1 Introduction / Executive Summary
Identity Governance and Administration (IGA) is essential to business as a strategic approach to ensure overall IT security and regulatory compliance. Identity Governance and Administration refers to the increasingly integrated Identity Lifecycle Management and Access Governance markets. Policy-based provisioning allows organizations to enforce consistent entitlements across multiple applications for multiple business units.
Traditionally, it has been challenging in IGA to handle static entitlements. Static entitlements are the root cause of the need for roles and recertifications and for failing the principle of least privilege. Until now, the process for policy-based access in IGA involved building a role model, onboarding a user, and then granting initial entitlements. Many organizations provide a basic set of initial entitlements automatically based on policies. The challenges around granting initial entitlements are that role models and associated data needs to be accurate. Moreover, the provisioning is not real-time, and the static entitlements become outdated. The larger the organization, the more time consuming it is to do access reviews.
A consistent set of policies across the entire environment is increasingly important for organizations that are expecting rapid growth in terms of identities. This approach not only leverages the benefits of the policies, such as automation, but also supports a more agile development environment, an important capability that will reduce 'time to value' and heighten competitiveness.
Providing access to multiple applications is challenging as the nature of applications varies based on their functionality and compliance. The ideal approach is to bundle the entitlements based on roles. Entitlements can be bundled based on roles by looking into groups of users who have access to similar applications, thus assigning entitlements based on these roles. Role mining is an approach that is frequently used, but it in some way conserves over-entitlements from the past by looking at what had been done using a bottom-up structure instead of freshly defining the minimal entitlements top-down. Thus, role mining may help and complement, but it must be used carefully. Another challenge role mining creates is identifying the specifications of a role: How to decide what should be in the role and who should decide that? This is where role mining is supported, as it analyzes the logs and history of users with similar roles. Role mining helps to identify which roles access which applications. Hence policies are important to address these challenges. Policies can be made further robust by following a strong life cycle management model.
In policy life cycle management, policies are created, reviewed, and approved. Organizations need to define the roles which will perform these tasks when applying policy-based provisioning. Another must have is a good policy life cycle management definition. Policies are easier to review if the life cycle management is strong. Strong policies help to identify the right attributes and also help to review if the policies applied are accurate. For example, if there is a mover, the user is entitled to receive additional birthright entitlements based on the policies in place, which refer to the definition of the new role. With the right attributes, roles can be assigned.
Policy lifecycle management is essential for creating a structured and defined approach to creating policies. This also involves pre-approval for new changes and transfer of ownership. Policies for birthright provisioning effectively are pre-approved assignments based on attributes. Their lifecycle must be well-managed due to their powerful impact. Lifecycle Management also affects identity lifecycle management because the attributes used for policy decisions must be accurate in order to avoid wrong decisions. Policies then need reviews to ensure that they are consistent. However, due to the lower number and the simple structure of policies the review of policies is way simpler than for the huge amount of frequently nested roles.
Modern IGA solutions are addressing these challenges by controlling all the granting of initial entitlements based on policies. This has allowed it to make the process leaner and easier, as you don’t need to spend time building role models. Instead, only a policy model needs to be created. Unlike traditional IGA, this process involves onboarding the user and then adding attributes to define the user. Policies need to be defined which will extract data from the users’ attributes and provide authorization. However, the policies need to be regularly reviewed, which is much easier than reviewing all the static entitlements. The policy-based approach also supports Just-in-Time (JIT) access, since there are no outdated static entitlements anymore, as policies control all the authorization.