1 Introduction
Access Governance concerns the processes and technologies for the management of access controls in IT systems. Its objectives are to ensure legitimate access to resources and data while managing the risks of illegitimate access. These risks include the theft of information, fraud through alteration of systems or data, and the subversion of IT systems (through ransomware for example). The large number of reported incidents over the last twelve months shows the need to address these issues.
Access Governance is increasingly important to manage the cyber-risks related to organizational IT systems. These risks extend beyond misuse and mistakes by insiders with legitimate access to external cyber-attacks that often use apparently legitimate access credentials to bypass the many layers of network defences that are now generally implemented by organizations. Often, the first sign that a cyber-attack is in progress is abnormal activity by a legitimate user's account.
In addition to managing cyber risks, Access Governance is also relevant to regulatory compliance. For many industries, there are regulations that define how certain kinds of data must be acquired, stored, used and protected. These regulations range from those relating to the financial reporting of publicly listed companies, through pharmaceuticals and healthcare, to manufacturing and public utilities. On top of this, the increasing number of privacy laws worldwide requires stringent controls over how Personally Identifiable Information (PII) is collected and used. This brings not only CRM systems within the scope of Access Governance but also, potentially, the Customer Identity and Access Management (CIAM) systems used by the organization's customers. Access Governance not only ensures compliance but also provides the evidence needed to prove compliance.
Access Governance uses a range of tools and techniques that cover several areas. KuppingerCole Advisory Note 72559 provides some Key Risk Indicators (KRI) to help organizations manage and improve their approach to Access Governance. Access Governance covers:
- Classification of applications and information
- Identity Lifecycle Management
- Access Management
- Identity and Access Monitoring
Organizations should implement access governance processes using appropriate tools to cover these areas.