IDSO-001: User accounts and entitlements are granted through governance-driven provisioning

Description: Creation of user accounts and assignment of the corresponding entitlements are based on the results of a governance process. The governance process should include appropriate business-justification approvals and risk mitigation, as well as constraints on access determined by business requirements. The governance process is tracked for auditing purposes.

Benefit: Provides evidence of control over who has access to which resources, as required to meet security controls and compliance requirements, for example PCI, HIPAA, SOX, etc.


Implementation Approaches

Security Frameworks

NIST Cybersecurity Framework 1.1

  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • PR.AC-3: Remote access is managed

NIST SP 800-207: Zero Trust Architecture

  • 3.1: The approaches include enhanced identity governance–driven, logical microsegmentation, and network-based segmentation.
  • 3.1.1: The enhanced identity governance approach to developing a ZTA uses the identity of actors as the key component of policy creation.

Title: IGA Initiates Access Provisioning Workflow

Technology Components:

  • Identity Governance and Administration
  • Access Management

Description: The user initiates a request for access from the role and entitlement catalog. A workflow is initiated and is routed to the appropriate approver(s) based on the defined policy. The business case is reviewed, and approval is granted. The request and the entitlements granted are logged for audit purposes. User access is provisioned to the access management tool. The user gets access per the policy and constraints defined.

Pre-requisites:

  • Role and entitlement catalog has been built and populated.
  • Approval process is defined for each role and entitlement.
  • Attributes and policies are defined providing conditions and constraints for access.
  • Service accounts for authentication to the access management tool with rights to assign access.

Supporting Member Companies: Fischer Identity, ForgeRock, Okta, Omada, Remediant, Ping Identity, SailPoint, Saviynt, SecZetta

Title: ITSM Initiates Access Provisioning Workflow

Technology Components:

  • ITSM (IT Service Management)
  • Identity Governance and Administration (IGA)
  • Access Management (AM)

Description: The user initiates a service request for access from the ITSM service catalog. A workflow is initiated and is routed to the appropriate approver(s) based on the policy defined in the ITSM tool. The business case is reviewed, and approval is granted. The request and the entitlements granted are logged for audit purposes. ITSM hands off to IGA to provision user access to the access management tool. The user gets access per the policy and constraints defined.

Pre-requisites:

  • ITSM service catalog has been built and populated.
  • Approval process is defined for each role and entitlement.
  • Attributes and policies are defined providing conditions and constraints for user access.
  • Service accounts for authentication to the access management tool with rights to assign access.

Supporting Member Companies: Fischer Identity, ForgeRock, Okta, Omada, Remediant, Ping Identity, SailPoint, Saviynt, SecZetta
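As an added illustration (not IDSA's code, nor any member company's product), the following Python sketch models the two workflows above: a request drawn from a constructed catalog, routing to the approver roles that the entitlement's policy names, a decision trail kept for audit, and attribute constraints enforced before the hand-off to the access management tool (stubbed here). The catalog entries, approver roles and attribute names are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed catalog (hypothetical): each entitlement names the approver roles its policy
# requires and the attribute constraints a requester must satisfy before provisioning.
CATALOG = {
    "cardholder-db-read": {"approvers": ["manager", "pci-data-owner"],
                           "constraints": {"department": {"finance"}, "pci_trained": {True}}},
    "wiki-edit": {"approvers": ["manager"], "constraints": {}},
}
class AccessManagementStub:
    # Stands in for the access management tool the IGA provisions into.
    def __init__(self):
        self.grants = set()
    def assign(self, user, entitlement):
        self.grants.add((user, entitlement))
class ProvisioningWorkflow:
    def __init__(self, catalog, am):
        self.catalog, self.am, self.audit = catalog, am, []
    def _log(self, event, **fields):
        # Every step is recorded so the governance trail can be reviewed by auditors.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})
    def request(self, user, attrs, entitlement, justification):
        if entitlement not in self.catalog:  # only catalogued access can be requested
            raise KeyError(f"{entitlement} is not in the role and entitlement catalog")
        req = {"user": user, "attrs": attrs, "entitlement": entitlement, "justification": justification,
               "pending": list(self.catalog[entitlement]["approvers"]), "status": "pending"}
        self._log("requested", user=user, entitlement=entitlement, routed_to=list(req["pending"]))
        return req
    def decide(self, req, approver_role, approved, reason=""):
        if req["status"] != "pending" or approver_role not in req["pending"]:
            raise ValueError("no decision expected from this approver at this stage")
        self._log("decision", approver=approver_role, approved=approved, reason=reason)
        if not approved:
            req["status"] = "rejected"
            return req["status"]
        req["pending"].remove(approver_role)
        return req["status"] if req["pending"] else self._provision(req)  # wait for all approvers
    def _provision(self, req):
        spec = self.catalog[req["entitlement"]]
        unmet = [k for k, ok in spec["constraints"].items() if req["attrs"].get(k) not in ok]
        if unmet:  # approvals alone are not enough; the policy constraints still apply
            req["status"] = "blocked"
            self._log("constraint_failed", user=req["user"], unmet=unmet)
            return req["status"]
        self.am.assign(req["user"], req["entitlement"])
        req["status"] = "provisioned"
        self._log("provisioned", user=req["user"], entitlement=req["entitlement"])
        return req["status"]
```

The audit list is the evidence the outcome asks for: every request, routing decision, approval, constraint failure and provisioning action is attributable and time-stamped.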
Background
