IDENTITY GOVERNANCE & ADMINISTRATION
Know who accesses what and why. The goal of identity and entitlement governance is simple: "the right authorization; the right person; the right time".
One of IGA’s first objectives is the implementation of centralized and reliable reference systems, allowing the dissemination of quality information within the Information System:
Identity repository:
- The aim is to build a master repository containing all the identities of the users of the Information System, whether employees, trainees, temporary workers, service providers, etc., but this may also concern suppliers or partners.
- This type of repository can also centralize other kinds of additional data, such as organizational structure or location information.
Accounts and rights repository: the objective is to build a repository of theoretical user rights, allowing to know at any time the authorizations of a person within the IS.
Sharing of reference data: the aim is to enable the distribution and use of reference information by the other applications and services composing the IS, whether through a protocol such as LDAP, exposed APIs, or a data synchronization engine.
Life cycle of Identities
In order to keep the identity repository up-to-date, it is essential to manage the associated lifecycle (arrival, mobility, departure) within the organization.
This can be done via:
- Setting up data flows to import information from a master system, for example the HR IS;
- The implementation of functional processes to manage the different types of movement.
Note: the two approaches can be specific to a user profile, or they can be combined.
It is then a matter of providing this information in the different target systems, with the creation of “user” accounts for example.
The correct management of authorizations has to meet different needs:
- Catalog of rights / resources: first, we need to define a list of the rights or resources available within the organization, doing so in a vocabulary that is understandable to the end user.
- Request management process: used to make user-initiated access requests which will then follow a validation process (this feature must also allow the modification or deletion of rights).
- Roles model and predictive assignment: we use this to create a roles model that is then used to build sets of rights, and to automatically assign these rights (or not) to users based on rules.
- Segregation of Duties (SoD): this involves defining incompatibilities between rights or roles and implementing rules for preventive detection (at the time of a request) or after-the-fact detection (control reports, for example).
- Provisioning of rights: here, the validated theoretical rights are automatically or manually provisioned in the target systems.
Governance / Audit and Compliance
From an auditability and compliance perspective, Governance embraces several approaches:
- Traceability and reporting: all the actions carried out on the accounts and rights are traced, allowing the use of standard reports or specific reporting.
- Risk management: by defining a level of risk on the different rights available, we can target controls to users according to the risk to which they are exposed.
- Reconciliation of real and theoretical rights: here, we make sure that the rights requested and approved correspond to the real rights in the target systems (automatic comparisons between the two can be made).
- Account certification: here, we make sure that a user’s rights are always in line with his activity; regular revalidation campaigns of rights can be run (for example via the line manager or the owner of the resource).
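The two controls above that lend themselves to automation are the SoD checks (preventive at request time, detective afterwards) and the comparison of theoretical against real rights. The following is an added example, not code from the original page or from any product it mentions; the SoD matrix, user names and rights are constructed for illustration.

```python
# Added example: SoD rule checks and reconciliation of theoretical vs. actual
# rights. All rule pairs, users and right names below are constructed.
from typing import Dict, List, Set, Tuple

# Constructed SoD matrix: each pair of rights must never be held together.
SOD_RULES: Set[frozenset] = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"PAYROLL_EDIT", "PAYROLL_APPROVE"}),
}


def sod_conflicts(rights: Set[str]) -> List[Tuple[str, str]]:
    """Detective control: every incompatible pair present in a set of rights."""
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= rights)


def check_request(current: Set[str], requested: str) -> List[Tuple[str, str]]:
    """Preventive control: conflicts that granting `requested` would introduce.

    Only new conflicts are reported, so a pre-existing violation does not
    block an unrelated request (it is the detective report's job to catch it).
    """
    before = set(sod_conflicts(current))
    after = set(sod_conflicts(current | {requested}))
    return sorted(after - before)


def reconcile(theoretical: Dict[str, Set[str]],
              actual: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Compare approved (theoretical) rights with what a target system holds.

    'rogue'   = present in the target but never approved (revoke or justify);
    'missing' = approved but not provisioned (provisioning failure).
    Users whose rights match exactly are omitted from the report.
    """
    report: Dict[str, Dict[str, Set[str]]] = {}
    for user in sorted(theoretical.keys() | actual.keys()):
        t, a = theoretical.get(user, set()), actual.get(user, set())
        if a - t or t - a:
            report[user] = {"rogue": a - t, "missing": t - a}
    return report


if __name__ == "__main__":
    # Constructed data: what was approved vs. what an export of the target shows.
    approved = {"alice": {"AP_CREATE_VENDOR"}, "bob": {"PAYROLL_EDIT"}}
    exported = {"alice": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"},
                "bob": {"PAYROLL_EDIT"}, "carol": {"PAYROLL_APPROVE"}}
    print("request blocked by:", check_request(approved["alice"], "AP_APPROVE_PAYMENT"))
    print("drift report:", reconcile(approved, exported))
    print("detective SoD hits for alice:", sod_conflicts(exported["alice"]))
```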
A further goal of Identity Management and Authorization Management is to decentralize the need for top-down management actions. This entails providing users with interfaces to:
- Change or add data
- Issue access requests
- Set up a delegation of responsibility
- Manage their password on their own (change and reset), also setting up password propagation mechanisms in the different target systems.
Managing Identities and Authorizations
- We boast several consultants with broad and deep experience in the management of Identities and Authorizations; average experience of more than 4 years in Integration and 7 years in Consulting and Project Management.
- 5+ Active partnerships with major software companies (IBM, Ilex International, Kleverware, SailPoint, Saviynt) and real expertise with other software companies such as Brainwave, One Identity, Microsoft, NetIQ, Sun IDM…
- 30+ certifications acquired from software companies
- 120+ Projects in progress (as of August 1, 2020), including 75+ new projects in 2020, of all sizes (from a few dozen days to more than 1000 days) and of all types (scoping, Project-Owner Support, audits, integration, TPAM, CDS), with a contractual commitment as to results (fixed price) or as to means (management).
DAG: Data Access Governance
- Office documents, but also other formats (PDF, video…) may contain sensitive data to be protected, which must be classified before managing and controlling access authorizations.
- Initially focused on internal file systems, the issue of documents stored in the Cloud must now also be addressed.