Governance over IT systems is becoming increasingly important as information is accessed from a wider variety of devices and locations than ever before. Managing employee access in a controlled and responsible way is a duty for every organisation, both to reduce organisational risk and to meet compliance obligations.
Governance can be seen as the framework of processes and practices that support the strategic direction of a company, together with the ability to measure them against risk, compliance and regulatory objectives. To achieve this, the IT strategy must ensure that staff have access ONLY to the assets they need to do their job, and no more, thus enforcing the principle of ‘least privilege’.
Identity Management Systems have been developed to automate the expensive and time-consuming task of provisioning and de-provisioning employee access. However, there is a gap between the IT identity strategy and its implementation. Current tools can tell us ‘who has access’, but not ‘why’, ‘whether they should have access’ or ‘what is the minimum access’ required to perform a given role.
idax has been specifically designed to fill the void between IT strategy and the provisioning of access, thus complementing existing IDM systems.
idax gives a single view across the organisation, strengthening the governance framework by providing the intelligence needed to meet information, audit, regulatory and oversight responsibilities.
idax shows what people currently have access to, what they SHOULD have access to and what they SHOULDN’T have access to, together with the associated risk to the company, thus enabling the implementation of ‘least privilege’.
The ISACA white paper gives a full review of identity governance.
Group membership is central to managing identities. An identity is a person (or system account) with access rights at a certain point in time. To manage identities properly, they need to be collected into groups of like individuals. These groups may be:
- organisational (e.g. departments)
- functional (e.g. roles)
- locational (e.g. geographic).
idax also aggregates people into groups based on their similarity to other people in the organisation. Once people are aggregated into groups, it is possible to measure each member's degree of similarity to, or difference from, the other members of the group based on their access rights. This, together with the importance of the assets they have access to, is used to calculate their risk.
If the world stood still and nothing ever changed, there would be little need for access controls. However, in large organisations, things change continuously and the need to monitor, analyse and measure access rights is of great importance in terms of security.
There are a number of events that trigger the assignment or removal of rights:
- A new person joins and needs access rights to do their job
- An employee leaves and access rights need removing
- A person changes department or role and access rights need adjusting
- A new application is acquired and needs assigning
- An employee is given additional responsibilities which alters their access requirements
idax provides intelligence to support these changes. Using analytics, idax determines, in real time, a risk score for the individual in each group they belong to. These risk scores are then used to evaluate whether a provisioning request is safe or requires review.
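The peer-group scoring described in the two passages above (risk from an individual's difference to their group, weighted by asset importance, then reused to judge a provisioning request) can be illustrated with a small model. This is an added example, not idax's algorithm or code; the users, groups, entitlements and asset weights are constructed, and the scoring formula and the review threshold of 3.0 are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample data, not idax's model: asset importance weights (higher = more sensitive)
ASSET_WEIGHT = {"hr_portal": 1.0, "ticketing": 1.0, "crm": 2.0, "payroll_db": 5.0, "prod_unix_root": 8.0}

# Constructed: user -> (group, set of entitlements currently held)
USERS = {
    "alice": ("finance", {"hr_portal", "payroll_db", "ticketing"}),
    "bob":   ("finance", {"hr_portal", "payroll_db", "ticketing"}),
    "carol": ("finance", {"hr_portal", "payroll_db"}),
    "dave":  ("finance", {"hr_portal", "ticketing", "prod_unix_root"}),  # root on prod: unlike his peers
    "erin":  ("sales",   {"crm", "ticketing"}),
    "frank": ("sales",   {"crm", "ticketing", "hr_portal"}),
}

def members_of(users, group):
    """Entitlement sets of everyone in one group."""
    return {name: ents for name, (g, ents) in users.items() if g == group}

def peer_frequency(members):
    """Fraction of the group holding each entitlement: the group's access profile."""
    counts = Counter(e for ents in members.values() for e in ents)
    return {e: c / len(members) for e, c in counts.items()}

def risk_score(entitlements, freq):
    """Sum over held entitlements of (1 - peer frequency) * asset weight (assumed formula).
    Access everyone in the group shares scores 0; rare access to an important asset scores high."""
    return sum((1.0 - freq.get(e, 0.0)) * ASSET_WEIGHT.get(e, 1.0) for e in entitlements)

def score_all(users):
    """Risk score of every user, measured within their own group."""
    scores = {}
    for group in {g for g, _ in users.values()}:
        members = members_of(users, group)
        freq = peer_frequency(members)
        for name, ents in members.items():
            scores[name] = round(risk_score(ents, freq), 3)
    return scores

def outliers(scores, threshold):
    """Users whose score exceeds the threshold, highest first."""
    return sorted((n for n, s in scores.items() if s > threshold), key=lambda n: -scores[n])

def review_request(users, name, new_entitlement, threshold=3.0):
    """Marginal risk of granting one more entitlement; 'safe' below the threshold, else 'review'."""
    group, _ = users[name]
    freq = peer_frequency(members_of(users, group))
    marginal = (1.0 - freq.get(new_entitlement, 0.0)) * ASSET_WEIGHT.get(new_entitlement, 1.0)
    return ("review" if marginal >= threshold else "safe", round(marginal, 3))
```

With this data, dave stands out in finance because root on production is rare among his peers and heavily weighted, while granting carol the ticketing access most of her group already holds scores as safe.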
Audit & Regulatory
Most companies will have internal or external audits of their access rights in order to meet standards of compliance. The audit will require those tasked with access management to demonstrate that regulatory and company standards are met, that the principle of “least privilege” is followed and that all accounts are terminated when an employee leaves.
Responsibility for ensuring staff have “least privilege” access rests with management, who are coming under increasing pressure from legislation and regulation:
- EU Data Protection fines
- NIST Cyber Security Framework
- HMG – 10 Steps to Cyber Security
- PCI Compliance
- ISO 27k compliance
idax is designed to support these functions and demonstrate compliance with standards. For example, access accounts are often still in place when someone leaves the company. Even when the application access rights are removed, the underlying access to the information through Oracle and Unix accounts is often missed. idax will spot these and report on them as requiring review and clean-up.
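The leaver clean-up check described above, reconciling an HR feed against account inventories so that Oracle and Unix accounts left behind after application access was removed are queued for review, as an added example that is not idax's code. The HR records, account inventories and review date are constructed; the two review reasons and the output layout are assumptions.

```python
from datetime import date

# Constructed sample feeds, not idax data. HR: employee id -> (name, leave date, or None if still employed)
HR = {
    "e100": ("alice", None),
    "e101": ("bob", date(2024, 3, 31)),    # leaver
    "e102": ("carol", date(2024, 6, 15)),  # leaver
    "e103": ("dave", None),                # moved department; still employed
}

# Constructed account inventories: system -> {account name: owning employee id}
ACCOUNTS = {
    "app_finance":       {"alice": "e100"},                                 # bob, carol, dave removed here
    "oracle_finance_db": {"ALICE": "e100", "BOB": "e101", "DAVE": "e103"},  # DB accounts still present
    "unix_prod":         {"alice": "e100", "carol": "e102"},                # carol's shell account remains
}

AS_OF = date(2024, 7, 1)  # constructed review date

def review_queue(hr, accounts, app_system, underlying_systems, as_of):
    """Underlying-system accounts needing review: the owner has left ('leaver'), or the owner no
    longer holds the application account that justified the underlying access ('no_app_access')."""
    app_owners = set(accounts[app_system].values())
    findings = []
    for system in underlying_systems:
        for acct, emp in accounts[system].items():
            name, left = hr.get(emp, ("unknown", None))
            if left is not None and left <= as_of:
                findings.append({"system": system, "account": acct, "employee": emp, "name": name,
                                 "reason": "leaver", "days_since_leaving": (as_of - left).days})
            elif emp not in app_owners:
                findings.append({"system": system, "account": acct, "employee": emp, "name": name,
                                 "reason": "no_app_access", "days_since_leaving": None})
    return sorted(findings, key=lambda f: (f["system"], f["account"]))

def summarise(findings):
    """Number of open review items per reason: a figure a key risk indicator can track over time."""
    counts = {}
    for f in findings:
        counts[f["reason"]] = counts.get(f["reason"], 0) + 1
    return counts

if __name__ == "__main__":
    queue = review_queue(HR, ACCOUNTS, "app_finance", ["oracle_finance_db", "unix_prod"], AS_OF)
    for item in queue:
        print(item)
    print(summarise(queue))
```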
Key Risk Indicators
Good governance is not only about having the policies in place to dictate how information should be managed. It is also about being able to measure the status of the policies and hold the right people accountable for the performance of those policies.
idax provides an organisation with the tools to identify and quantify risk, set targets and measure progress against those targets. Accountability can be measured at the department, role and asset ownership level. Senior management can set targets for their managers and track progress. In turn, idax gives managers the tools to monitor the risk of the individuals in their control area and specific information on how to lower that risk through access management.
idax analytics does not require rules to be programmed in before an organisation can start to use it. Its analytics algorithms do the hard work: they perform the groupings, calculate risk and highlight outliers. For the assets, they can extrapolate from the data which applications are high risk and which are not, automatically weighting them accordingly. idax can also infer toxic combinations, all from the distribution patterns of the data. For many organisations this will be all they ever need.
However, we recognise that some organisations may need to refine their toxic combinations or cater for very complicated scenarios. It may also be necessary to adjust the automatic weightings that idax assigns to an organisation's assets, based on precise knowledge of those applications or on the fact that a group is restricted under certain compliance standards, for example Sarbanes-Oxley, and needs to be treated with care. idax is able to accommodate these unique provisions.