In this section, we look at:
- Business-Driven Access Governance - It is critical that your users always have the correct assignments and entitlements, i.e. ones appropriate to their roles. With a sprawling number of apps, systems, and users, this is easier said than done without EmpowerID.
- Audit All Systems - You must also audit this same mass of systems and applications. Though they know it is not the best way, many organizations try to do it manually. With EmpowerID, it is not only easy but also automatic.
- Easy for End User Recertification - This is the most common type of recertification required. Laborious and time-consuming, it often degrades into a “rubber-stamp” exercise. Read how EmpowerID turns this around.
- Powerful Tools for Auditors - EmpowerID comes equipped with several tools to make audits (and your auditors’ lives) easier.
- Recertify All Your Critical Systems - Your systems and apps need to be able to talk to each other. If they cannot, you will struggle. EmpowerID makes this a breeze.
- Online or Offline Revocation Fulfillment - A disconnected system does not mean that the process must stop. Here we look at just how EmpowerID does it.
- Micro or Risk-Based Recertification - EmpowerID is process-based and workflow-driven. This enables immediate reactions to any event or change in your authoritative systems (in line with your organization’s own business policies).
- Role Mining Integration - EmpowerID leverages role mining to minimize the number of security roles, reduce admin workloads, and enhance your recertification campaigns.
Business-Driven Access Governance
It is important that all your users have the correct assignments, i.e. those appropriate to their roles, at all times. Not only because the efficiency of your organization depends on it, but also because of your legal and compliance obligations, which require organizations to periodically review their access assignments.
Unfortunately, due to the large number of systems the average user accesses, as well as the static nature of access assignments, this is easier said than done for many organizations.
Indeed, for those with a significant userbase and inefficient processes, this will always be daunting.
EmpowerID’s access recertification simplifies and improves the efficiency of this entire process.
The EmpowerID approach is different from others. It is “campaign-based”: each campaign or audit can cover a different area of your organization (or even different types of access and entitlements within these areas).
Auditors can also define campaigns as being either one-time or as scheduled recurring audit campaigns.
When the initial audit starts, a snapshot of user access and their entitlements is taken. This initial snapshot produces an immutable record of your organization’s security at that time.
From this, audit tasks are generated and EmpowerID’s process-driven approach keeps both users and the work required moving ahead to ensure timely completion and accurate results.
Moreover, this campaign method helps bring business users and auditors closer together and, by allowing them to quickly review and validate user access to Cloud and on-premise applications, improves organizational efficiency.
Audit All Systems
As mentioned previously, EmpowerID’s access recertification process empowers organizations to periodically review and validate user access to Cloud and on-premise applications.
However, in large organizations, to truly gain visibility over who has access to what resources, you need to go further than that.
With the myriad of systems involved, having the ability to seamlessly log, track, and report across all those systems is a challenge.
EmpowerID’s own experience shows that though some systems communicate with each other, this is rarely universal, not least because of the inability to connect to and consume entitlement data, but also because the idiosyncratic permission models and inheritance used within applications are not understood.
Fortunately, EmpowerID provides one of the largest libraries of out of the box connectors for on-premise and Cloud systems available.
Once connected, EmpowerID’s inventory engine pulls these complex, system-specific permissions into an easily reportable structure in the Identity Warehouse.
All actions connected to the identity warehouse are logged, tracked, and can be reported on. This granular level of functionality and control enables you to perform accurate, efficient, and easy auditing of all your systems.
For owners of non-inventoried systems, workflows are run to periodically import flat files of their data into the Identity Warehouse.
Easy for End User Recertification
The most common type of recertification is the manager’s annual recertification of employees’ access assignments.
Here, managers are presented with a list of their direct reports and their access assignments. The manager must then review each assignment and state whether access is appropriate and still required, or inappropriate and not required.
It sounds simple and easy, but a lack of automation and role-based access definition means that each user could have hundreds of individual access assignments, each of which needs to be reviewed.
This is not only laborious and time-consuming, but is also fraught with human error.
Research shows that the sheer number of recertifications involved forces many to just “rubber-stamp” access (in a “they had this access last year so they’ll need it next year” fashion). They, quite simply, do not have the time.
Unfortunately, for your organization, this is unacceptable, unnecessary, and poses unavoidable risk.
Instead, you can use an optimized and intuitive interface with which business users can quickly review their tasks.
This enables managers to easily distinguish between role assignments and individual non-role-assigned entitlements and to make quick, informed, and appropriate decisions.
We designed the EmpowerID interface in collaboration with business users to ensure that your annual recertification is more than a “rubber-stamp” exercise that puts your organization at unnecessary risk.
Rather, it becomes an important tool in your arsenal: a tool that enhances your organization’s overall security, reduces your risk profile, and meets all your regulatory compliance obligations.
Powerful Tools for Auditors
Ensuring the successful and timely completion of an audit is the responsibility of your internal IT audit team. It is also a key concern.
EmpowerID provides several tools to assist your auditors:
- Identity Analytics - EmpowerID’s automation and Identity Analytics help to ensure the timely and accurate completion of audits and reporting of results for both internal and external stakeholders.
- Notifications - audit participants are kept on task by flexible time-based email notifications and escalations throughout the entire process.
- Visual dashboards - auditors are also provided with visual dashboards to track organizational progress across multiple audits, as well as drill-down dashboards for their key audits.
- Metrics, Reports, and Stats - to simplify risk and access investigations, EmpowerID provides hundreds of analytic metrics, reports, and dashboard stats.
- Export - once the audit is complete, a flexible external-auditor-approved report can export the results, including all decisions and revocation actions, for external auditors to verify compliance.
Recertify All Your Critical Systems
In addition to recertifying your users, you must also be able to recertify your systems and applications.
The reality today, of course, is that enterprise risks are scattered across many Cloud and on-premise systems.
To easily recertify these requires the ability to connect to and consume their data. Unfortunately, with the disparate permission models and inheritance involved, it is not as easy as you would hope.
EmpowerID alleviates this by having one of the largest libraries of out of the box connectors for on-premise and Cloud systems.
Once connected, the EmpowerID inventory engine pulls in, maps, and stores these complex, system-specific permissions. They are then available in a single format for easy reporting, recertification, and so on.
Non-inventoried systems can periodically import their data into the Identity Warehouse for analysis.
Note: EmpowerID also integrates with ServiceNow so that it can also perform immediate revocation of access or open a ticket, etc.
Online or Offline Revocation Fulfillment
Fulfillment is the revocation of access in managed systems based on an audit decision.
In a recertification, task owners decide which access is appropriate and which is not. Removals can then either be processed immediately, or an optional review by the audit team (a Quality Check) can be performed first.
In either case, EmpowerID immediately actions removals sent for fulfillment via its configurable workflows and IGA connectors.
If the system is disconnected or “offline”, revocation requests are first batched as workflow tasks, and are then routed to the application or system owners that are responsible for maintaining access in those systems.
System owners can then either approve or certify that access has been removed manually in their system and, thereby, provide an audit trail.
When the next import of entitlement data takes place, this confirms the revocations were completed and also provides visible proof of the revocation in the audit report itself.
Micro or Risk-Based Recertification
Annual or quarterly recertifications are, at best, only a snapshot in time, providing a glimpse of the appropriateness or risk level of past events.
Unfortunately, the delay between this snapshot and today can lead to gaps in security where vulnerabilities go undetected and unremediated.
What your organization needs is a means of constantly monitoring systems for changes and then being able to automatically react and recertify, as required. This is exactly what EmpowerID does.
EmpowerID is workflow based and, in accordance with your own business policies, these workflows constantly monitor your organization’s systems for changes.
Microcertifications are immediate workflow tasks that are generated as soon as EmpowerID discovers an unapproved change in the membership of a critical group or application role.
When it detects these access or other event changes, it then triggers rapid, real-time “microcertifications” in response.
Because these are policy-based, EmpowerID understands the nature of these external changes and matches them accordingly. This includes unapproved changes that originated in the external system itself.
In this workflow, the security team or application owner can then decide to either certify this new request as appropriate and permit access, or decide it is inappropriate and immediately revoke access in the external system.
In either case, the decision is recorded for review during the next scheduled periodic audit.
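The two checks described above, confirming revocations against the next entitlement import and raising microcertification tasks for unapproved changes to critical group or application-role membership, can be reduced to one reconciliation over a campaign snapshot. The following is an added example, not EmpowerID code; the data shapes (per-user entitlement sets, the list of approved grants, the set of critical entitlements) and all sample users and group names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Reconciliation:
    """Outcome of comparing a campaign snapshot with a later entitlement import."""
    confirmed_revocations: set = field(default_factory=set)    # removed as decided
    outstanding_revocations: set = field(default_factory=set)  # still present after import
    microcertifications: set = field(default_factory=set)      # unapproved critical grants

def reconcile(snapshot, revoked, approved, latest, critical):
    """All inputs are assumed shapes, not a product data model.
    snapshot: {user: set(entitlements)} captured when the campaign started
    revoked:  {(user, entitlement)} the audit decided to remove
    approved: {(user, entitlement)} granted via an approved workflow since the snapshot
    latest:   {user: set(entitlements)} from the newest import
    critical: group / application-role names whose new members need a microcertification
    """
    result = Reconciliation()
    # 1. A revocation is confirmed only when the re-imported data no longer shows it.
    for user, ent in revoked:
        if ent in latest.get(user, set()):
            result.outstanding_revocations.add((user, ent))
        else:
            result.confirmed_revocations.add((user, ent))
    # 2. A critical entitlement that appeared since the snapshot without an
    #    approved workflow behind it is an unapproved external change.
    for user, ents in latest.items():
        for ent in ents - snapshot.get(user, set()):
            if ent in critical and (user, ent) not in approved:
                result.microcertifications.add((user, ent))
    return result

# Constructed sample data (not taken from any real system).
SNAPSHOT = {
    "alice": {"Domain Admins", "Finance-Readers"},
    "bob":   {"Finance-Readers", "Payroll-Approvers"},
    "carol": {"Finance-Readers"},
}
REVOKED  = {("alice", "Domain Admins"), ("bob", "Payroll-Approvers")}
APPROVED = {("carol", "Payroll-Approvers")}   # granted through an approved request
LATEST = {
    "alice": {"Finance-Readers"},                        # revocation completed
    "bob":   {"Finance-Readers", "Payroll-Approvers"},   # owner has not removed it yet
    "carol": {"Finance-Readers", "Payroll-Approvers"},   # approved change, no task
    "dave":  {"Domain Admins"},                          # added outside any workflow
}
CRITICAL = {"Domain Admins", "Payroll-Approvers"}

def sample_reconciliation():
    return reconcile(SNAPSHOT, REVOKED, APPROVED, LATEST, CRITICAL)
```

Running `sample_reconciliation()` on the sample data confirms alice’s revocation, leaves bob’s as outstanding for the system owner, and raises exactly one microcertification task, for dave’s unapproved Domain Admins membership.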
Role Mining Integration
Organizations need to perform role optimization. Without it, where access certification is required, managers are faced with the daunting task of certifying hundreds of individual technical entitlements per direct report.
A role optimization program can easily reduce the number of direct assignments by 80% and present managers with a compact list of business-friendly roles to certify.
You will be pleased to hear that EmpowerID comes with a powerful Role Mining engine. Recertification can leverage this engine to minimize the number of security roles, reduce administrative workloads, and streamline recertification campaigns.
The benefits of this are enormous: your security becomes more manageable, your organization’s risk profile is minimized, and both your auditors and your managers have reason to smile.