Securing the Digital World

When Identity Governance Gets Tough, the Tough Get Help

Mar 07, 2018 | by Tim Norris

There’s no getting around it: Identity governance and administration can be challenging and complex components of IT security. Whether it’s carrying out “Joiners, Movers, Leavers” processes, handling access requests, doing access review certifications or taking on any of a number of other governance-related responsibilities, it can often seem like there are a dozen different ways to approach the work at hand, and very little clear guidance for what might be the best approach. And, of course, “best” is a relative term that can mean something different to different organizations, adding even more complexity to the scenario.

Technology helps by bringing automation and standardization to identity governance and administration. But the greatest value comes in knowing how to use that technology to its greatest advantage. That’s why, through many years of helping organizations with identity governance and administration projects, RSA has developed recommended practices for various governance challenges that organizations can apply to their own situations to streamline the work and lighten the load. Here are three examples of RSA-recommended practices for identity governance and administration processes.

Joiners, Movers, Leavers: These recommended practices facilitate moving effectively through the identity lifecycle, from the time someone joins an organization, to the time they spend in different roles there, to the time they leave and possibly even rejoin. RSA offers recommended practices for evaluating data sources, identifying user data that specifically supports identity management and defining the processes associated with the identity lifecycle (such as keeping track of key milestones like start, transfer and leave dates).

Access Requests: Recommended practices for handling access requests include putting controls in place that will make it easy to move quickly and flexibly on requests, with the aim of providing convenient access to resources while still protecting the business. These recommended practices simplify the access request process by breaking it into categories (planning, governance, remediation and automation). Within each category is specific guidance for creating measures of effectiveness, regularly updating ownership of processes and approvals, and other recommended practices.

Access Certifications: We explored in a previous post the challenges associated with access certification reviews and how technology can be designed to help address them. Recommended practices in this area help ensure organizations make the most of that technology. They include assessing how data is collected and verified for certifications, determining the most effective methods of getting user data, establishing parameters for revoking access, deciding how to measure compliance and many more. RSA also offers a checklist of roles, activities and issues to watch for in the access certification process.

At RSA, we’re always looking for ways to make identity governance and administration easier for identity managers and business owners. In addition to recommending practices like the ones described here, we’ve also recently introduced a variety of pre-packaged implementation offerings for off-the-shelf technology solutions from RSA in this area. Visit us online to learn more about these and other highlights of the latest release of RSA® Identity Governance & Lifecycle.