Provisioning is not access governance

Organizations of all sizes face ever-stricter regulatory and security requirements to protect their data, and that of their customers. But user provisioning systems alone cannot meet these needs because they do not provide an enterprise-wide view of user entitlements in a view business managers can understand. In addition, they do not provide the ongoing policy enforcement required to assure regulatory and security compliance as user roles and business needs change.

A true access governance platform extends the reach of existing provisioning systems to provide an enterprise-wide view of entitlements in language business managers can understand. When integrated with a provisioning system, access governance solutions can dynamically and automatically change entitlements to avoid regulatory or security lapses, and ensure the organization can pass internal or external audits.

Where provisioning falls short
Provisioning systems automated what had become a cumbersome process of managing the lifecycle of user accounts which were shared or used by multiple applications. These provisioning systems connect to user directories or account repositories to establish, for each user, their log-in credentials, their profile attributes (such as name, title, department and office) and the group memberships that enable the user to access certain applications.

With this information, a provisioning system can tell who a user is, the accounts each user maintains and the associated account attributes and group memberships. However, it cannot determine the user’s entitlements – the critical details of exactly what each user can and cannot do with the enterprise’s applications and data. That is because applications, hosts and shared security solutions across the enterprise rely on their own policies and infrastructure to bind user accounts to application access entitlements.

It is these specific policy bindings that assure, for example, the proper separation of duties (such as those that keep the same employee from submitting and approving an expense report) or that block an unauthorized employee from seeing a customer’s credit card numbers.

Provisioning systems have no knowledge of these applications and systems or of the account-to-entitlement policy bindings. This infrastructure is usually visible to and accessible by only the IT staff, not business managers. As a result, IT security teams and application owners each use their own ad-hoc solutions such as spreadsheets to track entitlements, tag them with business descriptions and certify access.

But these manual approaches are time-consuming, error-prone and not scalable as the business and its regulatory and security requirements grow. They also lead to “entitlement drag,” which occurs when a user changes job functions or business roles due to a transfer, promotion, or reassignment. Because user provisioning systems cannot provide a complete, composite view of each user’s access over time, users may continue to have access they shouldn’t have based on their new role. This leads to a risk of security breaches and compliance violations.

The final shortfall of provisioning systems is that they were designed to reduce administration overhead for IT administrators but not for use by business users. They present information about entitlements in security syntax that means little or nothing to a line of business owner.

If business owners cannot see the descriptions of a user’s entitlements in language they can understand, they may simply rubber-stamp access certifications without knowing whether each is actually appropriate. This, again, poses a risk to both security and regulatory compliance.

Access governance: What you need
An access governance system helps business managers – those with the most insight and the most at stake in controlling user access – determine exactly what each user can do within each application.

It provides both compliance and auditability through visibility into, and ongoing management of, which users have access to what resources, who approved that access and whether the access is appropriate as users’ roles and the needs of the business change.

Unlike provisioning systems, an access governance system collects information about user identities, entitlements, and roles from all information resources, including (but not limited to) provisioning systems. It enables business policies to be implemented as controls to ensure that regulatory compliance and risk management objectives are met.

Finally, it establishes collaborative processes among line-of-business owners and IT security managers for access certifications, access change management, and metrics-driven management of user roles.

Access governance systems present information about access rights and entitlements in a business, not a technical context. This means business owners understand the entitlements they are being asked to approve or reject, which means improved security and regulatory compliance.

Access governance systems also provide more complete audit trails than provisioning systems because they provide the IT security and compliance team unmatched visibility into fine-grained entitlements across the enterprise.

Rather than replacing user provisioning systems, access governance systems can be synchronized with them (see sidebar) to provide closed-loop enforcement of consistent, auditable access control policies.