Maturity in Authorization management

Access Governance (AG) ensures that employees have the appropriate entitlements to perform their duties. A reliable Access Governance model makes sure that the proper base of entitlements is provisioned to them when they start a new job, transfer to a different department or begin working for a different branch. To make governance practices more transparent, companies should be aware of the maturity of authorization management in the company. The goal is to allow employees to have the entitlements they require – not too many and not too few – based on attributes and position rights.

Access Governance, in this sense, is defined as the effective, transparent and verifiable manner of building and maintaining authorizations. Authorizations are the consents or permissions – privileges, access rights, applications and resources – to perform certain actions, and they determine what a person can do. This is not limited to access to information; it can also cover facilities such as access cards or keys to security zones, clearance, work wear, a laptop, a smartphone, and other items applicable to your company.

AG, when implemented correctly, gives the employee a good foundation to start his or her work on the first day and offers employees the possibility to request resources that are associated with their work. This means, for example, that an HR employee can only request HR-related rights and nothing related to the financial affairs department, which is what makes the method secure. AG increases the productivity of employees and thereby increases the profit of an organization.

A transparent model is important for organizations that need to be compliant with corporate governance practices such as the Sarbanes-Oxley Act (SOX), HIPAA, ISO or other standards. IT and its related processes become transparent, which enables organizations to enforce policies, assess risks, reduce fraud and thereby pass audits.

The maturity of authorization management varies per organization. Tools4ever, with its years of experience in Identity and Access Management, has defined six stages of maturity.

– First stage – Copy users: Often seen in smaller companies, but not unfamiliar to larger ones, is the copy user. When a new employee is hired, the manager gives the name of a person with a similar job, and this account serves as a “template” for creating the new employee’s account.

– Second stage – Templates: This stage follows naturally from the complications that arise after using copy users for some time: an accumulation of access permissions and resources, which results in high risk and an inability to comply with audits, but also in higher costs. Applications such as Microsoft Visio, Adobe Creative Suite and business applications are expensive, especially when licenses are provided to users who do not require them.

– Third stage – Profiles: This is a big step for many organizations. It is the first step in which not only IT but also business management is involved in the process. Without professional guidance this process can take months or even years to implement, and by that time the profiles are most often outdated.

– Fourth stage – Email procedures: This is the first stage in which the process is transparent and allows mid-level to senior managers to apply policies, which often results in administration via email. Some organizations use SharePoint or another web-based portal for their procedures.

– Fifth stage – Spreadsheet: One or more persons become responsible for the process, which leads to a spreadsheet or another dynamic format for keeping track of the profiles and procedures. At this point most organizations have created a transparent process that allows them to see whether they are compliant with rules and regulations.

– Sixth stage – Customer database: At this stage, more people have access and there is a clear separation between IT and the business. The organization has met its functional goal of Access Governance; however, the introduction of Separation of Duties, auditing, quality control and the ability to apply independent standards and rules is often not feasible or very difficult.

The first step organizations should always take is to confirm the principles of the project. This includes looking at audit findings, any business case data and other requirements of the organization. The latter concern, for example, the type of compliance framework: SOX for insurance or other financial organizations, HIPAA for healthcare organizations.

The second step is the introduction of the Access Governance Principles & Analysis Method to the organization. This step involves a presentation to the stakeholders and various other management personnel explaining both the Access Governance principles and the methodology. This step is crucial: from this moment onwards everyone will be “on the same page”. The organization itself will gain insight into how it can implement the management of permissions through Access Governance and how this relates to the principles of the project. After this step, the actual analysis of data begins.

When implemented correctly, AG offers advantages in terms of cost control, reduced security risks, increased productivity of new employees and a reduced management burden. The benefits are greater if AG is also used when a change of position, department or location occurs.

Without an automated solution, it is often a challenge to assign an employee all the right resources at one time. The challenge is greater when it is required that:

  • Changes need to be implemented quickly, e.g. within one day or less instead of 5 days;
  • Any change needs to be audited;
  • The manager requires direct insight into the resources allocated;
  • Resources should be revoked or modified when an employee’s function changes or upon termination of employment;
  • The organization wants Employee Self Service.

Within the AG module, access to resources can be controlled from two angles:

  1. The definition of the minimum resources an employee requires to carry out his or her work within the organization. This is so-called role modeling.
  2. Verification that the role model is properly applied within the organization and that any discrepancies are alleviated.
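As an added illustration (not part of the original article and not Tools4ever’s own tooling), the following Python sketch covers both angles: a role model that defines each role’s baseline entitlements, and a reconciliation that compares every account against it, flagging the over-provisioning a copy user produces, the day-one gaps a new hire would feel, and a simple Separation of Duties clash. All role, entitlement and user names are constructed.

```python
# Constructed example: ROLE_MODEL covers angle 1 (role modeling), reconcile() angle 2.
from dataclasses import dataclass

# Hypothetical roles and entitlement names; each set is the role baseline.
ROLE_MODEL = {
    "hr_specialist": {"hr_portal", "payroll_read", "badge_office"},
    "ap_clerk": {"erp_invoice_entry", "erp_vendor_read", "badge_office"},
    "ap_approver": {"erp_payment_approve", "erp_vendor_read", "badge_office"},
}

# Separation of Duties: entering an invoice and approving its payment must
# never sit with the same person (constructed rule).
SOD_RULES = [("erp_invoice_entry", "erp_payment_approve")]

# Constructed snapshot of what each account actually holds today.
USERS = {
    "alice": ("hr_specialist", {"hr_portal", "payroll_read", "badge_office"}),
    # bob was created by copying carol's account (stage one, "copy user") and
    # so inherited an approver entitlement his own role does not need.
    "bob": ("ap_clerk", {"erp_invoice_entry", "erp_vendor_read",
                         "badge_office", "erp_payment_approve"}),
    "carol": ("ap_approver", {"erp_payment_approve", "erp_vendor_read",
                              "badge_office"}),
    "dave": ("ap_approver", {"erp_payment_approve", "erp_vendor_read"}),  # no badge
}

@dataclass
class Finding:
    user: str
    role: str
    excess: set           # held but not in the baseline (audit risk, license cost)
    missing: set          # in the baseline but not held (blocks day-one work)
    sod_violations: list  # SoD pairs fully present in the actual entitlements

def reconcile(role_model, sod_rules, users):
    """Return {user: Finding}; clean users are included so auditors see them."""
    report = {}
    for user, (role, actual) in users.items():
        baseline = role_model[role]
        report[user] = Finding(user, role, actual - baseline, baseline - actual,
                               [p for p in sod_rules if set(p) <= actual])
    return report

def is_compliant(finding):
    return not (finding.excess or finding.missing or finding.sod_violations)

if __name__ == "__main__":
    for f in reconcile(ROLE_MODEL, SOD_RULES, USERS).values():
        print(f.user, "OK" if is_compliant(f) else "REVIEW", sorted(f.excess), sorted(f.missing), f.sod_violations)
```

Run against a real export of accounts and their group memberships, the same two set differences give the excess and missing lists that a stage-three profile review or a stage-six audit would need.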

Over the past four years I personally have seen many organizations struggle with these issues. The two key success factors in the 300 implementations I personally have seen regarding identity management are setting the right goals at the beginning (determining the baseline and goals) and choosing a partner with experience who knows how to ask the right questions. Our organization has helped over 3,000 organizations in North America alone and has created a best practice method for implementing these complex solutions. On our website you can find many more blogs, articles and white papers that can help your organization.