June 8, 2016 By Fabio Sobiecki 3 min read

Identity governance comes along after organizations have already begun implementing identity and access management (IAM) tools and processes. Because it comes later in the IAM project, you are forced to organize and establish a new order to a working environment. It also means you will have to pull some people out of their comfort zone to create a better process for the company.

This may be a challenge, and the disconnect can lead to project failures. A good communication plan, with a clear timeline and project goals, can help. But how can you avoid a project failure altogether?

From Nothing to State-of-the-Art

You may want to spearhead a legendary identity and access project. You demand that everything be perfect and aligned to best practices — and then you fail.

But you would probably be successful if you evolved at each step. Start with the core systems where fraud can drastically affect your company. Once you have established a framework to better understand the target system, collect and mine system roles. This allows you to establish access roles and apply all the changes to an environment to increase your odds of success.

Some Rules Aren’t Set in Stone

Most of the time, operating under the “need-to-know” rule of information security is the right call: Give people the minimum level of access they need to do their jobs. But with identity governance strategies, you probably need to be more flexible.

It is common to have a role that will fit multiple employees, which will likely grant some rights that an employee truly doesn’t need to have. You must find this normal. If you can’t do that, it is better to have individualized roles for each employee and assign access to only that one person.

A word of warning: If you are not flexible, you will work hard. I’ve seen companies with 3,000 users and 5,000 roles.

Collaborate More

As you may have already discovered, you cannot do this project alone. Since the system in question is already working and integrated into existing IAM solutions, you have to operate as an organized society.

You will need to ask — and in some cases beg — to managed systems like your SAP to have access to their roles. This is like asking Gollum to hold his ring. So be careful in this interaction; explain you are not trying to take their precious but instead are helping them better manage access to the asset.

Think Practically for Identity Governance

I have noticed some failed strategies were doing well up to moment where you turn the key for daily operation. The roles were well-established, but the world is unstoppable. Organizational changes, as well as systems arriving and leaving, made excellent work disappear.

Even more than access review, when you check who has permissions, you should establish some cycle of role review to make sure that role makes sense for the organization and is still working from an information security standpoint. Don’t forget to nominate role owners to raise any relevant changes or questions to the information security team.

Build Toward Separation of Duties

Closer to the end of your implementation will be the holy grail: separation of duties (SoD). Most project goals include achieving this status, but sometimes we are so excited for it that preliminary tasks are forgotten. Don’t let the final goal break everything. Be patient and keep calm. SoD success depends on a very good access model implementation.

Look to the Future

The future of access modeling looks good. New initiatives such as user-managed access (UMA) were described by Gartner’s Hype Cycle for Identity and Access Management Technologies, 2015. According to UMA specifications, in the future, users will manage access by themselves by simply fulfilling requirements from target systems. In other words, the system has minimum requirements that users must meet to gain access.

Imagine a world without roles — or imagine a world where the expansion of cognitive computing provides a way for a computer to evaluate access and roles. Future technologies may help you, but you’ll need some kind of workaround for today.

Keep It Simple

Identity governance tools should be used to help you to achieve your goal — not to explore all possible product features. Most of the time, the features available don’t fit all your needs. However, some people believe they need to have everything working. If your roles are stable, you won’t need all these capabilities.

This should be your project vision: Keep it as simple as possible. Fewer roles lead to better management and operations. If some systems at your company are secondary, leave it for a second phase or keep it out of your scope.

Read the white paper: Protect your critical Assets with Identity Governance

More from Identity & Access

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today