“You do not have the rights to access this file”, behind this simple message lies the result of a central security policy for companies: Identity and Access Governance (IAG). Indeed, compartmentalizing access to certain data can be a strong weapon in ensuring compliance with regulatory procedures or simply the security of company data. Proper allocation of rights and their periodic review do not hinder the company’s activity and take into account the needs of end users. The optimal result must be pursued as soon as Identity and Access Governance is in place: how can this be achieved?
Whether the decision to implement Identity and Access Governance is the result of a recommendation following an audit or the implementation of a regulation (e.g. RGPD…), it is imperative that the concerned business lines are involved from the scoping phase. The objective of IT security or compliance will obviously continue to be a priority and the inclusion of end-users will make them aware of the stakes and constraints. The chosen solution will thus remain operational on a day-to-day basis. The involvement of the business lines is materialized during the framing and analysis phase so that the issues and priorities of each of the stakeholders can be collected in a cross-checked manner. Another relevant tool consists of drawing up dictionaries of clearly expressed technical rights for the business lines in order to translate the technical codes into understandable wording. And, as the implementation of Identity and Access Governance goes hand in hand with changes in the processes (how profiles are drawn up, how access is reviewed and controlled, etc.), this early involvement of the business lines makes it possible to give the players a sense of responsibility and to prepare the way for the inherent changes.
The other guarantee of the successful implementation of a successful IAG remains to rely on dedicated tools in all phases of the project, from the phase of analysis of existing raw data to the phase of periodic review of the accesses given. The implementation of a flexible solution and an iterative approach quickly proves to be beneficial. Indeed, following the phase of inventorying existing identities and access (profile analysis), it will be necessary to propose a translation of the governance through a dedicated solution. This means agreeing on functionalities and settings that can be more numerous (consequence of a flexible solution to be able to respond to different needs). By adopting an iterative approach, the exercise is more serene for everyone. A good practice that is often adopted consists of quickly proposing an initial version of the solution’s configuration, presenting it concretely and visually to users and collecting their comments, then incorporating them into a forthcoming revision of the tool’s configuration. By proposing iterative versions in this way, the product is built with the users. The solution’s set-up modification cycles must follow the principles of Agility and be relatively short in order to keep all the stakeholders involved and to deliver results that are as close as possible to the users’ needs. The principles of iteration must also be integrated into the approach for deploying the solution on the company’s IT ecosystem. It is preferable to start with a limited scope of applications and extend it in successive batches following a roadmap. The introduction of the first applications within Identity and Access Governance will allow the first user feedback to be collected and continuously improved for further deployment.
As IT security has become everyone’s business, executive management is increasing the number of projects related to process security. With new and lighter methodologies, more flexible solutions and an educational and inclusive approach, these projects can become effective triggers for spreading awareness to security issues. It is also an opportunity to enhance the value of the operational stakeholders in redefining part of their recurring processes.
Tribune written by Alexandre Huynh-Van-Loc, senior consultant at Kleverware