In this section, we look at:
- Compliant Risk Management: workflows allow you to add your own business risk policies to analyze and evaluate the exact level of privilege allowed.
- Access Intelligibility: mapping the technical side to the business side has always proven problematic and error-prone. EmpowerID's functions alleviate that.
- Risk Management for All Your Systems: insecure cross-system access between all your Cloud and on-premise systems and apps has, until now, been a major risk.
First, though, watch this short demo video about how EmpowerID handles risk management.
Compliant Risk Management
One goal of any organization is to efficiently deliver Compliant Access.
For your organization, Compliant Access means access that is both "position appropriate" and that adheres to your risk-related "business policies".
Compliant Access not only keeps your organization on the right side of your legal obligations, but it also enhances your Zero Trust strategy.
By adding your own organization's risk policies into its calculations, EmpowerID can determine whether even the least-privilege level of access would produce an unacceptable risk to your organization.
Identifying such cases allows your risk control owners to make informed decisions about whether to accept the risk and apply mitigating controls, or to reject it.
EmpowerID’s risk engine also supports both preventive and detective SOD simulation and validation. It does so using user-friendly dashboards and workflow processes that automate remediation and revocation.
Access Intelligibility
Your organization's greatest challenge in identifying and managing enterprise risk is understanding the actual business access that a user's technical entitlements provide.
Unfortunately, there is a clear mismatch between the technical “system” world and the business “process” world.
The Identity Governance and Administration (IGA) system must bridge this divide by providing a common language or “Intelligibility Layer” that connects both. EmpowerID does this with functions.
In EmpowerID, functions map the actions that your business users perform (their job tasks) to the resulting actions on the technical side.
Naturally, users can only carry out activities or actions that the business has permitted them to do, i.e. via their roles and entitlements.
Example functions that represent a risk are "Create Purchase Order" and "Approve Purchase Order". (It would create a toxic combination for one single person to hold authority for both of these functions, hence the risk.)
Functions define the system-specific permissions (or roles) that grant someone the ability to perform these types of business actions.
EmpowerID ships with a large library of function definitions for common systems. Process owners and application owners may also use the function mapping tools in EmpowerID to define which application permissions or roles equate to which functions.
Risk policies use functions as building blocks for their calculations. These calculations determine who has access to, and can perform, a function, and who is in violation of the risk policy and therefore must not.
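As an added illustration of the function-mapping and risk-policy evaluation described above (example code written for this page, not EmpowerID's own engine or API), the following maps technical entitlements inventoried from several systems onto business functions and then evaluates toxic-combination policies against them. All system names, permission identifiers, users and policy IDs are constructed.

```python
"""Constructed example: function mapping plus SoD risk-policy evaluation.

Not EmpowerID code. Systems, permissions, users and policy IDs are made up."""

# Function map: business function -> system-specific permissions/roles that enable it.
FUNCTION_MAP = {
    "Create Purchase Order":  {("ERP", "PO_CREATE_ROLE"), ("HRCloud", "Procurement_Requester")},
    "Approve Purchase Order": {("ERP", "PO_RELEASE_ROLE"), ("HRCloud", "PO_Approver")},
    "Pay Vendor":             {("ERP", "AP_PAYMENT_RUN")},
}

# Risk policies: each is a toxic combination of business functions.
RISK_POLICIES = {
    "PO-001": {"Create Purchase Order", "Approve Purchase Order"},
    "AP-002": {"Approve Purchase Order", "Pay Vendor"},
}

# Inventory as pulled from the connected systems: user -> {(system, permission)}.
INVENTORY = {
    "alice": {("ERP", "PO_CREATE_ROLE"), ("HRCloud", "PO_Approver")},
    "bob":   {("ERP", "PO_RELEASE_ROLE")},
    "carol": {("HRCloud", "Procurement_Requester"), ("ERP", "AP_PAYMENT_RUN")},
}


def functions_for(entitlements):
    """Map a user's technical entitlements to the business functions they enable."""
    return {fn for fn, perms in FUNCTION_MAP.items() if entitlements & perms}


def evaluate(inventory, policies):
    """Return {policy_id: {user: triggering functions}} for every violation.

    Cross-system access counts: a user holding one half of a toxic pair in the
    ERP and the other half in HRCloud still violates the policy, which is the
    case the per-system view of either application would miss."""
    violations = {}
    for user, ents in inventory.items():
        fns = functions_for(ents)
        for pid, toxic in policies.items():
            if toxic <= fns:
                violations.setdefault(pid, {})[user] = toxic
    return violations


if __name__ == "__main__":
    for pid, users in evaluate(INVENTORY, RISK_POLICIES).items():
        for user, fns in users.items():
            print(f"{pid}: {user} holds {sorted(fns)}")
```

Only alice violates a policy here, and only because her two halves of the toxic pair sit in different systems; a risk control owner would then decide whether to accept that risk with a mitigating control or route it for revocation.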
Risk Management for All Your Systems
For enterprises, the prevalence of Cloud and on-premise systems using apps with dissimilar permission and inheritance models poses significant problems.
The lack of direct connectivity and control here forces organizations to permit cross-system access just to keep their business functioning.
This limitation, together with the lack of visibility, logging, tracking and other capabilities whose absence leaves you non-compliant, poses both a severe security risk and a major challenge.
EmpowerID meets both the risk and the challenge by providing one of the largest libraries of out-of-the-box connectors for on-premise and Cloud systems available.
EmpowerID first connects these disparate systems.
Next, the EmpowerID inventory engine pulls in and maps these complex system- and app-specific permissions.
Finally, a permanent workflow monitors for changes. When a change is detected, and as per your configured business policies, it can trigger additional events and security alerts.
For risks selected for revocation, EmpowerID can leverage its connectors for immediate fulfillment, or it can open a ticket in ServiceNow.