Measuring Identity Governance – Five practical steps

It’s a fair assumption that you’re not measuring your organisation’s identity access governance (IAG). And, if you are, it’s likely to be via an indirect measure, such as the risk of data breaches. But first, let’s begin by defining the functional pillars of identity governance as privileged identity management, access management and identity lifecycle management.

IAG is more than just ensuring compliance with the next rapidly approaching audit. It’s about providing a frictionless operating environment that leads your business towards growth whilst reducing your exposure to risk.

It is an ongoing program of defining, implementing and monitoring the effectiveness of the controls that you have put in place. Without this, it can be difficult to maintain the right level of corporate sponsorship and secure ongoing investment into IAG.

The effects of IAG, especially in the area of risk-based governance, can’t always be easily quantified using traditional ‘cost-saving’ ROI methods. Yet, measuring is vital to maintain a clear business case for IAG initiatives.

To avoid nasty surprises, such as a failed audit or security vulnerabilities, we suggest the following five practical steps as a starting point.

  1. Assess your organisation’s IAG maturity. Determine what is and isn’t feasible within your current posture. Failing to do so will lead to frustration, misspent money and wasted time – and subsequently stalled or failed projects. ‘Maturity models’ can be a help. But since every company has a different IAG journey, it’s likely you’ll have to develop a personalised version. And, if you’re embarking on the company’s first IAG initiative or deciding where to invest next, you should ask what investments the company is making in digital acceleration, how IAG can help there, and how well positioned your company is, given the potential investment, to move up the maturity model to your intended target.
  2. Prepare a complete picture of the status quo. This will be vital in determining your Key Risk Indicators (KRIs). Risk arising from operational factors such as inconsistencies, availability, redundancies and compliance carries negative potential for your company. Include all categories of user persona and provide a risk landscape to evaluate. For example, many organisations have hundreds of SaaS products live at any one time and no clear processes defined or implemented for identity lifecycle around them. Identify ‘access silos’ that operate by different rules. Consider the privileged identity management pillar, how IAG applies to elevated system administration functions within key business applications such as finance, and the nature of this access when it is held by outsourced contractors and vendors. Define how new accounts can be created and accessed in the future to resolve problems whilst reducing your risk exposure. Model the risks inherent in your approach. And don’t be afraid to call in the experts when you lack the internal skills to make these calls. Often a fresh pair of eyes provides a different and useful perspective.
  3. Fill the gaps. Work with your teams to build an approach that irons out inconsistencies whilst defining and implementing controls that are enforced and reported by the IAG system. Depending upon the nature of the company and the prioritised problems from Step 2, this approach may be policy or technology based. In either case, you’ll need to ensure that appropriate controls are in place and that they can be measured. Controls such as ‘segregation of duties’ (SoD) help eliminate combinations or types of access that pose a security risk. Assign ownership to key applications and privileged identities, with a unified ‘centre’ for access that includes two-factor authentication, plus monitoring and recording of access.
  4. Establish, monitor and share key IAG goal and performance indicators. Ensuring that your IAG controls are working and that you’re on your way to meeting your goals is essential to planning and to knowing where to stop. Sharing these results with your sponsors helps to ensure the longevity of investment into the phased IAG program of work. There are many ways and many perspectives when measuring the success of an IAG project. KPIs needn’t be hard to define; some are very tangible, whilst others are likely to be trends. Ask yourself whether the trends are increasing or decreasing, and what a justifiable and acceptable steady state for each trend looks like. Examples could include passing your IT audit; reducing the number of orphan/dormant accounts; providing secure access request/release for privileged system accounts; end-user authentication; increasing the number of systems supporting single sign-on (SSO) to reduce the number of passwords; and reducing the number of segregation of duties (SoD) failures through effective access request.
  5. Regularly monitor and review your approach, and manage by risk. IAG should be considered an ongoing journey of continual refinement of KPIs, as business goals inevitably change over time. IAG is not a one-off program with a beginning, middle and end. Occasional stops and route changes are needed to ensure you’re gaining maximum value.
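The KRI baseline in Step 2 and the KPIs listed in Step 4 (orphan/dormant accounts, SoD failures) can be computed directly from an account inventory joined to an authoritative HR feed. The following is an added example, not code from the article or from One Identity; the HR records, accounts, role names, 90-day dormancy threshold and the single SoD rule are all constructed for illustration.

```python
from datetime import date

# Constructed sample data: an HR feed (authoritative source of who is employed)
# and an account inventory pulled from target systems. Not real organisational data.
AS_OF = date(2024, 6, 30)
DORMANT_DAYS = 90  # assumed threshold; tune to your own policy

HR = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated"},   # left the company, account never removed
    "carol": {"status": "active"},
}

ACCOUNTS = [
    {"id": "alice@erp", "owner": "alice", "last_login": date(2024, 6, 28),
     "roles": {"ap_invoice_create", "ap_invoice_approve"}},   # SoD conflict
    {"id": "bob@erp", "owner": "bob", "last_login": date(2024, 1, 5),
     "roles": {"ap_invoice_create"}},                         # orphan + dormant
    {"id": "carol@crm", "owner": "carol", "last_login": date(2024, 2, 1),
     "roles": {"sales_read"}},                                # dormant only
    {"id": "svc_backup", "owner": None, "last_login": date(2024, 6, 29),
     "roles": {"db_admin"}},                                  # privileged, no owner
]

# Segregation-of-duties rules: role pairs one identity must never hold together.
SOD_RULES = [("ap_invoice_create", "ap_invoice_approve")]


def orphan_accounts(accounts, hr):
    """Accounts with no owner, or whose owner is not an active employee in HR."""
    return sorted(a["id"] for a in accounts
                  if a["owner"] is None
                  or hr.get(a["owner"], {}).get("status") != "active")


def dormant_accounts(accounts, as_of, days):
    """Accounts not used for more than `days` days as of the reporting date."""
    return sorted(a["id"] for a in accounts
                  if (as_of - a["last_login"]).days > days)


def sod_violations(accounts, rules):
    """Every (account, role1, role2) where a rule's conflicting pair is both held."""
    return [(a["id"], r1, r2) for a in accounts for r1, r2 in rules
            if r1 in a["roles"] and r2 in a["roles"]]


def iag_kpis(accounts=ACCOUNTS, hr=HR, as_of=AS_OF,
             dormant_days=DORMANT_DAYS, rules=SOD_RULES):
    """One report run; track these counts over time to see the trend."""
    return {"orphan": orphan_accounts(accounts, hr),
            "dormant": dormant_accounts(accounts, as_of, dormant_days),
            "sod": sod_violations(accounts, rules)}
```

Run this on each review cycle and chart the lengths of the three lists; a flat or rising orphan or SoD count is the signal that a control from Step 3 is not being enforced.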

Governance is about improvement, accountability and responsibility. And there are clear and quantifiable benefits to be had from effective IAG. Successful IAG initiatives deliver much more than protection against the cost of crime and data breaches. A risk-aware enterprise that provides secure and effective access puts itself in the very best position to be competitive and innovative in an increasingly aggressive global marketplace.

About the Author

As Technical Director for EMEA at One Identity, Paul Walker is committed to supporting customers in achieving their digital goals through the adoption of IAM.