The objectives of identity and access governance are to manage risk and ensure compliance in a consistent, efficient and effective manner. These objectives are:
- Availability—Business data and applications are available when and where they are needed.
- Integrity—Data can only be manipulated in ways that are authorized.
- Confidentiality—Data can be accessed only by authorized individuals and cannot be passed to other individuals who are not authorized.
- Privacy—Privacy laws and regulations must be observed.
- Accountability—It should be possible to hold people, organizations and systems accountable for the actions that they perform.
- Transparency—Systems and activities can be audited.
Access governance is not just about implementing access governance tools instead of provisioning tools; it is about implementing governance processes. The governance process is composed of three major phases. The initial phase is to understand the business needs and obtain approval for a plan of action. A key objective of this initial phase is to get executive sponsorship, which is critical to the success of any identity and access project. The second phase is to define the organizational needs and to produce a set of metrics and controls. The third phase is to monitor the controls and manage divergence. Governance requires well-described processes, guidelines and books of rules.
Who is responsible?
The responsibilities for identity and access lie with the lines of business, the owners of data and applications, and IT management. The actual division of responsibilities will vary among organizations; the following provides an illustration.
- The owners of data and application services are responsible for classifying the sensitivity of data.
- The lines of business managers are responsible for defining what access individuals within their organization should have to the applications and data.
- The HR department, in conjunction with line management, is responsible for performing background checks on new employees, initiating the on-boarding processes that give the access to IT systems, and initiating the off-boarding processes that remove access rights for employees leaving the organization.
- IT management is responsible for ensuring that the identity and access infrastructure is installed, configured and functioning correctly.
- The legal department is responsible for setting up the legal agreements for identity federation with partner and supplier organizations, as required by corporate management or line of business owners.
- Lines of business owners are also responsible for the control of access to systems by external users such as customers and partners.
In order to govern identity and access, there needs to be a set of measures against which performance can be judged. It is important that the performance at the IT process level can be related back to the strategic business requirements. For example, if a strategic goal of an organization is to comply with EU privacy legislation, then it needs to process the personally identifiable data that it holds within legally defined parameters. The identity and access processes necessary to meet these requirements include:
- The organization needs to know what relevant data it holds and to classify this data accordingly.
- Identity management processes need to correctly manage the user’s lifecycle in a timely manner.
- The access management process needs to control which users have access to information. It also needs to ensure that users with privileged access do not make unauthorized access to data.
- Processes must be in place to monitor and review which users have access rights to the personal data and which users have actually made access.
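The four processes above can be checked mechanically during an access review. The following is an added example (not code from the article or from any governance product) that reconciles a data classification, an HR lifecycle status list, granted entitlements and an access log; all names, applications and log lines are constructed for illustration.

```python
from collections import namedtuple
Finding = namedtuple("Finding", "kind user app")

# Constructed sample data (hypothetical). Classification supplied by the application owners.
CLASSIFICATION = {"payroll": "personal", "wiki": "internal"}
# Lifecycle status from the HR on-/off-boarding process.
HR_STATUS = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "active"}
# Entitlements currently granted in the access-management system.
ENTITLEMENTS = [
    ("alice", "payroll", "read"),
    ("bob", "payroll", "read"),     # left the organization, access not removed
    ("carol", "payroll", "admin"),  # privileged access to personal data
    ("carol", "wiki", "read"),
    ("dave", "payroll", "read"),    # granted but never used
]
# Access log lines (constructed) showing who actually accessed what.
ACCESS_LOG = [
    "2024-05-01T09:00Z user=alice app=payroll action=read",
    "2024-05-01T10:00Z user=bob app=payroll action=read",
    "2024-05-02T11:30Z user=carol app=payroll action=export",
    "2024-05-02T12:00Z user=erin app=payroll action=read",  # no entitlement on record
]

def parse_log(lines):
    """Turn 'timestamp key=value ...' lines into dicts, dropping the timestamp."""
    return [dict(kv.split("=", 1) for kv in line.split()[1:]) for line in lines]

def review(hr_status, entitlements, classification, log_lines):
    """Reconcile HR status, granted entitlements and observed access; return findings."""
    findings = []
    entitled = {(u, a) for u, a, _ in entitlements}
    accessed = set()
    for ev in parse_log(log_lines):
        key = (ev["user"], ev["app"])
        accessed.add(key)
        if key not in entitled:
            findings.append(Finding("access_without_entitlement", *key))
        elif hr_status.get(ev["user"]) != "active":
            findings.append(Finding("access_by_inactive_user", *key))
    for user, app, level in entitlements:
        personal = classification.get(app) == "personal"
        if hr_status.get(user) != "active":
            findings.append(Finding("orphaned_entitlement", user, app))
        if personal and level == "admin":
            findings.append(Finding("privileged_on_personal_data", user, app))
        if personal and (user, app) not in accessed:
            findings.append(Finding("unused_entitlement", user, app))
    return findings
```

Each finding maps back to one of the listed processes: orphaned and inactive-user findings to the lifecycle process, privileged findings to access control, and the unused and unentitled findings to the monitoring and review process.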
Managing who can access what is fundamental to information security and to compliance with laws and regulations. Experience has shown that a technology-led approach to this is not effective; what is needed is good governance rather than more technology. One way to attain this is by adopting a holistic governance and management framework such as COBIT 5.