Six Best Practices for Improving Identity and Access Governance

Access control and identity governance policies are two key pillars of enterprise security, providing organizations with approaches to securing important technology assets. Unfortunately, it’s not always easy to properly secure identity and access control, due to organizational complexity. Further compounding the challenge is that cyber-attackers are taking direct aim at access control and identity systems in privilege escalation attacks that can often lead to data breaches. There are multiple things that organizations can do to improve and harden identity and access governance policies. This eWEEK slide show, using information from James Ducharme, vice president of identity products at RSA, shares six best practices to improve identity and access governance.

Privileged access is commonly thought of as just root or administrator accounts, but there are other definitions beyond infrastructure access—admin access to applications, accounts used to transfer money or data, and access to sensitive information such as patient records or personal information. Defining privileged access in technical and business terms allows organizations to understand and classify the access that the accounts and identities hold. Providing visibility of where privileged access is and who has it enables organizations to monitor if it changes or is used.

With understanding and context of privileged access, it is much easier to monitor it and understand when it is being used. Identity context enables an analyst to understand the relationship of an identity’s normal accounts to any privileged access that they may also have.  Thus, accounts that could be used for escalation can be monitored or deactivated. An analyst can also prioritize threats that are detected involving privileged access. 

Not all organizations that have deployed privileged identity management technology have put identity governance or life cycle processes around them. This means that identities retain the use of privileged access accumulated over time, so there are more accounts that can be compromised for escalation or can be used if the person becomes disgruntled and decides to act maliciously.

When using privileged access either directly or through a privileged access management (PAM) technology, typically there is still a need for a user name and password. Whenever a person is about to authenticate with a privileged account, there is a need for at least a second factor to assure that the user is who he says he is. 

Companies shouldn’t start an identity project until they have an understanding of what they want to do, the scope of applications they want to cover and the metrics they want to use to measure success.

Provisioning-focused approaches look to take bad data, maybe clean it up a bit and then develop lots of code to make the data work in a process. However, the data and the processes change and so the code needs to change, resulting in a vicious cycle of pain and expense. Identity governance takes the approach of first gaining visibility of the data, who has what access, how to they get it, then using that to clean and remediate the access to improve control and reduce risk while also getting it ready for provisioning. Automating the provision of access is then a much simpler and effective process that can be easily adapted to changes in the business.
SUMMARY: