KuppingerCole Report
Advisory Note
By Warwick Ashford

Redefining Access Governance: A broader perspective

Traditional approaches to Access Governance are no longer fit for purpose due to the complexity of modern IT environments, increased security risk, and growing regulatory compliance requirements. A new risk-based and policy-based approach is needed to reduce the cost, effort, and complexity of overseeing and enforcing access entitlements, including access reviews and recertification.

1 Executive Summary

Reducing the risks associated with entities that have unnecessary access privileges has never been more important due to digital transformation, incre ...

2 Highlights

  • Access Governance is an important component of IT security and regulatory compliance.
  • Access Governance has never been more important, complex, an ...

3 Access Governance – An overview

Protecting an organization’s key digital assets from unauthorized access and providing evidence of that protection is an increasingly important disc ...

Typically, Access Governance is the combination of a set of essential building blocks supporting an enterprise in the processes of:

  • Modelling and ...

4 Typical Access Governance deployment today

Access Governance has been implemented in many enterprises as an important building block of overall governance capabilities, but few organizations ha ...

4.1 User and access life cycle management

The management of corporate identities and their access to resources is the combination of both IAM technology and the application of well-defined pr ...

4.2 Role management

Many organizations are developing and deploying roles without an overall role management process in place. As a result, role management is often focus ...

4.3 Access Request Management and Recertification

Manual controls based on attestation and recertification processes are important building blocks in corporate Access Governance systems. They form a m ...

4.4 Auditing and Automation

Several existing Access Governance systems have added auditing capabilities to inspect for compliance with internal controls, which include automated ...

4.5 Shortcomings of typical compliance-focused Access Governance Solutions

An appropriate entitlement recertification scheme is essential for meeting regulatory requirements. Evidence for having completed and documented the r ...

5 Redefining Access Governance

Beyond a strictly compliance-oriented regime, Access Governance needs to be redefined and redesigned to meet the changing requirements for Identity an ...

5.1 Improving existing Access Governance and recertification processes

With the first steps already made in many organizations, the following questions require appropriate answers to transform current Access Governance ap ...

5.1.1 Improving existing Access Governance and recertification processes

A growing number of applications within an organization implementing all kinds of business processes means that the number of roles and entitlements i ...

Applying a common set of criteria with an overall metric for the level of risk to all entitlements across your business is key for understanding an or ...

5.1.2 Time-limited assignment of high-risk access

Which brings us back to reducing and distributing the recertification workload: Once a risk-based approach as described above is in place, it has to b ...

5.1.3 Re-request instead of re-approval

Requesting an entitlement usually means asking for a privilege for an unlimited amount of time or at least until the next recertification deadline. Af ...

5.1.4 Event-triggered processes complementing scheduled reports

One of the key requirements for modern organizations is agility: the quick response to changes in business, the underlying organization, processes, se ...

5.2 Access Intelligence and Automation

It is obvious that these new types of checks cannot be executed manually. For many types of events this requires access to near real-time data or actu ...

5.2.1 Complementing Access Governance with Access Analytics and Access Intelligence

A variety of vendors provide appropriate tools to implement Access Intelligence functionality. The actual product design can vary. Several vendors hav ...

5.2.2 Continual analysis and new types of controls

Implementing Access Governance, Analytics, and Intelligence systems allows a new category of controls, based on the automated application of rules and ...

5.2.3 Quick win findings

Issues and risks that are otherwise difficult to identify are typical quick win findings when introducing Access Intelligence, which highlights:

  • A ...

5.2.4 Management and audit transparency through reports and dashboards

With Access Governance information being available on a daily or even up-to-the minute basis, a completely new quality of evaluations and reports is m ...

6 Considerations for future Access Governance

Since the introduction of most existing governance solutions, the Identity and Access Management environment has changed fundamentally. New roles, e.g ...

6.1 Dynamic Authorization Management

Dynamic Authorization Management (DAM) is aimed at simplifying access management by externalizing policy-based authentication and authorization decisi ...

6.2 Data Governance

Data Governance, formerly often referred to as “Entitlement and Access Governance (EAG)”, describes solutions that add support for fine-grained en ...

6.3 Privilege Management

Managing and monitoring elevated access rights is the domain of Privilege Management Systems. Internal users abusing their entitlements deliberately o ...

6.4 Integration into corporate GRC environments

With the scope and potential functionality of Access Governance and Access Intelligence architectures being substantially extended, the integration wi ...

6.5 IDaaS and federation

Adapting to changing Identity and Access Management requirements in many cases requires IAM to be available outside of the organization’s perimeters ...

6.6 Identity Fabric

In the light of the proliferation of identities and identity types that modern enterprises need to deal with, KuppingerCole Analysts recommends that o ...

In this context, we use the term “fabric” to describe a set of connected IT components that work together as a single entity. An Identity Fabric, th ...

Identity Fabrics are focused on delivering the APIs and tools required by the developers of the digital services to support advanced approaches to IAM ...

7 Recommendations

Compliance with regulatory requirements remains a key goal of Access Governance, but there is also much potential for improving overall security, comp ...

Copyright

©2020 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission has been obtained. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded back in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.