Access governance has become a trending topic for companies in the last decade as threats from inside the organization have become nearly as prevalent as the threats from outside hackers. Imagine a rogue salesperson downloading your entire global client list, the products each client owns and the contact information of their decision makers, and then leaving for a competitor. The effects could be devastating for your business.
Access governance can be defined simply: ensuring that your employees have the correct rights to the systems and data needed to perform their respective jobs at the present moment – nothing more and nothing less.
Historically, access governance was employed only by large corporations that required a high level of security over their networks, but quite recently it has begun to make its way into mainstream computing as the costs and complexity of implementing these solutions have come down. This, coupled with regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), has led organizations of every size and in every vertical to take a serious look at their network and data management practices.
To get started, an organization needs to take an in-depth look at their processes and procedures today and evaluate the following:
- How are we creating, managing and disabling employee user accounts in the network?
- How do we determine what rights an individual has to applications and data?
- Are those rights appropriate for every type of user that we employ?
- How do we manage accounts and access for non-employees, such as temps and contractors?
- Do we have an audit process in place to ensure that once access rights are correct, they remain that way?
After analyzing the current processes and procedures, the next step is to verify that they are accurate, correct them where necessary, and decide what can be automated and what needs approval and oversight; finally, evaluate vendors for a solution that meets the requirements.
Most organizations prefer to automate as much as is feasible. By using an authoritative source, such as the HR system, it is possible to streamline the account creation process to a large degree. User accounts can be created in the network, email and any relevant downstream system when a new employee is detected in the HR system. Access rights to specific data elements can also be set based on the individual's title, department and location, with this information also coming from the HR system. Conversely, when access governance detects that an employee has been terminated in the HR system, all access rights can be immediately revoked, email forwarded to a manager and home directories made available for review.
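The joiner/mover/leaver cycle described above can be expressed as a reconciliation between the authoritative HR feed and the accounts that actually exist. The following is an added example written for this page, not code from any product or from the original article; the HR records, role rules and account data are constructed and every name is hypothetical. It derives the desired entitlements of each person from their department, title and location, compares them with what the account currently holds, and emits the provisioning actions (create, grant, revoke, disable) that bring the two into line. An account with no HR record at all is treated as an orphan and disabled rather than silently kept.

```python
"""Added example: HR-driven joiner/mover/leaver reconciliation (hypothetical data)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed role rules: (department, title) -> entitlements the role needs.
ROLE_RULES = {
    ("Sales", "Account Executive"): {"crm:read", "crm:write", "email"},
    ("Sales", "Sales Manager"): {"crm:read", "crm:write", "crm:export", "email"},
    ("Finance", "Analyst"): {"erp:read", "email"},
}
# Constructed location rules: site-specific file shares.
LOCATION_RULES = {"NYC": {"share:nyc"}, "LON": {"share:lon"}}


@dataclass
class HrRecord:
    employee_id: str
    department: str
    title: str
    location: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    employee_id: str
    enabled: bool
    entitlements: set[str]


def desired_entitlements(rec: HrRecord) -> set[str]:
    """What this person should hold, derived only from authoritative HR attributes.
    Terminated people get nothing; an unknown role combination falls back to
    email only, so an unmapped title never grants more than the minimum."""
    if rec.status != "active":
        return set()
    base = ROLE_RULES.get((rec.department, rec.title), {"email"})
    return set(base) | LOCATION_RULES.get(rec.location, set())


def reconcile(hr: list[HrRecord], accounts: dict[str, Account]) -> list[tuple[str, str, str]]:
    """Compare the HR feed with current accounts and return provisioning actions
    as (action, employee_id, detail) tuples in a stable order."""
    actions: list[tuple[str, str, str]] = []
    seen: set[str] = set()
    for rec in hr:
        seen.add(rec.employee_id)
        want = desired_entitlements(rec)
        acct = accounts.get(rec.employee_id)
        if rec.status == "active" and acct is None:
            actions.append(("create", rec.employee_id, ""))  # joiner: new account
            have: set[str] = set()
        elif rec.status != "active":
            if acct is not None and acct.enabled:
                actions.append(("disable", rec.employee_id, ""))  # leaver: cut access now
            have = acct.entitlements if acct else set()
        else:
            have = acct.entitlements
        for ent in sorted(want - have):
            actions.append(("grant", rec.employee_id, ent))
        for ent in sorted(have - want):
            actions.append(("revoke", rec.employee_id, ent))  # mover or leaver
    # Enabled accounts with no HR record are orphans: flag them, do not keep them.
    for emp_id, acct in accounts.items():
        if emp_id not in seen and acct.enabled:
            actions.append(("disable", emp_id, "no HR record"))
    return actions


def run_sample() -> list[tuple[str, str, str]]:
    """Constructed sample: one unchanged user, one promotion, one new hire,
    one termination and one orphan account."""
    hr = [
        HrRecord("e1", "Sales", "Account Executive", "NYC", "active"),
        HrRecord("e2", "Sales", "Sales Manager", "LON", "active"),      # mover
        HrRecord("e3", "Finance", "Analyst", "NYC", "active"),          # joiner
        HrRecord("e4", "Sales", "Account Executive", "NYC", "terminated"),  # leaver
    ]
    accounts = {
        "e1": Account("e1", True, {"crm:read", "crm:write", "email", "share:nyc"}),
        "e2": Account("e2", True, {"crm:read", "crm:write", "email", "share:lon"}),
        "e4": Account("e4", True, {"crm:read", "crm:write", "email", "share:nyc"}),
        "e9": Account("e9", True, {"email"}),  # no HR record
    }
    return reconcile(hr, accounts)


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

Running it on the sample produces no action for e1, a single grant of crm:export for the promoted e2, a create plus three grants for the new hire e3, a disable followed by four revokes for the terminated e4, and a disable for the orphan e9. In a real deployment each action would be dispatched to the directory, mail and downstream connectors; keeping the decision logic separate from the connectors is what makes it auditable.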
Web portals can be implemented allowing end users to request access to additional resources.
To streamline the changes, the requests can be reviewed by one or more appropriate levels of management via the same portal and, once approval is granted, the change is automatically implemented in the appropriate systems. These changes can be made permanent or set up for a pre-defined timeframe, such as an employee covering for another on leave or a short term special project.
For contractors or temporary employees, the same portal can be used to streamline the onboarding and offboarding process. Hiring managers can complete an online form with the requisite information, such as name, position, department and contract length. The form is then processed via a workflow in which any necessary approvals are provided, and the account is then automatically provisioned into the network and connected systems. Alerts can also be implemented to notify managers of an impending contract renewal date or contractor departure.
After processes and procedures have been implemented and access rights to applications and data have been established based on roles and rules, audit processes need to be implemented to ensure they stay that way. Any unmanaged change to the network should be detected and corrected promptly. This turns the annual compliance audit into one that runs continuously, ensuring the highest level of conformity at every point in time.
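The continuous audit described here, together with the time-bound access from the approval portal and the contract expiry alerts for contractors, can be demonstrated as a single audit cycle that runs on a schedule. This is an added example written for this page, not code from the original article or from any vendor's product; the desired-state, actual-state, approved-grant and contract data are all constructed and the names are hypothetical. Approved temporary grants that have not yet expired count as expected access; expired ones are flagged for revocation; anything held that is neither role-based nor approved is an unmanaged change; and contracts past or near their end date produce a disable action or a manager alert.

```python
"""Added example: one cycle of a continuous access audit (hypothetical data)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass
class TimeBoundGrant:
    """Access approved through the request portal for a fixed period."""
    user: str
    entitlement: str
    approved_by: str
    expires: date


@dataclass
class Contract:
    user: str
    manager: str
    ends: date


def audit(desired: dict[str, set[str]], actual: dict[str, set[str]],
          grants: list[TimeBoundGrant], contracts: list[Contract],
          today: date, warn_days: int = 14) -> list[dict]:
    """Compare role-based desired access (plus valid approved exceptions) with
    what users actually hold, and check contractor end dates. Returns findings;
    scheduling this function is what makes the audit continuous."""
    findings: list[dict] = []
    valid: dict[str, set[str]] = {}    # still-approved temporary access
    expired: dict[str, set[str]] = {}  # approval has lapsed
    for g in grants:
        bucket = valid if g.expires >= today else expired
        bucket.setdefault(g.user, set()).add(g.entitlement)

    for user in sorted(set(desired) | set(actual)):
        expected = desired.get(user, set()) | valid.get(user, set())
        have = actual.get(user, set())
        lapsed = expired.get(user, set())
        # Held access whose approval ran out: revoke, but record it as expired,
        # not as an unmanaged change, because it was once approved.
        for ent in sorted(have & lapsed):
            findings.append({"type": "expired_grant", "user": user,
                             "entitlement": ent, "action": "revoke"})
        # Held access that neither the role nor any approval explains.
        for ent in sorted(have - expected - lapsed):
            findings.append({"type": "unmanaged_grant", "user": user,
                             "entitlement": ent, "action": "revoke"})
        # Role-based access that went missing (also a drift, in the other direction).
        for ent in sorted(expected - have):
            findings.append({"type": "missing_grant", "user": user,
                             "entitlement": ent, "action": "grant"})

    for c in contracts:
        days_left = (c.ends - today).days
        if days_left < 0:
            findings.append({"type": "contract_ended", "user": c.user, "action": "disable"})
        elif days_left <= warn_days:
            findings.append({"type": "contract_expiring", "user": c.user,
                             "notify": c.manager, "days_left": days_left})
    return findings


def run_sample() -> list[dict]:
    """Constructed sample for an audit run on 2024-06-01."""
    today = date(2024, 6, 1)
    desired = {"alice": {"crm:read", "email"}, "bob": {"erp:read", "email"},
               "carol": {"email"}, "dave": {"email"}, "erin": {"email"}}
    actual = {"alice": {"crm:read", "email", "crm:export"},   # approved until 30 June
              "bob": {"erp:read", "email", "erp:admin"},      # approval lapsed 15 May
              "carol": {"email", "finance:share"},            # never approved
              "dave": {"email"}, "erin": {"email"}}
    grants = [TimeBoundGrant("alice", "crm:export", "sales-mgr", date(2024, 6, 30)),
              TimeBoundGrant("bob", "erp:admin", "fin-mgr", date(2024, 5, 15))]
    contracts = [Contract("dave", "pm-1", date(2024, 5, 28)),   # already ended
                 Contract("erin", "pm-2", date(2024, 6, 10))]   # ends in 9 days
    return audit(desired, actual, grants, contracts, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

On the sample this yields four findings: bob's lapsed erp:admin to revoke, carol's unapproved finance:share to revoke, a disable for dave whose contract has ended, and an alert to erin's manager nine days before her contract ends. Alice's crm:export raises nothing because the approval is still valid, which is the point of recording temporary access with an expiry rather than as a permanent grant.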
In summary, the benefits of access governance are a more secure, compliant application and data environment and, thus, a significant reduction in risk from users looking to create havoc.