Access Governance: Perceptions And Misconceptions

By | April 08, 2013

Posted in: Network Security Trends

We touched on Access Governance (AG) last year, but have found that misconceptions about the space still fuel some of the discussion.

Access Governance is basically the overarching system that governs who has access to what in a given organization, or as we wrote last year, it approaches identity management from a “business perspective.”

Security Bistro had the opportunity to speak with Geoff Webb, Director of Solution Strategy at NetIQ, an IT enterprise vendor, who said that many companies are still unaware of how vulnerable they are until they’ve been flagged in an audit, or worse, been the victim of a breach.

“While IT pros have heard of Access Governance, some believe that identity management systems can handle access requests. The truth is that Identity and Access Governance point solutions provide only limited provisioning and automation that may not support the dynamic and static access to important types of applications (such as mobile, SaaS, and cloud applications) for multiple users,” said Webb.

A 2011 study by industry analyst firm IDC revealed that license and maintenance revenues accounted for more than $4 billion in identity access management (IAM) alone, which is why Webb believes many IT Directors are skeptical that another solution — namely AG — would help them achieve their goals.

So who benefits when proper Access Governance tools are implemented?

Webb said that all organizations can use these tools, but highly regulated industries such as banking and healthcare, where you need to be able to carefully monitor who has access to what, and how, in order to establish an audit trail, are generally the most in need of AG tools.

“Ultimately, Access Governance as a discipline attempts to close the control gaps with two aims – first, to enable the business to meet its audit and compliance needs by reporting on who has access to sensitive or valuable resources and second, to prevent access to critical resources. Failure to address these requirements will increase the cost and difficulty of meeting the complex regulatory and industry mandates facing organizations,” said Webb. “It also significantly increases the risk that a breach will occur, especially in the all-too-common situation of an employee changing roles, or even leaving the business yet retaining access rights to data.”

Webb cited the colossal collapse of Britain’s Barings Bank as one of the most infamous failures of managing internal controls. Back in 1995, Barings was brought down by Nick Leeson, a rogue trader who — had Access Governance controls been in place — might have been caught before he left a $1.4 billion hole in its balance sheet.

Webb said that AG is a natural fit for the enterprise, bringing together an operational and strategic view by serving as the integration layer across multiple provisioning tools.

“While some identity management systems can handle access requests, most cannot allow users to perform access requests, which over-burdens service desks. Users need to feel empowered without compromising security or violating access rules. Having a flexible, scalable Access Governance solution can alleviate the burden for both IT and business,” he added.

But there remain misconceptions. Many organizations believe they only need one point system to serve their needs. Not so, said Webb, who maintains the reality is that broad-based Access Governance solutions are more effective at centralizing and automating information on the state of access within their organization.

“Another common misconception is that all the work for Access Governance is done upfront,” he said. “The reality is that to achieve value quickly, organizations need to match project goals and use an iterative approach versus a ‘big bang’. This continual monitoring of compliance regulations, policies and processes minimizes the risk exposure.”

As technologies evolve, Webb believes that Access Governance (vendors currently include Aveksa, SailPoint and Courion, as well as major IT players IBM and Oracle) will also expand.

“[T]here is still incredible value in the foundational capability to manage identity across the enterprise. As that capability extends to cloud services, there is significant value in having both sets of tools – Access Governance and Identity Management – available to meet the challenge of a highly complex, mobile business IT infrastructure,” he added.
