What is access governance? A brief deep dive
Access governance is the evolution, the next great step if you will, in the identity and access management world. It is a more robust, holistic approach to managing user access, network shares and permissions, and it allows organizations to peer easily into the entire goings-on of an organization. Access governance is like king of the hill, where the view is long and clear and there’s little that can knock it down.
Computer Weekly describes access governance as “governing who has access to what within an organization.” That’s a bit of a thin description once you get into the details, but it’s a good start. The magazine describes access governance as a strategy that is “much stronger” than “access management” since “governance” implies that the control of access is driven by policy as well as procedure. Fair enough.
First, some background. Those of us in the identity and access management – and now the access governance – game know that there’s been a great deal of advancement and evolution in this sector in recent years.
While the solutions have done a great deal to enhance security, automate operations and manage compliance and audits, among other tasks, and have allowed IT leaders to tick off boxes on their checklist of needs, they are quite singular in their approach. In a sense, the visibility into the entirety of the organization simply is not there across all systems. We, our clients and users of IAM solutions are discovering that they need more visibility into who can access their key resources and how.
Access governance simply (or not so simply) provides a broader level of oversight and accountability than is typically afforded to system administrators. Accounts configured or created, access rights assigned, or solutions used by users can all be tracked, organized and managed. Via Active Directory, for example, access governance means managers can view all accounts from a single vantage point.
What this means is that IT managers can pull together an organization’s information, such as who has accounts on what systems, when those accounts were last used, what the accounts enable the account holders to do, and who has responsibility for approving the access provided, all while making it accessible and viewable from one place.
From there, users can “spot vulnerable accounts and cases of excessive access” — and determine what to do to resolve any potential issues found. You also have a basis from which to perform periodic effective account reviews — one of the underpinnings of good security — and to make ongoing decisions about who should retain, lose, or be granted access.
Access governance technology allows for tracking accounts on all kinds of systems: access to applications, databases, shared file systems, data centers, access control, backups, privileged passwords, network devices, and printers. The larger and more complex an organization is, the more difficult it is to control everything in it. The goal of access governance is to provide you that view and that control in a way that is easier to manage.
Access governance systems also show you a point of view from every system, an overview image that can be taken to the granular level if required. In so doing, you can review accounts on particular systems or applications and you can examine individual employees and review their access to various resources. You can schedule access reviews and then track when they are complete. In some cases, you can automate account closures and access requests, making sure these activities are approved by the proper people.
Access governance addresses “privilege creep” (when individuals change responsibilities, but don’t shed accesses that are no longer appropriate), stale accounts (accounts that remain after their owners leave the organization), orphans (accounts that don’t seem to “belong” to anyone), and shared accounts with no one individual answerable for their use.
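The four conditions named above can be expressed as checks over an account inventory joined with an HR roster. The following is an added example, not code from this article or from any access governance product; the account names, roster, and per-role entitlement baseline are constructed assumptions.

```python
# Constructed sample data: HR roster, role baseline and account inventory.
HR = {
    "alice": {"active": True, "role": "finance"},
    "bob": {"active": True, "role": "engineering"},   # moved over from finance
    "carol": {"active": False, "role": "engineering"},  # has left the organization
}
# Assumed policy: entitlements each current role is approved to hold.
ROLE_ENTITLEMENTS = {
    "finance": {"erp:read", "erp:post"},
    "engineering": {"git:write", "ci:deploy"},
}
ACCOUNTS = [
    {"id": "erp/alice", "owner": "alice", "shared": False,
     "entitlements": {"erp:read", "erp:post"}},
    {"id": "git/bob", "owner": "bob", "shared": False,
     "entitlements": {"git:write", "erp:post"}},
    {"id": "git/carol", "owner": "carol", "shared": False,
     "entitlements": {"git:write"}},
    {"id": "db/svc_report", "owner": None, "shared": False,
     "entitlements": {"db:read"}},
    {"id": "fs/helpdesk", "owner": None, "shared": True,
     "entitlements": {"fs:write"}},
]

def review(accounts, hr, role_entitlements):
    """Return {account id: [flags]} for accounts that need attention."""
    findings = {}
    for acct in accounts:
        owner = acct["owner"]
        person = hr.get(owner) if owner else None
        flags = []
        if acct["shared"] and person is None:
            # Shared account with no individual answerable for its use.
            flags.append("shared-unaccountable")
        elif person is None:
            # Account that does not belong to anyone on the roster.
            flags.append("orphan")
        elif not person["active"]:
            # Account that remains after its owner has left.
            flags.append("stale")
        else:
            # Access beyond what the owner's current role is approved for.
            allowed = role_entitlements.get(person["role"], set())
            excess = acct["entitlements"] - allowed
            if excess:
                flags.append("privilege-creep:" + ",".join(sorted(excess)))
        if flags:
            findings[acct["id"]] = flags
    return findings

if __name__ == "__main__":
    for account_id, flags in review(ACCOUNTS, HR, ROLE_ENTITLEMENTS).items():
        print(account_id, flags)
```

Each flagged account still needs a human decision from whoever approves access: retain, revoke, or reassign.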
Access governance also allows IT leaders the ability to perform security audits so they can review the entire system, see access points and address any problems that arise.
As access governance use grows and evolves in the identity and access management world, it gradually envelops and supplants identity management. Access governance is more robust than former identity management solutions and, as outlined here, allows organizations to peer easily into the entire goings-on of an organization. Access governance is the king of this hill, and the long view of things seems to suggest its reign will be long-lived.