The Importance of Governance in IAM

19 May 2025

Tools4ever recently introduced the new HelloID Governance module. With this module, we extend the core Identity Management modules with a set of tools to regularly evaluate and optimize your identity management. The tools help you better integrate access rights management with your broader operations and keep it compliant with existing laws and regulations. Examples of such tools are Reconciliation, Toxic Policies management, Role Mining, and Recertification. What can you do with this feature and what benefits will you gain?

New Governance module and overview of modules

From Identity Management to Identity Governance

Many organizations today are almost fully digitized, and identity management has become a critical business process; operations come to a halt if systems are not accessible. You must also be demonstrably compliant with strict privacy legislation and security guidelines. Non-compliance affects the organization as a whole because your Identity and Access Management is now interwoven with your entire IT landscape. For the CIO or IT manager it is therefore an important agenda item, and identity management has been elevated from an IT administration process to a key governance topic.

That is why we have invested in a Governance module for HelloID with tools that work seamlessly with the existing Provisioning and Service Automation features. This allows us to identify and remediate inconsistencies between systems, further optimize policies, and prevent users from using unwanted or unnecessary IT facilities. We illustrate this below with four examples.

Maintain control over your target system

One of the key gains we achieve with the governance functionality is that you keep your IAM platform and the connected target systems in sync.

With HelloID you can in principle manage all accounts and access rights. Even so, inconsistencies can arise between your IAM platform and the connected target systems, for example because administrators still create and update accounts or rights manually. Previously it was very difficult to identify such mismatches, but the Reconciliation tool automates this. We can now regularly upload the actual configurations of target systems and compare them directly with the HelloID data. This allows you to:

  • Discover which accounts and access rights are present in specific target systems but are not yet managed within HelloID.

  • Discover, conversely, which accounts and access rights are registered in HelloID as managed but do not yet exist in the relevant target systems.

HelloID compiles reports of these differences and shows options to resolve the mismatches. You can clean up unmanaged accounts in target systems if they are unnecessary clutter, or you can bring such accounts under management because they are in use, for example as a service account. You can also have accounts that are registered in HelloID but missing in the target systems created after all.

With Reconciliation you gain more control over your target systems. You automatically compare the desired state (SOLL) in HelloID with the current state (IST) in your target systems, so you can easily detect and correct inconsistencies. In this way your compliance is not only safeguarded in theory within HelloID; you can also guarantee actual compliance in your target systems.

Prevent damage caused by conflicting access rights

HelloID provides an automated mechanism to detect conflicting access rights and remove them. This keeps you compliant and prevents unnecessary costs.

Within HelloID Provisioning, multiple business rules can apply to one employee: for example, organization-wide rules, rules for someone's department, and job function-specific rules. As a result, duplicate or contradictory rights can sometimes be assigned unintentionally. A manager, for example, links an employee in the HR system to two job functions. The result is that this colleague now accidentally receives two conflicting rights: he or she may both enter invoices and approve them, which of course does not fit within your segregation of duties. It can also happen that duplicate licenses are granted unintentionally. Organization-wide it was once determined that everyone receives a Microsoft E3 license by default. Later a rule was added that IT administrators receive an E5 license due to their job function. Through these two rules, IT administrators now receive two licenses.

With the Toxic Policies functionality we can now identify these types of conflicting rights and determine how to handle them. For example, you configure that E3 and E5 licenses conflict and that in such a case only an E5 license should be assigned. The user concerned receives a notification about this and the license is not applied in the target system. If rights were granted earlier and a rule was created for this only later, the relevant right will still be withdrawn. Toxic Policies management therefore works not only preventively but also retroactively.

With your Toxic Policies management you therefore identify and remove conflicting access rights and user accounts. This gives you an extra safety net at all times to safeguard compliance and prevent unnecessary licensing costs.
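As an added illustration (not HelloID code, and not the page's own material), the following Python sketch models the two mechanisms described above: business rules that grant rights, toxic policies that resolve the E3/E5 duplicate and the enter/approve invoices conflict, and a reconciliation that compares the resulting desired state (SOLL) with a constructed target-system export (IST). All users, rule names and right identifiers are made up for the example.

```python
# Added worked example, not HelloID code: rules build the desired state, toxic
# policies resolve conflicts, reconciliation compares it with a target export.
# All users, rules and rights are constructed.
EMPLOYEES = {
    "alice": {"jobs": {"ap_clerk", "ap_approver"}},  # linked to two AP job functions
    "bob": {"jobs": {"it_admin"}},
}
# Business rules: (name, applies-to predicate, rights granted).
RULES = [
    ("org-wide", lambda e: True, {"M365_E3"}),
    ("it-admins", lambda e: "it_admin" in e["jobs"], {"M365_E5"}),
    ("ap-clerk", lambda e: "ap_clerk" in e["jobs"], {"enter_invoice"}),
    ("ap-approver", lambda e: "ap_approver" in e["jobs"], {"approve_invoice"}),
]
# Toxic policies: conflicting pair -> right to keep; None means a
# segregation-of-duties conflict: apply neither right and report it.
TOXIC = {
    frozenset({"M365_E3", "M365_E5"}): "M365_E5",
    frozenset({"enter_invoice", "approve_invoice"}): None,
}

def desired_state(employees=EMPLOYEES, rules=RULES, toxic=TOXIC):
    """Return ({user: rights}, findings) after toxic-policy resolution."""
    desired, findings = {}, []
    for user, emp in employees.items():
        rights = set().union(*(g for _, pred, g in rules if pred(emp)))
        for pair, keep in toxic.items():
            if not pair <= rights:
                continue
            drop = pair if keep is None else pair - {keep}
            findings.append((user, "sod" if keep is None else "duplicate", sorted(drop)))
            rights -= drop
        desired[user] = rights
    return desired, findings

def reconcile(desired, actual):
    """SOLL/IST comparison: unmanaged rights in the target, managed rights missing there."""
    users = desired.keys() | actual.keys()
    unmanaged = {u: actual.get(u, set()) - desired.get(u, set()) for u in users}
    missing = {u: desired.get(u, set()) - actual.get(u, set()) for u in users}
    return ({u: r for u, r in unmanaged.items() if r},
            {u: r for u, r in missing.items() if r})

# Constructed export: svc_backup was created by hand, bob still holds E3 and
# his E5 was never provisioned, alice's approve_invoice predates the policy.
ACTUAL = {
    "alice": {"M365_E3", "enter_invoice", "approve_invoice"},
    "bob": {"M365_E3"},
    "svc_backup": {"M365_E3"},
}
```

Running `reconcile(*desired_state()[:1], ACTUAL)` reports bob's E3 and alice's invoice rights as unmanaged (to be withdrawn retroactively) and bob's E5 as missing, while svc_backup shows up as an account HelloID does not yet manage.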

Develop and optimize your role model

A solid, future-proof role model is the foundation for worry-free access rights management. That is why we ensure that you can set up an initial foundation for your role model without friction and expand and optimize it step by step.

During the initial rollout of your automated provisioning we often use the Role Mining methodology. You combine data from your source systems and previously granted accounts in target systems to develop a first baseline role model. At the same time, such an initial model is of course not set in stone. You can refine it further and circumstances naturally change as well. Departments are merged or split, new job functions are created, systems are replaced, and new applications are added. A role model is therefore a living construct that you want to reassess regularly and adjust where needed.

That is why we have now built Role Mining functionality into the Governance module. With the help of pattern recognition, HelloID regularly provides recommendations to optimize your authorization model. With Role Mining you analyze your existing authorizations to create a model that closely matches the needs of your organization.

With the built-in Role Mining feature in the Governance module you can therefore not only create an initial role model. You can then continue to improve and optimize this model over time. This aligns perfectly with the current ISO 27001 and similar security standards. In those standards such an active Plan-Do-Check-Act cycle is an important requirement. This functionality is not yet available, but it will be added gradually this year.

Prevent permission creep and high licensing costs

HelloID makes it possible to periodically verify whether individually granted applications or rights are still needed and appropriate. This prevents users from accumulating permissions and saves on expensive applications.

Through Service Automation you can grant individual accounts and rights. The risk is that such rights are sometimes granted for an unlimited time. Managers do not always check afterward whether the rights are still needed. Previously granted accounts and rights may also no longer fit your organizational policy.

We can prevent this with the Recertification tool. With it you can schedule regular reviews for previously granted licenses and rights in which the involved managers complete a new verification process. Based on that, the employee keeps the license or it is withdrawn. If the software is no longer supported by the IT department, an alternative can be offered.

You can schedule Recertification by using campaigns. So-called system campaigns are used to evaluate accounts and rights across the organization, for example whether applications still fit within IT policy. Managers can also set up their own campaign with a specific scope. Security officers may want to evaluate which employees have access to privacy-sensitive applications and data. Department managers may want to run campaigns for expensive licenses within their own department. After running such a campaign, you can use the 'campaign insights' as a manager to revoke or renew rights.

With Recertification we gain more control over the IT resources used within the organization. We prevent users from retaining unnecessary or unwanted rights. We also do this efficiently because you can run your recertification campaigns automatically.

Learn more about the Governance module?

With the Governance module we have invested in tools that work seamlessly with the existing HelloID modules. The benefits are already noticeable from the initial HelloID rollout. That applies not only to the Role Mining tool, which is of course useful when setting up your first role model. For many customers the Reconciliation functionality also proves extremely useful during the first implementation: they gain, for the first time, real insight into the accounts and rights granted in the past in, for example, their Active Directory. Recertification and Toxic Policies likewise help from the start to manage your accounts and rights as effectively as possible.

Together we can transition to identity management that is not only organized securely and efficiently but can also be continuously optimized and is demonstrably compliant with all current laws and regulations.

Want to learn more about the HelloID Governance module? Watch our webinar and see in live demos how to apply Governance effectively in practice.