Identity Governance with a Purpose – Deciding and Documenting Why Access is Granted

So not too long ago, I was actually talking with a friend of mine, and I mentioned that I was coming out to Berlin and that I was going to be attending the European identity and and cloud conference. And he asked me, well, what are you doing there? And it's like, well, I'm presenting on identity governance. And I was kind of surprised by his reaction because he said, why are you talking about such a boring topic? And I, I thought for a second, it's like, well, you know, that made me kind of take a step back and, and actually consider, you know, really, you know, some things in life really can be boring, you know, so, so if you're looking at things that are boring, well, you know, there's a lot of examples. Like for instance, you know, when you're placed, you know, on hold waiting for help, you know, from the help center, you can be waiting for quite a long time. Also, if you get stuck in traffic, like for instance, if you live in the Bay Area, you can be, you know, quite bored, you know, waiting for, for you to get to wherever you're getting trying to get to. And often I think it can actually be much longer than 30 minutes, but it depends on where you live, right? But even my presentations can be boring.
But I think I had to concede a little bit that what he was really referring to was that really bad governance can be boring.
So when you're dealing with bad governance, you're usually in a situation where you're dealing with overwhelming access reviews, you're, you're just having too much to, to process. And so you don't really have an understanding of what's going on. And because you don't have that understanding, you are often put in a position where if you're making decisions, maybe you're making a, an approval decision without really fully having the full context. And so you're just going along and rubber stamping just because you don't wanna be that person that says no, and, and don't wanna have to deal with the outcomes of that. So the, these things tend to be, you know, problematic, right? But governance is really a necessary part of good cybersecurity. So we, we need to really think about how we're applying governance and, and try to do this more effectively. And so, for example, when you, when you really think about cybersecurity in general, you're really looking at this as an overall process.
And this, you know, is applicable across the board, depending on, you know, all sorts of different kinds of threats that you might be dealing with. You know, everything from network attacks to unsecured email, to unmanaged endpoints, to compromised credentials, to application vulnerabilities, supply chain attacks, even unknown threats. So all of these different types of vectors of attack can be dealt with, and you can build up resilience to by following a good cybersecurity process. And I would simplify that process by saying that it's not just about security, but it's about understanding risk and applying, you know, good governance practices. So that means that you're, you're taking the time to make good decisions, you know, taking an account that the understanding of that risk and applying that to your decision making. And while you're doing that, then you can start to implement much more effective controls as part of your security posture.
So when we talk about identity governance, it's, it's within that context. So identity governance is really the, you know, taking that further and, and narrowing down specifically on the insight and control around the, the access entitlements. Being able to collect all this information from these different sources, being able to put them in the, in the right form, so that way it's easy to make decisions and putting it in front of the right people to make those decisions. So that way it's not just the IT team that's, that's going ahead and, you know, applying, you know, whatever, you know, the last setting that they had from the, the previous, you know, set of accounts that they were dealing with and, and just cloning entitlements and, and, and roles along the way, but actually putting it in front of the people that are really accountable for the proper access to be granted.
And so by taking this information, going through down processing, through this funnel, providing the right analysis and getting the right decision makers at the right time, you can actually have better insight into access rights. You can improve the engagement and ownership by the organization around, you know, taking accountability for appropriate access. And along the lines also provide these kinds of process optimizations, you know, more effective roles, better enforcement and separation of duties, easier access reviews, you know, easier access requests and approvals and so forth. So this really brings us to, you know, a little bit more detail in what this process really looks like. So for, from an perspective of identity governance, you're really involving lots of different actors in the process. This is kind of the glue that brings the different parts of the organization together to help really provide the right level of, you know, appropriateness around these decisions.
So the application owners, the sec, the folks in security operations, the business managers as well as the internal and external auditors, need to be part of this process. And you can take each step along the way as you collect this information from the different information sources, you can then further curate and refine, you know, the, the information about these entitlements, being able to provide it in a much more business context for somebody in the, the business side that might not be as familiar with the details of a particular application or, or how things are structured within a given, you know, system to be able to make a clear, understandable and executable decision to carry that forward when then once they make that decision, they can now, you know, record that, you know, store that for future use so that way we can continue to enforce that decision as well as a test that this is actually appropriate. And, and so you have a record that, that, you know, this decision has been made, which then facilitates the whole point of being able to verify with the auditors, right? And then from there, taking that and using that as a basis for final fulfillment to allow for the enforcement of those decisions.
But, you know, as part of this, I mean, I, I kind of get his point, you know, I mean this, this, this is a process. Everybody has to do it, it, it feels like, you know, you, you're, you're being asked to go do your homework, right? But it, it's important. And, but governance I don't think necessarily has to be boring. I think that in fact, you know, good governance can even be sexy.
For example, you know, if you look at this, you know, good identity governance shouldn't have gaps. And a lot of times when we're asked to do, you know, let's say an access certification campaign, we'll, we'll start out, you know, and have a periodic review established, you know, throughout the year, right? We'll go through and at each stage we're doing, you know, our access certification, we're reviewing all this stuff, we're attesting to it, and we think we're in good shape. But often between reviews, we actually don't have a whole lot of insight to what's going on. Okay? And so you're blind through those stages. And so actually kind of interesting things could happen while you're not watching. So if somebody actually knows the pattern by which you're applying this review to, they might come in between review periods and actually, you know, go ahead and add access that's not getting caught, and then removing access before the next review. So you don't see that that's ever happened. It looks like it's clean, but Bob came in and had access in between, right? And that could be a repeating pattern, and you might not even be aware of it. Okay? So, so this shouldn't have gaps, but, so the, the right way to, to look at this would be is how can we do this in a more adaptive way? You know, what can we do to do identity governance beyond a point of time, but in a continuous fashion?
So if we look at this from a continuous perspective, we might set up an initial baseline certification so that way we get a, a good level set as we start in. But now, instead of doing a periodic access review, I can watch for when things change. So making it, having an event driven model where, you know, a new change occurs that is outside of my normal policy set, so it's not something I can handle automatically because of that, I can trigger a micro certification, you know, involve the right decision maker to make a, a judgment call on is this appropriate? Is this the right thing I should be doing with Bob? And if, if he decides no, I can immediately revoke that access. So this, this handles out of band, you know, actions that might be taking place, and they, they can happen all the time, but instead of waiting for the big long review where you have this big stack of things that you have to, to go through, you, you're only focusing on the, the, you know, the time and point in time of when this action occurred.
And then another time later on, let's say, you know, Tom's access gets added. And in this case, you know, so we go through the same thing and it triggers a, a micro certification. We involve the right decision maker. In this case, the decision maker decides that, no, this is actually good, you know, this, this is, you know, you know, Tom really needs this, and it might even be a further refinement. So we'll not only, you know, approve it, we'll also certify that we'll update our attestation and we're going to record that so that way the next time a pattern like this occurs, I can now do this more automatically. Okay? So it's a way of, of keeping the, the decision making going in a fluid way where you're not overwhelming the decision maker with too much information such that, that they end up just sort of punting and just saying, okay, I'm, I'm not going to reject anything.
So good governance shouldn't, you know, make decisions difficult, right? And, and if we're overwhelming the decision maker, this can lead to bad outcomes, you know? So when, when you look at it from this perspective, you have lots of different types of bad outcomes that could happen. You have poor visibility into the actual entitlement state. You could also, you know, fail to catch risky entitlement assignments. You just miss them, you know, attestations that as soon as you finished your, your access review cycle, they're no longer valid because things are changing and you're not catching those changes. And then also is that if you're just going through this cycle of just going and, and doing these, these periodic access reviews and not really making it better, you're not improving your security posture over time. So, so your, your last attestation set is, is no better than the earlier attestation set, if you will, and your overall security is actually, you know, the same or maybe even worse.
So part of this is to, to improve this, is to really provide this kind of dynamic decision support, you know, what can we do to, to really help with this, you know, and this, you know, starting to, to take advantage of different techniques, like for instance, leveraging unsupervised machine learning to help provide better context for making decisions. So by watching what's going on, by looking at the behaviors and, and understanding the context better, you can actually start to generate better role recommendations, you know, based off of these characteristics. And so you could have, you know, much more assistance to the decision maker. So the decision maker isn't getting overwhelmed, they're not having to make up, you know, or make all these decisions, you know, in a vacuum, you can actually guide them and steer them to, to help make them, you know, be more effective in their decision making.
Also through this, you know, un having these, these techniques with unsupervised machine learning, being part of the, looking at the, the information as it's coming through, you can start doing risk-based, you know, policy recommendations as well. So you can look to see, well, you know, with this, what is the actual risk level that I, I would be dealing with by granting this access, for example, you know, I want to capture that this is, you know, appropriate, but you know, I, is this based off of this person's behavior, be based off of other factors. You know, maybe that's not the right decision. Maybe I need to rethink my policy around this, or maybe I'm granting too much. So, so being able to identify the outliers and adjust entitlement policies, you can reduce unnecessary exposure. And also by highlighting the highest risk, you know, identities, you can also characterize, you know, what kind of potential threats you might end up having to deal with. So, so again, providing that greater identity context for the decision maker to make good decisions.
And then really what this comes down to, I think that that's a further enhancement of this process is really talking about purpose. You know, we've, we've gone for a long time with, with identity governance, where we're focusing on deciding what is appropriate, you know, what, what appropriate access should look like. But we also need to capture the rationale as to why it's appropriate. Okay? And this becomes very, very critical, especially when we start talking about, you know, adhering to privacy laws and, and also, you know, to, to basically enhance our ability to enforce, you know, access around these, these privacy constraints. So a lot of times organizations are, are always looking for new ways to monetize and share the data that they've, they've collected. And so, so having that as, as part of their, you know, mo that's, that's what they want to do, but they need to make sure that they're doing this in a, in an effective way and in a secure way. And so making sure that having the, this data handled responsibly and in accord with privacy regulations is paramount, which also means that, you know, only the, the information that's collected should, should be shared only if it has a legitimate purpose to do so. So, so if, if somebody's trying to access data for a, a purpose that's not legitimate, or hasn't been approved, or hasn't been given consent, they shouldn't be able to access that. And you should be able to enforce the, those constraints
And the reasons have to be rec recorded, reviewed, and enforced.
So, you know, my supposition here is that, you know, the identity governance process is an ideal place to actually inject purpose. So as part of this process, while we're going through and making these decisions, we're collecting this information, we're, we're curating it, we're analyzing it, we're refining it, we can also now start to capture, you know, what are the valid reasons for somebody to have this access? You know, what are the purpose statements that we can work with as part of, you know, understanding the, the reasons why that this access is needed, and then presenting that in an effective way to the decision maker. So the decision maker can now make very clear, you know, judgements based off of not only what they think appropriate access is, but also documenting why that is the case and being very clear about it. So, so being able to review those based off of purpose and then assigning the right purpose to those entitlements or to the, when those entitlements are granted, becomes a very, you know, easy way to inject this into the process. And then now once we capture that, we can start to use that context, that additional context to drive additional enforcement. So when I come and, and have, let's say, an entitlement that maybe a, a particular individual is granted, if a purpose wasn't assigned, that might be a modifier where in certain circumstances I w I will still deny access because there wasn't a legitimate purpose, all depending on, again, the sensitivity and the, the, the nature of the data that you were working with.
So once you, once you have this now documenting that purpose, you know, provides clear reasons to why this sensit, the access to the sensitive data is required. And so with this, now when you have a, a data subject access request, a desar, it's very easy to provide that explanation as to why this data was collected and how it's being used. Also, you know, it gives us, like I said earlier, the, the, the whole process becomes an ideal way to get this in front of the right decision maker. You know, we have to involve those, you know, decision makers as part of this process to ensure that not only is it attested that this is in fact, you know, appropriate, but I also can tell you why. And lastly, you know, the enforcement of this, you know, really falls in line with all of the, the philosophy that we've been talking about around zero trust is that you can now have better ways to enforce that need to know philosophy and only provide that access when, when it's absolutely necessary. So in summary, you know, by leveraging real time events, better decision making through machine learning and recording and reviewing and enforcing purpose, you know, I think that actually makes a case that good governance can be sexy. Thank you.
Thank you. There are, at least, there are at least four questions. Okay. One remark, the remark, I will just mention it that identity governments is very important, but the purpose is the thing we're talking about. But if you have no good data classification, what is your private data? What is your riskiest treasure that you need to protect without proper data classification processes? It's very difficult to define the purpose and protect it. That's a remark. Yeah.
Well, I, and
Another question,
Can I, can I react? Go ahead. That remark is that I, I completely agree. I mean, part of this is understanding the, the nature of the information source that, that you're working with. And as I showed in the, the, the process of risk, you know, governance and security classification is, is one of the critical steps of that process. So absolutely.
And, and I think that's could be a really difficult process in itself. And then the other one is where is this question? The way identity governance is presented, it seems to be a quite manual task since questions about identity governance are changing a lot. How do you answer them on scale?
Okay, well first off, it's, it's what I was representing. Were the different stages that need to go through. Not necessarily that they can't be automated, there are different actors that need to, to participate in the process. It's not something that can be done with without that kind of context. So there are roles that different players will, will, you know, play within that process. But much of this can be automated. And actually, one of the things that I was trying to illustrate as well, with the event driven nature of this is to try to, you know, instead of doing this in such a manual way, you can actually make this much more streamlined and, and more effective.
Okay. And then the last one, what kind of entitlement catalogs was you talking about? It is, is it a tool provided by OpenText?
So, so yes. It's, so the entitlement catalog, first off, I was, I was talking about this more in generic terms. Almost every identity governance solution out there maintains some form of, you know, entitlement catalog. So it's sort of an a, a generic way of representing this. But yes, through, through our identity governance products, we, we maintain that, that context and that information, and we use that as the basis for how a lot of this process gets, you know, operated on.
And where will it end? Will we look at a holistic database analytics when also the fraud detector and the other seam software data will be gathered into one thinking decision engine? Is that on your roadmap or
So, so we have many of these parts, the, it's not necessarily a one database to rule them all kind of model, but, but there are relationships between all of this information and, and being able to have these, these different capabilities work together in concert provides the full picture and be, and allows for this kind of, you know, you know, coordinated activity across many different segments within the security market.
Okay. Well thank you.
Thank you so much.