Access Governance is one of the capabilities essential for organizations to comply with regulations – think about “least privilege” – and to be able to answer the “who has access to what?” question.
However, Access Governance today is commonly limited to analyzing the static entitlements of users at the level of business roles and IT roles across various applications that run on premises. While there are specific tools for certain platforms such as SAP and some administrator-centric offerings for managing access to file servers, a comprehensive Access Governance approach is still frequently lacking. Such an approach must work across all types of systems and data, regardless of where they reside, and cover all levels of detail, from the cross-system IAM perspective and the roles down to the system level.
Over the past years, we have observed a couple of solutions for Data Access Governance or, as KuppingerCole had named it, Entitlement & Access Governance – solutions that integrate with Identity and Access Governance but provide more insight at the system level. Such solutions should not only technically manage entitlements for unstructured data at the storage level, such as file servers, but provide additional functionality. Key capabilities we expect to see in this type of solution include:
- Integrated Access Governance capabilities or integration to COTS Access Governance solutions
- Support for request and approval workflows
- Role-based access control and specific approaches to manage access e.g. to file server shares
- Management of data ownership
- Integration into User Management and Identity Provisioning
- Audit and Analytics capabilities, e.g. identifying high risk/toxic combinations of entitlements, including the ability to remediate entitlements in case of such combinations or suspicious behavior
- Support for identifying sensitive data that is subject to compliance regulations such as GDPR, PKI, etc.
- Support for recertification of entitlements at that level by the responsible persons, e.g. business owners
Furthermore, such solutions must support several repositories for unstructured data, in particular file storage both on premises and in the cloud. In combination with sophisticated Access Governance capabilities that, for example, provide low-level insight into SAP, down to authorization objects and transactions, this allows for implementing a comprehensive Access Governance approach across a variety of systems.
Ideally, the solutions are not only focused on static analysis but also support real-time activity monitoring and alerting.
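As an added illustration of the capabilities listed above (this is example code, not SailPoint's or KuppingerCole's), the following Python resolves business roles and direct grants down to system-level entitlements across an SAP system and a file server, answers the "who has access to what?" question, and flags toxic combinations. All users, roles, transaction names and share paths are constructed sample data.

```python
"""Cross-system entitlement resolution and toxic-combination check.

Added example, not vendor code. All users, roles, transaction names and
share paths below are constructed sample data, not real identifiers.
"""
from collections import defaultdict

# Business roles mapped to system-level entitlements as (system, entitlement).
ROLES = {
    "AP_CLERK":   {("sap", "VENDOR_CREATE"), ("sap", "INVOICE_POST")},
    "AP_MANAGER": {("sap", "PAYMENT_APPROVE"), ("fileserver", r"\\fs01\finance$")},
    "HR_ANALYST": {("fileserver", r"\\fs01\hr$")},
}

# Role assignments, plus a direct share grant that bypasses the role model
# (the kind of system-level detail a pure role view would miss).
ROLE_ASSIGNMENTS = {"alice": {"AP_CLERK", "AP_MANAGER"}, "bob": {"AP_MANAGER"}, "carol": {"HR_ANALYST"}}
DIRECT_GRANTS = [("carol", "fileserver", r"\\fs01\finance$")]

# Toxic combinations: one person holding every entitlement in the set.
TOXIC_RULES = {
    "SoD: vendor creation + payment approval": {("sap", "VENDOR_CREATE"), ("sap", "PAYMENT_APPROVE")},
    "HR and finance data in one hand": {("fileserver", r"\\fs01\hr$"), ("fileserver", r"\\fs01\finance$")},
}

def effective_entitlements(roles=ROLES, assignments=ROLE_ASSIGNMENTS, direct=DIRECT_GRANTS):
    """Resolve roles and direct grants to user -> set of (system, entitlement)."""
    eff = defaultdict(set)
    for user, role_names in assignments.items():
        for role in role_names:
            eff[user] |= roles[role]
    for user, system, ent in direct:
        eff[user].add((system, ent))
    return dict(eff)

def find_toxic_combinations(effective, rules=TOXIC_RULES):
    """Return {user: sorted rule names} for users whose entitlements cover a whole rule."""
    findings = {}
    for user, ents in effective.items():
        hits = sorted(name for name, required in rules.items() if required <= ents)
        if hits:
            findings[user] = hits
    return findings

def who_has_access(effective, system, entitlement):
    """Reverse lookup: which users can reach a given system-level entitlement."""
    return sorted(u for u, ents in effective.items() if (system, entitlement) in ents)

if __name__ == "__main__":
    eff = effective_entitlements()
    for user, rules in find_toxic_combinations(eff).items():
        print(f"{user}: {', '.join(rules)}")
    print("finance share:", who_has_access(eff, "fileserver", r"\\fs01\finance$"))
```

Note that carol's finding only appears because the direct share grant is resolved alongside her role; a review limited to role membership would report her as clean.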
The advantage of tightly integrated approaches covering both traditional Access Governance and Data Access Governance is the ability to work with a consistent set of controls and to provide a consistent user interface to business users. Business users expect such a consistent user experience when defining entitlements, managing access requests, and reviewing entitlements.
SailPoint is one of the few vendors that delivers an integrated approach for both Access Governance and Data Access Governance, based on their IdentityIQ offering for Access Governance and Identity Provisioning and their Data Access Governance offering SecurityIQ. The latter is based on the technology SailPoint gained through its acquisition of Whitebox Security. In the current release, both offerings are tightly integrated, with clearly defined capabilities for the areas of both Access Governance and Data Access Governance.