Governance over IT systems is becoming increasingly important as information is accessed from a wider variety of devices and locations than ever before. The need to manage employee access in a controlled and responsible way is a duty of concern to all organisations in order to reduce organisational risk and meet compliance.

Governance can be seen as the framework of processes and practises that support the strategic direction of a company and the ability to measure them against risk, compliance and regulatory objectives. In order to achieve this, the IT strategy must ensure that staff ONLY have access to the necessary assets to do their job, and no more, thus enforcing the principle of ‘least privilege’.

Identity Management Systems have been developed to automate the expensive and time consuming task of provisioning and de-provisioning employee access. However there is a gap between the IT identity strategy and implementation. Current tools can tell us ‘who has access’, but not ‘why or whether they should have access’ or ‘what is the minimum access” required to perform a given role.

IDAX_PYRAMID-01idax has been specifically designed to fill the void between IT strategy and the provisioning of access, thus complementing existing IDM systems.

idax gives a single view across the organisation thus strengthening the governance framework by providing the intelligence to comply with information, audit, regulatory and oversight responsibilities.

idax shows what people currently have access to, what they SHOULD have access to and what they SHOULDN’T have access to as well as the associated risk to the company, thus enabling the implementation of ‘least privilege’.

Click here to see a full review of identity governance in the isaca white paper


Group membership is central to managing identities. An identity is a person (or system account) with access rights at a certain point in time. To properly manage identities they need to be collected into groups of like individuals. These groups may be:

  • organisational (eg departments)
  • functional (eg roles)
  • locational (eg geographic).

idax also aggregates people into groups based on their similarity to other people in the organisation. Once people are aggregated into groups it is possible to measure their degree of difference or similarity to other members of the groups based on their access rights. This, together with the degree of importance of the assets they have access to, is used to calculate their risk.

Change Processes

If the world stood still and nothing ever changed, there would be little need for access controls. However, in large organisations, things change continuously and the need to monitor, analyse and measure access rights is of great importance in terms of security.

There are a number of events that will trigger the assignment or removal of rights.

  • A new person joins and needs access rights to do their job
  • An employee leaves and access rights need removing
  • A person changes department or role and access rights need adjusting
  • A new application is acquired and needs assigning
  • An employee is given additional responsibilities which alters their access requirements

idax provides intelligence to support these changes. By using analytics idax is able to determine, in real-time, a risk score for the individual in each group they belong to. These risk scores are then used to evaluate whether provisioning is safe or requires review.

This is explained in greater detail here:


When an employee joins a company, they are assigned to a role and a department and given access to the information and applications necessary to do their job.


idax automatically models a template from other group members and derives a set of employee assignments. This enforces the principle of “least privilege” and minimises manager involvement as they only need to review high risk assets.

This automation of the joiner process decreases processing time, lowers access risk and reduces costs.


When an employee changes role or department, their current access rights need modifying to fit their new job.

The area of ‘movers’ is where the problem of accumulated access rights may occur as ‘new’ rights are often added and none removed as administrators don’t know what to safely take away. To counter this, some organisations remove ALL rights and re-provision from scratch, often replacing many of the access rights that had just been removed. This is costly and causes downtime while the employee awaits access.


idax is able to analyse access rights and determine exactly what should be added/removed for the new role by comparing current access with the template for the new group. This minimises the number of transactions and enforces ‘least privilege’ at all times.

Costly manager time is reduced as only high risk people and assets are flagged for review.

New Permission

When an employee requests a new permission, it is difficult to know whether it will elevate access risk to an unacceptable level within the context of their group.


idax models the effect of the permission in real time and measures the risk changes for the individual, role and department. It suggests whether this is acceptable and should be processed or passed to a manager for review. Only high risk additions are flagged for review.

Using idax to automatically assess risk in real time speeds up provisioning, reduces risk and minimises reviews by managers.

General Controls

The Quarterly Review

Most companies have controls in place to manage identity access. These may be quarterly, half yearly or annual reviews by managers, who have limited knowledge of their employees’ access requirements. Without the right tools to support decisions, the review ends up being perfunctory as managers often recertify everything.

Internal reviews are often supplemented with a costly, external audit of employees’ access privileges on an annual basis. Due to the vast scale of the task, a subset of data that is perceived to be ‘high risk’ or ‘sensitive’ is selected for audit. The findings are less than optimal as they are not representative of the overall risk, nor are they accurate as employee access is constantly changing.


idax has automated this process using analytics so that ALL employees and ALL assets can be analysed as often as required, so nothing goes unnoticed. idax measures the risk of EVERYTHING but only reports by exception. This means that a manager will only be asked to review ‘high risk’ employees and the assets that caused the risk to be elevated.

This new approach to Identity and Access Management improves compliance, reduces cost and saves valuable time as managers only need to review a fraction of their team.

Audit & Regulatory

Most companies will have internal or external audits of their access rights in order to meet standards of compliance. The audit will require those tasked with access management to demonstrate that regulatory and company standards are met; the principle of “least privilege” is followed and that all accounts are terminated when an employee leaves.

Responsibility to ensure staff have “least privilege” access rests with management who are coming under increasing pressure from legislation and regulation:

  • EU Data Protection fines
  • NIST Cyber Security Framework
  • HMG – 10 Steps to Cyber Security
  • PCI Compliance
  • ISO 27k compliance

idax is designed to support these functions and demonstrate compliance with standards. For example, access accounts are often still in place when someone leaves the company. Even when the application access rights are removed, underlying access to the information through Oracle and Unix accounts are often missed. idax will spot these and report on them as requiring review and clean-up.

Key Risk Indicators

Good governance is not only about having the policies in place to dictate how information should be managed. It is also about being able to measure the status of the policies and hold the right people accountable for the performance of those policies.


idax provides an Organisation with the tools to identity and quantify risk, set targets and measure progress against those targets. Accountability can be measured at the department, role and asset ownership level. Senior management can set targets for their managers and track progress. In turn idax gives managers the tools to monitor the risk of the individuals in their control area and specific information on how to lower the risk through access management.


idax analytics does not require rules to be programmed in before an organisation can start to use it. Its highly sophisticated analytics algorithms do all the hard work. They will perform groupings, calculate risk and highlight outliers. For the assets, they can extrapolate from the data which applications are high risk and which are not, automatically weighting them accordingly. idax can also

infer toxic combinations all from the distributions patterns of the data. And for many organisations this will be all they ever need.

However, we recognise that some organisations may need to refine their toxic combinations or cater for very complicated scenarios. It may also be necessary to adjust the automatic weightings that idax can assign to an organisations assets based on precise knowledge of those applications or the fact that a group are restricted under certain compliance standards and need to be treated with care, for example Sarbanes-Oxley. idax is able to accommodate these unique provisions.