H2FY20 8 Best Practices for Identity and Access Management
problems. Implementing a “request and approval” workflow provides an efficient way to manage and document change. A self-service user interface (often web-based) enables users to request permission to access the resources they need. Data owners and custodians can respond to these requests, helping the business ensure appropriate access, while removing IT from the decision-making role in permissions management.
You might begin by defining different kinds of permission sets, each with its own workflows. This enables different kinds of data and tasks to be treated appropriately, depending upon their sensitivity. Take the time to define who can control that list of services, who is responsible for managing workflow designs, and so on. For example, financial data might require more extensive approvals when changing permissions than company-wide information (such as details about the next company picnic), which might be changed with relatively little workflow required.
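The tiered workflow described above, as an added example that is not One Identity code: each permission set carries an ordered approver chain whose length depends on the sensitivity of the data, only the next approver in the chain can act (so an IT administrator who is not a data owner cannot grant the access), and every decision is appended to an audit trail so the change is documented. The catalogue, people and permission-set names are constructed for the example.

```python
"""Tiered request-and-approval workflow for access requests (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DENIED = "denied"


@dataclass(frozen=True)
class PermissionSet:
    name: str
    sensitivity: str
    # Ordered (role, accountable user) pairs; every one of them must approve.
    approvers: tuple


@dataclass
class AccessRequest:
    requester: str
    permission_set: PermissionSet
    justification: str
    status: Status = Status.PENDING
    decisions: list = field(default_factory=list)  # audit trail of each decision


# Constructed catalogue: financial data needs three sign-offs, the
# company-picnic page needs only its data owner.
CATALOGUE = {
    "finance-ledger-read": PermissionSet(
        "finance-ledger-read", "high",
        (("data_owner", "carol"), ("finance_manager", "dave"), ("security_officer", "erin"))),
    "intranet-news-edit": PermissionSet(
        "intranet-news-edit", "low", (("data_owner", "bob"),)),
}


def submit(requester, set_name, justification):
    """Self-service entry point: the requester picks a permission set by name."""
    return AccessRequest(requester, CATALOGUE[set_name], justification)


def next_approver(req):
    """Return the (role, user) pair whose approval is still outstanding, or None."""
    done = {d["role"] for d in req.decisions if d["approved"]}
    for role, user in req.permission_set.approvers:
        if role not in done:
            return role, user
    return None


def decide(req, actor, approve, note=""):
    """Record one decision. Only the next approver in the chain may act, which
    keeps IT out of the decision-making role unless IT owns the data."""
    if req.status is not Status.PENDING:
        raise ValueError(f"request already {req.status.value}")
    role, user = next_approver(req)
    if actor != user:
        raise PermissionError(f"{actor} is not the pending approver ({role}: {user})")
    req.decisions.append({
        "role": role, "actor": actor, "approved": approve, "note": note,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    if not approve:
        req.status = Status.DENIED
    elif next_approver(req) is None:
        req.status = Status.APPROVED
    return req.status


if __name__ == "__main__":
    req = submit("alice", "finance-ledger-read", "month-end close")
    for approver in ("carol", "dave", "erin"):
        print(approver, decide(req, approver, True).value)
```

The approver chain is data, not code, so adding a new permission set or lengthening the chain for a more sensitive one is a catalogue change that the people who own the list of services can make without touching the workflow engine.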
5. Automate provisioning
You need to manage new users, users who leave the organization, and users who move or are promoted or demoted within the organization. Provisioning, deprovisioning and re-provisioning are often time-consuming manual tasks, and automating them can not only reduce overhead but also reduce errors and improve consistency.
These provisioning tasks typically involve connections to numerous systems, including email, ERP and databases. Prioritize these systems so that the most important and visible ones can be automated first, and clearly define and document the flow of data between these systems and your identity management toolset. Focus first on automating the basic add/change/delete tasks for user accounts, and then integrate additional tasks such as unlocking accounts.
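The joiner/mover/leaver flow from the two paragraphs above, as an added example that is not One Identity code: the HR feed is treated as the authoritative source, job roles map to per-system entitlements, and the planner diffs that desired state against a snapshot of each target system to produce the basic add/change/delete actions, walking the systems in the priority order you define and handling leavers before joiners within each system. The feed, role map and system snapshot are constructed.

```python
"""Joiner/mover/leaver provisioning plan across prioritized target systems
(added example)."""

# Constructed authoritative HR feed: alice joined, bob moved from sales to
# engineering, carol left.
HR_FEED = {
    "alice": {"status": "active", "role": "accountant"},
    "bob": {"status": "active", "role": "engineer"},
    "carol": {"status": "terminated", "role": "sales"},
}

# Role -> target system -> entitlements the role should hold there.
ROLE_ENTITLEMENTS = {
    "accountant": {"email": {"mailbox"}, "erp": {"gl_read", "ap_post"}, "db": {"fin_reader"}},
    "engineer": {"email": {"mailbox"}, "db": {"dev_rw"}},
    "sales": {"email": {"mailbox"}, "erp": {"crm_read"}},
}

# Constructed snapshot of what each target system currently holds.
TARGET_STATE = {
    "email": {"bob": {"mailbox"}, "carol": {"mailbox"}},
    "erp": {"bob": {"crm_read"}, "carol": {"crm_read"}},
    "db": {"bob": set()},
}

# Most important and visible systems first, as the brief recommends.
SYSTEM_PRIORITY = ["email", "erp", "db"]

# Within a system, remove access for leavers before granting new access.
ACTION_ORDER = {"delete": 0, "change": 1, "add": 2}


def desired_state(hr_feed, role_entitlements):
    """Derive system -> user -> entitlements from active HR records only."""
    desired = {}
    for user, record in hr_feed.items():
        if record["status"] != "active":
            continue  # leavers get no desired entitlements anywhere
        for system, ents in role_entitlements[record["role"]].items():
            desired.setdefault(system, {})[user] = set(ents)
    return desired


def plan_actions(hr_feed, role_entitlements, target_state, priority):
    """Return ordered (system, action, user, detail) tuples for the connectors."""
    desired = desired_state(hr_feed, role_entitlements)
    actions = []
    for system in priority:
        have = target_state.get(system, {})
        want = desired.get(system, {})
        for user in sorted(set(have) | set(want)):
            if user not in have:
                actions.append((system, "add", user, sorted(want[user])))
            elif user not in want:
                actions.append((system, "delete", user, sorted(have[user])))
            elif want[user] != have[user]:
                actions.append((system, "change", user, {
                    "grant": sorted(want[user] - have[user]),
                    "revoke": sorted(have[user] - want[user]),
                }))
    # Stable sort keeps alphabetical user order within each system/action.
    actions.sort(key=lambda a: (priority.index(a[0]), ACTION_ORDER[a[1]]))
    return actions


if __name__ == "__main__":
    for step in plan_actions(HR_FEED, ROLE_ENTITLEMENTS, TARGET_STATE, SYSTEM_PRIORITY):
        print(step)
```

Because the plan is computed rather than typed, a mover such as bob gets exactly the entitlements of the new role and loses the ones of the old one, which is the class of error manual re-provisioning tends to miss.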
6. Become compliant
Many companies are now affected by one or more industry or governmental regulations, and your identity management system can play a central, beneficial role in helping you to become and remain compliant. You’ll need to focus on clearly defining and documenting the job roles that have control over your data, as well as the job roles that should have access to auditing information. Define compliance rules step by step, and assign each step to a responsible job role. Integrate rule checking in your identity management system and workflow operations to help automate remediation of incorrect actions; this will help improve consistency and security as well as compliance.
7. Check and recheck
In a well-designed identity management system, permissions are typically assigned to job roles rather than to individuals, but organizations are still likely to simply assign permissions as needed and never review them again. This practice invites security risks.
With One Identity Manager, identity management can finally be driven by business needs, not simply by what IT can do.
Permissions require periodic recertification—you need to review who has access to what and determine whether or not they should still have those permissions. Define job roles within your organization that can recertify permissions, such as system owners, managers, information security officers and so forth. Recertification can be defined in a workflow in which data owners and custodians review a current permission set and verify the accuracy (or inaccuracy) of that set. The idea is to regularly make sure that the roles and people who have permissions to resources should continue to have those permissions.

This process should also include recertification of job role membership to ensure that the users assigned a given job role are still performing that role within the organization.
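The recertification workflow from the two paragraphs above, as an added example that is not One Identity code: permissions whose last certification is older than the review period are routed to the resource owner, every job-role membership is routed to the role's manager, and when the campaign closes anything the certifier did not explicitly confirm is revoked, so an ignored review removes access rather than silently keeping it. The resources, grants, roles, dates and review period are constructed.

```python
"""Recertification campaign for permissions and job-role membership
(added example)."""
from datetime import date, timedelta

# Resource -> accountable owner (data owner or custodian).
RESOURCES = {"erp:gl_read": {"owner": "carol"}, "db:fin_reader": {"owner": "dave"}}

# Current permission set with the date each grant was last certified.
GRANTS = [
    {"user": "alice", "resource": "erp:gl_read", "last_certified": date(2023, 1, 10)},
    {"user": "alice", "resource": "db:fin_reader", "last_certified": date(2023, 6, 1)},
    {"user": "frank", "resource": "erp:gl_read", "last_certified": None},  # never reviewed
]

# Job roles, the manager who certifies membership, and current members.
ROLES = {"accountant": {"manager": "erin", "members": {"alice", "frank"}}}

# Constructed campaign date and review period.
TODAY = date(2023, 9, 1)
PERIOD = timedelta(days=180)


def permission_due(grant, today, period):
    """A grant is due when it was never certified or the stamp is too old."""
    last = grant["last_certified"]
    return last is None or today - last > period


def build_campaign(grants, roles, resources, today, period):
    """Create review items, each addressed to the person who must certify it."""
    items = []
    for g in grants:
        if permission_due(g, today, period):
            items.append({"kind": "permission", "certifier": resources[g["resource"]]["owner"],
                          "user": g["user"], "target": g["resource"]})
    # Role membership is reviewed every campaign, regardless of age.
    for role, info in roles.items():
        for member in sorted(info["members"]):
            items.append({"kind": "role_membership", "certifier": info["manager"],
                          "user": member, "target": role})
    return items


def close_campaign(items, attestations):
    """attestations maps (kind, user, target) -> True/False.
    Missing or False means revoke (fail closed); True means recertify."""
    revoked, confirmed = [], []
    for item in items:
        key = (item["kind"], item["user"], item["target"])
        if attestations.get(key, False):
            confirmed.append(key)
        else:
            revoked.append(key)
    return revoked, confirmed


if __name__ == "__main__":
    campaign = build_campaign(GRANTS, ROLES, RESOURCES, TODAY, PERIOD)
    for item in campaign:
        print(item)
```

Splitting the items by certifier is what lets the campaign be delivered as a workflow task per data owner or manager; the fail-closed rule in `close_campaign` is the part worth keeping even if everything else is replaced by a product.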
8. Manage roles
Permissions are best assigned to job roles rather than to individuals. Making those roles correspond to real-life job tasks and job titles is a powerful way to manage identities and access over the long term. A certain amount of inventorying and mining will be needed to accurately identify the major roles within your organization, based at least in part on the resource permissions currently in force. Through a user self-service IT shopping cart, users request access to the appropriate resources and services. This way, a user can request access to “non-personal human resources information” (for example) without needing to understand the underlying technical details required to make that happen. Once a user places such a request, the owner or custodian of the affected data has the opportunity to review and either approve or deny the request—taking IT out of the permissions management loop entirely.

You’ll also need to define who will manage these roles in order to ensure that roles are created,
Figure 1. One Identity Manager provides comprehensive yet simplified identity and access management, which enables organizations to follow the eight best practices for IAM outlined in this brief. (Figure elements: Corporate, HR, Control objectives, Workflows, Policies, One Identity Manager, Auditor reporting, Compliance dashboards; connected systems: directories, email systems, ERP systems, Windows-, Unix- and Mainframe-based resources.)