1 Executive Summary

Reducing the risks associated with entities that have unnecessary access privileges has never been more important due to digital transformation, increased cyber-attacks, and the growing number of security and privacy regulations around the world.

Access governance (AG), therefore, is an increasingly important aspect of information technology (IT) security management as organizations seek to comply with regulatory requirements and manage all access-related risk in a more strategic and comprehensive way.

However, credential theft is a top tactic for cyber attackers to breach IT security and there is a growing number of identities, both human and non-human, that have associated access rights. As a result, Access Governance has also never been more challenging.

Traditional approaches to Access Governance that are based on static, application, and role-based access rights and manual recertification processes are inadequate for enabling companies to ensure that everything and everyone has all the access that is needed for the business to function, while at the same time ensuring that there are no unnecessary entitlements exposing the company to unnecessary access-related risk. Manual processes cannot cope with the volume and complexity of access entitlements in most modern, hybrid IT environments. For this reason, traditional approaches to Access Governance are also inadequate when it comes to the goal of reducing the cost and effort involved in allocating, enforcing, reviewing, and recertifying access rights.

Organizations need to change their approach to Access Governance to ensure that as many processes as possible are automated, and that access reviews and recertification processes are simple and easy for business managers to understand. This can be achieved by reducing the number of approvals required and focusing on the entitlements with the greatest associated risk.

Organizations need to move beyond large, manual recertification campaigns. These are challenging because those tasked with the recertification process are typically confronted with huge matrices of entitlements expressed in technical terms rather than in terms of processes and activities that business managers understand. This makes it difficult for business managers to make good decisions about which entitlements to approve, revoke or modify.

This advisory note identifies the strengths and weaknesses of traditional Access Governance solutions, outlines the new and emerging challenges facing Access Governance, and examines the role of new technologies for collecting and analyzing access data in real time to enable automated and ad-hoc evaluation of policy-based and risk-based rules to meet modern Access Governance requirements.

Forward-looking organizations should re-define Access Governance to go beyond static entitlements in systems, applications, and services to include the governance of all types of access at all levels, including devices, networks, and data with the support of real-time analytics using Machine Learning and other Artificial Intelligence (AI) technologies.

This broader definition will ensure that attention is given to applying policy-based governance to Identity risk, Data risk, and Enterprise Risk, including IT and Access Risk. All these aspects of Access Governance should be supported by a set of tools that enforces a set of centrally defined access policies on premises, in the cloud, and across managed services.

This approach will further future proof the business by supporting the Zero Trust security model by enabling Access Governance for all data, systems, and applications, making Access Governance a strategic part of corporate governance and proactive security management.