IBM Security Identity Governance
Imagine a situation in which you have an employee that worked in IT support; he then moved on the system engineer, only to end up in the sales and marketing department. The question is: do you know what access rights that person has to have according to the applicable policies, and what permissions that person actually has on your IT system?
What is an Identity Governance system?
While “classical” systems for managing identities and access mainly deal with managing the life cycle of identities and access rights on a technical level, Identity Governance systems enable organizations definition of, reviewing and reporting (ex. for auditing purposes) on policies for identity and access management as well as allowing mapping of system functions for identity and access management to requests set by standards which the organization must conform to. Following confirmation of conformity, the chain of events that unfolds frequently resembles the picture below. The most frequent result is painstaking manual data collection and multiple meetings in which what permissions a certain person has will be “discovered”. Aside from that, it is really hard to uncover dangerous permission combinations that an employee might have from the very start (ex. one person being able to create and approve proposals), as is finding out when who was authorized for what and whether they still need those permissions.
IBM Security Identity Governance
Entering the scene is IBM Security Identity Governance (ISIG), a new IBM solution for governance of identities and access. IBM Security Identity Governance’s goal is to help organizations efficiently manage identities and application access and bridge the gap between compliance, business activities and IT activities. The result is risk reduction in deceitful activities, role conflicts and human error in conducting business processes. ISIG looks at identity and access management from a business perspective, an approach that eases auditing and certification of user access rights. Also, it is possible to get detailed analysis of roles and right and their compliance with business processes and rules. This is possible due to the way ISIG manages user permissions – all permissions that users have on different systems are stored in ISIG’s central repository. Based on that data, it is possible to identify roles that are crucial to business, the risks connected with them and the connection between permissions granted to an individual and his business roles. This information is presented in a clear format in the interface in which it is simpler to assess the risks deriving from user access rights, just like risks that derive from rules regarding the separation of duties (SoD). Included are role-mining functionalities with which you can optimize business roles as business processes change and improve.
ISIG regards SoD Controls from the business world (and the auditor’s) perspective and bases itself on predefined activities that belong to business processes, and not, like how it frequently used to be, from the perspective of individual permissions in applications that are more of a technical nature. Special emphasis is placed on the ERP system – primarily SAP, for which exists support for managing roles with predefined rules which extend to the SAP transaction and object authorization level. Conflicts can be easily uncovered and described in a business context employing access based on modeling activities. Assessing risks can be a part of workflow for access requesting, where specific conflicts can be escalated or approved, where attention is given to the area with the largest risk. Access rights are very frequently only temporary (for example, for the duration of the project) and it is necessary to periodically check and recertify them so long as they are still necessary. ISIG offers functionalities for organizing recertifying campaigns which will automatically initiate the revision process and manage workflow for coordination of approving access rights and recertification. On one overview screen managers can approve or repeal access rights, check for Separation of Duties violations and track recertification campaigns in the entire organization. ISIG offers the ability for employees to request new permissions from an online catalog. Those requests are inputted into an automatic mechanism for approval, which, depending on the risk, answers the request in different ways depending on the estimated risk.
On the technical side, the solution is based on a database acting as a central repository and a web application server along with several main functionality modules:
– Access request module, which offers advanced management possibilities at the time of requests for access as well as self-serve possibilities (when a user themselves request some sort of access for themselves),
– Access governance module, which extends functionalities for separating permissions, compliance with SAP systems and access rights revision
– Access intelligence module, which offers role analysis and role mining capabilities.
ISIG presents a useful upgrade to existing IBM (and other non-IBM) products for identity and access management that enables identity management to be executed on a higher level than the built-in risk control and separation of duties rules are normally on now (typically on the system administrator or operator level), with which the tracking of the actual state of user roles and permissions is made much easier, the compliance with standards is also eased and a basis is formed for easier detection and management of risk.
Agile Team Bootcamp
The Agile Team Bootcamp combines two different approaches on creating an agile development team – the technological and methodological approaches. Through our own experience, we’ve learned that effective teams not only use the right tools for their job but also feel comfortable about using both technical and methodological agile practices. We believe that successful teams understand the owners’ business requirements and have quality communication with them, competently plan while taking their own capabilities into account in the given conditions, efficiently and transparently deliver value to the user and critically regard the results of their own work. In order to achieve all of this, they need a combination of the best practices, which you can learn at Agile Team Bootcamp. This service is tailored to development teams that wish to improve their working methods through applying technical and methodological agile (best) practices.
Get in touch
Want to hear more about our services and projects? Feel free to contact us.Contact us