IDENTITY GOVERNANCE & ADMINISTRATION

Know who accesses what and why. The goal of identity and entitlement governance is simple: "the right authorization; the right person; the right time".


Centralized repository

One of IGA’s first objectives is the implementation of centralized and reliable reference systems, allowing the dissemination of quality information within the Information System:

Identity repository:

  • The aim is to build a master repository containing all the identities of the users of the Information System, whether employees, trainees, temporary workers, service providers, etc., but this may also concern suppliers or partners.
  • This type of repository can also centralize additional data, such as organizational structure or location information.

Accounts and rights repository: the objective is to build a repository of theoretical user rights, allowing to know at any time the authorizations of a person within the IS.

Sharing of reference data: the aim is to enable the distribution and use of reference information by the other applications / services composing the IS, which can be via access through a protocol such as LDAP, exposed APIs or a data synchronization engine.

Lifecycle of Identities

In order to keep the identity repository up-to-date, it is essential to manage the associated lifecycle (arrival, mobility, departure) within the organization.
This can be done via:

  • Setting up data flows to import information from a master system, for example the HR IS;
  • The implementation of functional processes to manage the different types of movement.

Note: the two approaches can be specific to a user profile, or they can be combined.
It is then a matter of propagating this information to the different target systems, for example by creating the corresponding user accounts.

Managing authorizations

The correct management of authorizations has to meet different needs:

  • Catalog of rights / resources: first, we need to define a list of the rights or resources available within the organization, doing so in a vocabulary that is understandable to the end user.
  • Request management process: used to make user-initiated access requests which will then follow a validation process (this feature must also allow the modification or deletion of rights).
  • Roles model and predictive assignment: we use this to create a roles model that is then used to build sets of rights, and to automatically assign these rights (or not) to users based on rules.
  • Segregation of Duties (SoD): this involves defining incompatibilities of rights or roles and implementing rules for preventive (at the time of a request) or after-the-fact detection (control reports for example).
  • Provisioning of rights: here, the validated theoretical rights are automatically or manually provisioned in the target systems.

Governance / Audit and Compliance

From an auditability and compliance perspective, Governance embraces several approaches:

  • Traceability and reporting: all the actions carried out on the accounts and rights are traced, allowing the use of standard reports or specific reporting.
  • Risk management: by defining a level of risk on the different rights available, we can target controls to users according to the risk to which they are exposed.
  • Reconciliation of real and theoretical rights: here, we make sure that the rights requested and approved correspond to the real rights in the target systems (automatic comparisons between the two can be made).
  • Account certification: here, we make sure that a user's rights remain in line with their activity; regular revalidation campaigns of rights can be run (for example by the line manager or the owner of the resource).
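As an added illustration (not Synetis' code), the two controls described above in code form: the preventive SoD check applied to an access request, and the detective reconciliation of theoretical rights against rights actually found in target systems, including orphan accounts. The users, rights and SoD rules are constructed sample data.

```python
"""Added example (not Synetis' code): SoD checking and reconciliation of
theoretical vs. actual rights, run on constructed sample data."""
from typing import Dict, FrozenSet, List, Set, Tuple

# SoD rules: pairs of rights that must never be held together (constructed)
SOD_RULES: Set[FrozenSet[str]] = {
    frozenset({"AP:create_supplier", "AP:approve_payment"}),
    frozenset({"HR:edit_salary", "HR:approve_payroll"}),
}

# Theoretical rights: approved requests plus role-derived assignments (constructed)
THEORETICAL: Dict[str, Set[str]] = {
    "alice": {"AP:create_supplier", "ERP:read"},
    "bob": {"HR:approve_payroll", "ERP:read"},
}

# Rights actually observed in the target systems (constructed extract)
ACTUAL: Dict[str, Set[str]] = {
    "alice": {"AP:create_supplier", "ERP:read", "AP:approve_payment"},  # excess right
    "bob": {"ERP:read"},  # approved right not yet provisioned
    "carol": {"ERP:read"},  # account with no identity in the repository
}


def sod_violations(rights: Set[str]) -> List[FrozenSet[str]]:
    """Return every SoD rule whose rights are all present in `rights`."""
    return [rule for rule in SOD_RULES if rule <= rights]


def check_request(user: str, requested: str) -> Tuple[bool, List[FrozenSet[str]]]:
    """Preventive control: would granting `requested` breach an SoD rule?
    Returns (allowed, violated_rules)."""
    violations = sod_violations(THEORETICAL.get(user, set()) | {requested})
    return (not violations, violations)


def reconcile() -> Dict[str, dict]:
    """Detective control: compare theoretical and actual rights per account.
    Reports excess rights (provisioned but not approved), missing rights
    (approved but not provisioned), orphan accounts and SoD breaches."""
    report: Dict[str, dict] = {}
    for user in THEORETICAL.keys() | ACTUAL.keys():
        theory, real = THEORETICAL.get(user, set()), ACTUAL.get(user, set())
        report[user] = {
            "excess": real - theory,
            "missing": theory - real,
            "orphan": user not in THEORETICAL,
            "sod": sod_violations(real),
        }
    return report
```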

Self-Service

A further goal of Identity Management and Authorization Management is to decentralize the need for top-down management actions. This entails providing users with interfaces to:

  • Change or add data
  • Issue access requests
  • Set up a delegation of responsibility
  • Manage their password on their own (change and reset), also setting up password propagation mechanisms in the different target systems.

Managing Identities and Authorizations

  • We boast several consultants with broad and deep experience in the management of Identities and Authorizations, with an average of more than 4 years of experience in Integration and 7 years in Consulting and Project Management.
  • 5+ active partnerships with major software companies (IBM, Ilex International, Kleverware, SailPoint, Saviynt) and real expertise with other software companies such as Brainwave, One Identity, Microsoft, NetIQ, Sun IDM…
  • 30+ certifications acquired from software companies
  • 120+ projects in progress (as of August 1, 2020), including 75+ new projects in 2020, of all sizes (from a few dozen days to more than 1000 days) and of all types (scoping, Project-Owner Support, audits, integration, TPAM, CDS), with a contractual commitment as to results (fixed price) or as to means (management).

DAG: Data Access Governance

  • Office documents, but also other formats (PDF, video…) may contain sensitive data to be protected, which must be classified before managing and controlling access authorizations.
  • Initially focused on internal file systems, the issue of documents stored in the Cloud must now also be addressed.