IAM Best Practices Blog Series: Access Governance Not Working Well? Here’s How to Fix It

One of the biggest impediments to effective identity governance begins at the planning stage with determining who owns the identity function in the business. In an Identity Defined Security Alliance (IDSA) survey of non-IT stakeholders who play a part in the identity workflow and security considerations, it was discovered that many departments within a business owned a part of the total identity footprint. Seventy-eight percent of respondents reported that multiple groups were involved in defining system access, and 40% characterized ownership of system access as “messy and all over the place.” The good news: more than 80% believe they share responsibility for access issues.

The acknowledgment of shared responsibility is a starting point to improve a situation that is often a jumbled mess. Decisions about access typically involve different teams with competing interests and processes, and each holds different pieces of the puzzle. HR may ensure an employee’s name and title are correct, but IT may be in charge of actually ensuring that the employee has the right system access. Turf battles between business unit managers who feel employees need access to certain data that the security team or other managers believe should be outside their purview are not uncommon.

There is a path to improving this situation, and it starts with facilitating collaboration between different stakeholders. Centralizing identity management within one group is not practical and attempts at this fail for reasons ranging from the technological to office politics. What mature organizations need is to establish an Access Governance Committee. This committee should have executive sponsorship to ensure it delivers on its goals and does not lose any of the initial energy. Its membership should be extended to a broad selection of representatives from different teams and departments, including HR, IT Security, DevOps teams, Legal, and the team responsible for internal corporate communications.

Any changes to policies can be shared via the corporate communications team, which should be leveraged to make the ‘why’ clear to those involved in the access governance processes. They should be engaged early and often. Building cooperation between different parts of the business requires building bridges between different stakeholders in the organization. If identity management is to ever become less “messy,” there must be a clear delineation of responsibilities and an understanding of the goals of any specific IAM initiative. It is best to think of identity management as a team game. To win, enterprise leaders need to focus on successfully facilitating collaboration and uniting a diverse set of stakeholders around a common agenda.

Imagine a new initiative pulling together individuals from multiple teams across your organization: some from marketing, some from engineering, and others from legal. Decisions have to be made about the access levels of each group to ensure security and prevent any users from having excessive access. Where do you begin?

At a high level, the Access Governance Committee has multiple tasks to tackle, such as:

  • Incorporate a broad-spectrum group of stakeholders who seek to have a voice in Access Governance processes and procedures
  • Provides oversight to the Access Review Committee, which is accountable for periodic access reviews and providing metrics data to the Access Governance Committee
  • Defining access policies, how those relate to roles and controls for changing those policies
  • Defining metrics to measure performance against specific identity-related goals

There has been a significant shift in who has accountability for identity in the enterprise. An IDSA survey that will be released in June indicates that the majority of CISOs have some responsibility for identity—strategy and/or execution. An executive leader responsible for identity should chair this committee (increasingly so, the CISO), but decisions about access should be made by those closest to the data and business processes being impacted. In practice, this may mean giving specific Line-of-Business teams the final say about who gets access while ensuring that those teams follow the organization’s broader security guidelines regarding the review, approval, attestation, and revocation of access rights.

The rights that are granted will have to be regularly attested and certified, which requires establishing an access certification framework. This framework should be broken up into tiers based on risk. For example, at Level one—end user attestation and certification—the direct manager of the identity’s owner must attest to the access detected. This layer does not necessarily require a technical review. The next tier, which would focus on management personnel, should include a technical review by management-level admins such as IT directors due to the elevated risk. The final two tiers, for administrative personnel and executives, respectively, should also undergo technical reviews, but from compliance and audit personnel instead of their peers like those in tier 2. The Access Governance Committee should seek to understand the business risk posed by each tier of access and determine the appropriate organizational level of approval for each tier.

The job of the Access Governance Committee isn’t to review these individual access requests (that’s for the Access Review Committee to do) but rather to establish and measure the metrics on which success is judged. For instance, if the Access Governance Committee decides that “time to fulfill access requests” is a key metric, then it should establish a specific objective (“90% completed in 24 hours”) and then direct the Access Review Committee or Identity Operations team to provide those metrics and measure improvements over time. Focusing on measuring metrics that measure a significant improvement in security or reduction in user pain will bring credibility and value to the organization’s identity management program.

At its core, the endgame of the committee and any identity and access management (IAM) project is to solve a business problem. Perhaps the goal is to make DevOps more agile or make the off-boarding and deprovisioning process more efficient. No matter the scenario, the committee must strive to understand the IAM needs and challenges of their users and build their approach to serve those needs. It is also crucial to establish the correct metrics to measure success and ensure the processes agreed upon are being properly implemented. For example, planting easter eggs to see if access requests are being rubber-stamped will enable the organization to ensure its policies are followed. This will allow the committee to track progress.

Strong access governance will put the organization on the path to stronger security. Getting there, however, will take executive buy-in, communication, and above all else, teamwork.

About the Author: The Beyond Best Practices Technical Working Group subcommittee was formed in July 2020. The team, led by Paul Lanzi, includes Aubrey TurnerStephen Bahia, Christopher HillsMorey HaberJesper JohansenJerry Chapman and Dan Dagnall.



Let's work together to help everyone become more secure.