Share :
IGA offer
The objective of identity and authorization governance can be summed up in one simple phrase: “ the right right right to the right person at the right time “.
Based on this initial postulate, it is then a question of answering various questions such as :
- What are the identities of Information System users?
- What rights do they have to Information System applications?
- Why were these rights granted?
- Are these rights still legitimate and compliant?
The answer to these questions requires addressing the governance of identities and empowerments along several axes:
- An organizational axis, taking into account the size of the company, its geographical distribution, its mode of governance, etc. ;
- A functional axis, linked to the organization’s internal processes, activities, regulations to be complied with, etc. ;
- A technical axis, depending on the complexity of the Information System, the history of its construction, a possible transition phase to the Cloud, etc.
Centralized repository
One of the IGA’s primary objectives is to set up a centralized, reliable repository, enabling quality information to be disseminated within the Information System:
- This involves building a master repository containing all the identities of Information System users, be they employees, trainees, temporary staff, service providers, etc., but it may also concern suppliers or partners;
- This type of repository is able to centralize other types of complementary data, such as organizational structure or location information.
The aim is to build a repository of theoretical identity rights, enabling you to know at all times what an identity is used for within the IS.
This means enabling reference information to be distributed and used by the other applications/services making up the IS. This can be through access via an LDAP-type protocol, exposed APIs or a data synchronization engine.
Identity Life Cycle
In order to keep the identity repository up to date, it is essential to manage the associated life cycle (arrival, mobility, departure) within the organization.
This can be done via :
- Setting up data flows to import information from a master system, for example the HR IS ;
- The implementation of functional processes to manage the different types of movement.
The two approaches can be specific – depending on the population – or combined.
The next step is to provision this information in the various target systems, with the creation of “user” accounts for example.
Clearance Management
Entitlement management responds to different needs:
The first step is to define a list of the authorizations and resources available within the organization, in a vocabulary that the end-user can understand.
It must enable you to make an independent access request, which will then follow a validation process (it must also enable you to modify or delete rights).
It is possible to create a role model that allows you to construct sets of rights, and to assign them or not to users automatically on the basis of rules.
This involves defining incompatible rights or roles, and setting up preventive detection rules (at the time of a request) or a posteriori (control reports, for example).
Finally, validated theoretical rights are provisioned automatically or manually in the target systems.
Governance / Audit and Compliance
From an auditability and compliance perspective, governance offers several approaches:
All actions carried out on accounts and rights are traced, enabling the use of standard reports or the construction of specific reporting.
By defining a risk level for the various rights available, it is possible to target controls at high-risk users.
To ensure that the rights requested and approved correspond to the actual rights in the target systems, automatic comparisons can be set up between these two states.
To ensure that a user’s rights are always in line with his or her activity, regular rights certification campaigns are possible, for example via the line manager or the resource owner.
Self-Service
Finally, the governance of identities and empowerments has the objective of decentralizing management acts.
Thus, it is possible to provide the user with interfaces for :
- Modify or add to your data ;
- Making access requests ;
- Delegating responsibility ;
- Manage your password independently (change and reset), by setting up password propagation mechanisms in the various target systems.
Governance of Identities and Empowerment at Synetis
A large number of consultants dedicated to identity and authorization governance, with an average experience of over 4 years in integration and 7 years in consulting and project management;
More than 5 active partnerships with major market players (IBM, Ilex International, Kleverware, SailPoint, Saviynt) and real expertise with other vendors such as Brainwave, One Identity, Microsoft, NetIQ, Sun IDM, etc. ;
Over 30 publisher certifications acquired;
More than 120 projects underway as of 01/08/2022, including more than 75 new projects in 2022, of all sizes (from a few dozen days to more than 1,000 days) and of all types (scoping, project management, audit, integration, TMA, CDS), with a commitment to results (fixed-price) or resources (time and materials).
DAG: Data Access Governance
- Not only office documents, but also other formats (PDF, video, etc.) may contain sensitive data to be protected, which needs to be classified before access authorizations can be managed and controlled;
- Initially focused on internal file systems, we are now addressing the issue of documents stored in the cloud.
