This is follow-up to a previous article about access management. Be sure to read that first installment for the full story.
When you have several heritage access management or access governance tools spread throughout the corporation, the view of an employee’s access is splintered. When security solutions are siloed, owners of applications and purveyors of shadow IT within the business unit often fend for themselves by creating spreadsheets, scripts and programs. They also worry about conforming to policies and maintaining compliance to pass internal and external audits.
To shine a light on this disjointed access data, employees, managers, security professionals, application owners and auditors need a single view of all accesses throughout the organization.
A Consolidated View of Actionable Access Data
When presented on a single pane of glass, this access data is powerful. It helps employees understand their privileges and enables them to track their own requests and approvals. It also helps managers and, in same cases, application owners control access and determine what level of access to grant employees.
With a consolidated view of access data, organizations can move from simply seeing data to acting on it. Actionable dashboards enable security teams to bring visibility to otherwise hidden data, which is the first step toward access management transformation.
For managers, application owners and employees alike, user experience can be a double-edged sword. Many employees cite lack of a single tool to view access data as a key pain point. The need to use several disparate access management tools is not conducive to productivity. Furthermore, a fatigued user experience can lead employees to adopt alternate access methods that may be insecure.
A Manager of Managers
To consolidate this disjointed access data into a single pane of glass, we created a manager of managers model. We integrated heritage access management tools via connectors and simple file transfer methods to our centralized access platform. The critical step here is to design a many-to-one data model.
We avoided boiling the ocean. Being surrounded by agile gurus and true practitioners, we used small, iterative steps to achieve our goal. We knew it would be hard to come up with a model that would never change, so we made sure our data model, while being well-managed and suited to fit most of the heritage tool’s requirements, remained flexible. Flexibility can be both a boon and curse, however, because with greater flexibility comes greater responsibility.
Transformation should not be merely a lift-shift process — it must improve upon the data quality and, especially, the process. To boost data quality, the security team should question entitlements, roles and groups, representing only the best and most useful. For example, the team can improve the process by reducing the number of steps required to request access. The final step is to introduce new functionalities, such as risk-based access controls.
Ensuring a Silent Access Management Transformation
To ensure a nondisruptive, or silent, transformation, the first step is to represent the access data from heritage tools in the centralized access platform. Then create a connector using the access management platform as a one-stop shop to view all accesses. Next, build two-way connectors to heritage access management tools. This enables the platform to process access requests and send the data back to the heritage tools.
Once users begin to use this platform for all their access-related needs, unplug applications from the heritage tools and move them to the new platform. This virtually seamless transition achieves our silent transformation goal.
Stay tuned for the third installment, in which we will discuss the next steps in your access management transformation, such as managing security’s impact on the business and introducing risk-based access controls into the environment.