According to the NIST Cybersecurity Framework, the ability to identify, detect, prevent, respond, and recover are important control capabilities for organizations to maintain in the constant battle to effectively manage access management policies, risks, and compliance requirements. In the past, one of the most effective ways to achieve this was by deploying Identity and Access Management solutions (IAM).
However, modern security threats and regulatory compliance requirements have compelled organizations to not just manage access but also govern users after they have been granted access to applications. This need has led to the creation of Identity Governance and Administration (IGA), a capability that enhances existing IAM benefits by extending controls well beyond the point of access.
The goal of IAM solutions is to assist organizations with managing all user access to systems and data, with the emphasis on maintaining the confidentiality and integrity of the data. IAM also incorporates features to effectively achieve risk and compliance objectives. Unfortunately, IAM solutions typically do not effectively monitor user activity within the application to detect anomalies and threats. Identity Governance & Administration fulfilled this lack of internal control.
IGA is defined by Gartner as an “activity within the identity and access management function that concerns the governance and administration of a unique digital representation of a user, including all associated attributes and entitlements.”
Simply stated, IAM capabilities help organizations manage user access to applications and data, while IGA capabilities help organizations monitor and govern user activities within the application, to detect and respond to user anomalies or policy exceptions. Together, IAM and IGA can enable a more holistic solution to enable identification, detection, prevention, response, and recovery.
Authentication is your first line of identity and access management defense intended to verify the user’s identity. The old authentication method of using only a unique ID and password is no longer enough to effectively manage the inherent risks associated with access management.
Look for a solution with more advanced authentication features that add additional control measures such as Zero Trust and multi-factor authentication (MFA). Furthermore, IAM solutions that can be configured to enforce MFA during the initial login, when the user attempts to access critical transactions, and again when the user attempts to access critical data fields offer more effective layers of security controls than a single MFA requirement during the initial login.
(The NIST 800-207 provides valuable guidance on implementing the zero-trust security model.)
Authorization is your second line of identity and access management defense because it always takes place after authentication. The authorization process determines what resources and level of access the user is allowed based on pre-configured roles.
Older and less effective authentication methods are based on the Role-Based Access Control (RBAC) security model. Look for an IGA solution based on the Attribute-Based Access Control (ABAC) security model because it allows access controls to be configured based on specific policy requirements. An added benefit would be if the solution could enable automated policy enforcement across your organization.
Furthermore, ABAC allows access controls to be configured based on selecting multiple combinations of attributes (e.g., user, action, resource, or environmental attributes) to create highly effective preventative and detective controls at the SoD, transaction, and data field level.
Also, ABAC can enable the configuration of access controls with reactive and adaptive security capabilities that can respond to anomalies and incidents by restricting or shutting down access. Therefore, using the ABAC security model enables organizations to leverage the desirable IGA capabilities for better monitoring, detection, and response to policy exceptions.
User management typically involves user provisioning, de-provisioning, access recertification, password management, and elevated access management (EAM) processes.
Look for a solution that can automate the user management process and offers continuous access risk analysis at the SoD, transaction, and data field levels. And a recommendation engine to help you detect and avoid critical access risks such as segregation of duty security violations or transaction risks such as fraud.
The EAM feature should include detailed, auditable reports of all activity performed and automatic access time-out features. In addition, EAM features should enable effective control – such as MFA – across multiple platforms and the use of ABAC to enable dynamic security controls based on contextual attributes.
Additionally, consider an IGA solution that allows continuous control monitoring (CCM) at the SoD, transaction, and data field levels to improve your detection and reporting of user anomalies and threats.
Security governance is a set of responsibilities and practices exercised by senior executives with the goal of:
Basically, the expectations of your company’s senior executives are communicated through policies. Look for a solution that enables effective monitoring, detection, and response capabilities to user anomalies and policy exceptions. Pay close attention to the response capability because it can vary dramatically across solutions. For example, some IGA solutions merely record the user anomalies and/or policy exceptions in a report to be read by someone at a later time.
Look for real-time reporting capability from an analytics tool that sends a notification to the appropriate persons who can immediately solve the problem. This analytics portion of the IGA solution should provide a detailed analysis of user behavior at the transaction and data field level to support more effective monitoring – another feature that varies dramatically between different solutions.
The traditional method of manually creating and communicating thousands of policies requirements followed by periodic manual assessments to validate the effectiveness of the organization’s policy program is time-consuming, costly, reactive, difficult to update, and error-prone. It is just not effective enough to provide the level of policy assurance required by senior management for their risk and compliance objectives.
An IGA solution that leverages the ABAC security model is vital because it configures access controls based on specific policy requirements. This ability also allows you to automate policy enforcement across your organization. Before you zero in on the solution, pay close attention to how the policy-based access controls are configured within the solution.
Some IGA solutions require a one-to-one configuration effort, while others allow the more desirable one-to-many configuration. For example, suppose you wish to create a policy-based access control for a PII data field such as social security number (SSN). In that case, the one-to-one configuration effort means every instance of the SSN data field on every page of the solution will require the access control to be configured.
That’s a tremendous amount of time to configure and make future configuration changes. Alternatively, the one-to-many configuration effort means you configure one policy-based access control that is automatically applied to all instances of that SSN data field through the entire solution.
As compliance regulations tighten their grip on both private and public organizations, it is becoming imperative for security and compliance teams to deploy identity and governance solutions that enable dynamic and layered controls within their applications. IGA solutions that possess the governance capabilities mentioned above allow you to mitigate your overall risk by restricting access at multiple levels and achieve compliance goals by continuously monitoring control efficiency and user activity. Additionally, these multi-layer controls and continuous monitoring also create a framework for proactive detection and prevention of threats, thereby improving your organization’s security posture.
Pathlock’s Application Access Governance (AAG) delivers multiple, layered security controls that can be implemented inside business applications like SAP, Oracle EBS, JD Edwards, and more. These controls continuously monitor user activity, assess risk, and enable security and compliance teams to enforce fine-grained policies based on the context of access, risk parameters, and compliance requirements. Pathlock’s cross-app capabilities also allow access management and policy enforcement across multiple applications using a single interface.
Access Risk Analysis: Pathlock’s Access Risk Analysis harnesses powerful automation to minimize risk and reduce associated costs. It streamlines identifying and remediating SoD conflicts and sensitive access risks. Traditional access control solutions only show you what users can do. Pathlock investigates transaction usage, correlates the data, and identifies what users actually did do across diverse applications, so your team can focus on the highest-priority risks first.
Compliant Provisioning: The Compliant Provisioning module automates single-system, multisystem, and cross-application user access provisioning. It helps requestors find the right role, tracks each request, and archives approvals and supporting documents. Integrated with the Pathlock Access Risk Analysis module, it offers scalable real-time Separation of Duties (SoD) and Sensitive Access analysis so requestors, approvers, and auditors understand the risk implications of each request. It also provides configurable and email-enabled workflows, digital signature support, and automatic mitigation assignments.
Access Certification: Pathlock’s Certifications module streamlines the process of reviewing application access, which is often mandated quarterly by regulators and auditors. It automates data collection, review distribution, and result tracking, empowering reviewers to make informed decisions on whether to approve or revoke access. The module also provides an audit trail to demonstrate that recertifications have been performed.
Elevated Access Management: Elevated Access Management by Pathlock allows you to grant urgent or scheduled temporary privileged access rights to a user who does not typically have that type of access. It enables you to swiftly and easily authorize access for a specific duration, automatically revoke the access at the end of the specified period, and monitor and review the actions performed by the user during the access period.
Role Management: The Role Management module enables a compliant role lifecycle. It facilitates an understanding of potential risks within roles, unused and underutilized access within roles, potential options for adjusting the role design to remove risks, and the ability to group roles into single and multi-app business roles for simplified and faster user access assignments.
Schedule a demo with our IGA specialists to learn how you can implement controls that enhance security and compliance within your applications.
Share