Arguably one of the most esoteric and cryptic topics to quite a number of IT and business management is the concept of governance and how it applies to identity and access. My approach to this blogpost is to present the information in a hopefully clear and concise manner.
What does Jane Doe do in the Org?
So where did identity governance come from? This topic became big perhaps when the Enron issue occurred and companies faced SOX audits. The auditors (I was a SOX auditor sometime in my career) would walk in and the 3 key questions they would ask are
- What controls do you have on your business critical transactions and applications?
- What is your governance model for identity and Access?
- How do you monitor or validate your controls?
IT management was baffled and rushed around to find answers to these questions. Expensive governance systems were purchased and attempts were made to develop a Role Based Access System (RBAC). We will discuss RBAC later and depending on the identity maturity level of the organization can be a challenging task. I have seen organizations talk about the need for an RBAC system for resource delegation but have not talked about what will be the identity governance model of the organization which is what the RBAC system will be built on. Build the foundation first (governance framework or model) and then the components of the model one of which is the RBAC system. I will follow this structured approach to the governance series.
Let’s start from the beginning
Identity is born when a new employee begins with the organization. This identity originates and is primarily controlled in the HR system of the organization. This HR based identity will be connected to the single central security system (via a single IDM system) which will house the security identity of the user. All other identity systems must receive identity information from the central IDM system. The central security system will provide access to resources in the organization.
Birth of Identity and Introduction of governance
Okay, identity is born when an individual joins an organization. Now, governance comes in. Governance means the policies and rules that control or guide the actions of individuals in an organization.
So here are the requirements we want to see in the governance model
- What can the individual do? Based on their role in the organization what is their expected deliverable and what resources do they need to do their work?
- How do we define roles in an organization and will the management structure be based on Roles or location?
- Who will manage a role and determine who has access to a Role?
- How can you validate that the individual is still functioning in that Role? If not, what is the exit control?
- Is all this access and approval tracked in a central system for reporting?
Identity (IDM) Governance Model
A governance model shows how a user is given a digital identity in the organization and how resources are provided to the user to carry out the assigned functions.
Here are individuals involved in the IDM governance model
HR: Creation of the employee record. Manage organization policies that impact employees. End of employee record.
Employee: Individual hired by the organization to complete a set of tasks. This could involve a single role or a set of roles.
Supervisor: Define and manage all tasks required for an employee. Obtain, review, approve all access and resources that the employee needs.
Role manager: Manage a role, define all the resources needed to complete all tasks defined for the role.
Role Approver: Approve access request for roles
IT system manager: Manage access requests to IT systems. Translate business roles to IT system equivalent. Implement employee policies in IT systems as defined by HR.
Compliance/security/audit: Monitor actions by employees. Review governance logs for compliance to organization and regulatory policies.
Governance Model key participants
The governance model I have created below shows
- Organizational Roles will be created based on the HR profile of the employee. HR remains the authoritative source of employee information and so should control the default roles of the employee.
- The Manager knows the more specific roles that would be assigned to the employee. The manager can go to a ticket system and request additional roles for the user. This might also involve access to applications that are not assigned to Roles.
- Compliance/Audit will have access to a database where they can see role approval, assignment, attestation campaign information.
Assumptions for this model
- MIM 2016 will be the IDM system of the organization.
- Roles will be created in MIM 2016.
- There will be synchronization of data between the ticketing system (e.g ServiceNow, Remedy) and MIM 2016.
- HR data is relatively clean, meaning it’s well-structured and rationalized.
- Employees refer to FTE and contractors.
- MIM 2016 will be the source of authority for the identity information for most applications
- Applications will use AD security groups for access. If they have internal groups then there is an external sync (could be scripted) between feed from MIM to AD security groups and then AD groups to the applications.
- Application AD security groups will be assigned to Roles.
More details will be provided as we proceed in the Governance series.