
Leveraging NetIQ for Identity Governance Gaps (Part 3 of 3)

by   in Cybersecurity

As discussed in my previous blogs, Assessing Your Access Governance Capabilities and Addressing Your Governance Gaps, NetIQ’s full-platform approach offers notable advantages to organizations as they work toward their identity and access objectives. Far lighter than the big enterprise suites, NetIQ has always allowed IT teams to be nimbler in their approach to identity management. At the same time, NetIQ offers a broader portfolio than the point vendors, and its components are designed to work together. For example, you can feed risk information from NetIQ Identity Governance (IG) into the NetIQ Risk Service so that the inherent risk of both the resource and the user is weighed as data is being accessed. This integration offers far greater risk assessment fidelity than evaluating either in isolation, as well as the ability to automate a response to protect the organization being threatened.

The same can be said for using NetIQ products to meet the NIST identity governance goals your organization may have. For example, IG is greatly enhanced by Identity Manager’s (IDM) event-based connectors, which interact with identity stores in a publish/subscribe model: a change in a connected store is published as an event and evaluated against policy immediately, rather than waiting for a scheduled reconciliation. This lets IDM enforce governance policies more promptly than polling-based solutions. Even for identity stores not integrated directly through IDM, access information from Access Manager can be used to kick off an automated micro-certification to verify that the correct level of permissions is in force.

Developing the Best Least Privilege Model

As with any organization-wide implementation, successful development of a valid and comprehensive foundation of permission policies depends heavily on commitment from management at the top. It takes their sponsorship and prioritization to get the required information, and to get business owners to participate and focus on evaluating the services they provide, so that access criteria can be organized and defined.

Your team’s first step is to use IG’s definition template to create application entities that allow you to collect application and resource information. Your team can then arrange the consumers of those resources into logical entities in the form of roles. After this phase is done, your stakeholders can use this information to define business roles, and then the rules that control permissions for each resource.

Raising the Effectiveness of Your Roles

Well-defined roles simplify risk and compliance assessment for the governed environment because they are the underpinning for defining what the standard allocation of permissions is. IG simplifies what can quickly become an overwhelming task by filtering down to only the information relevant for identifying people within the same business function. This information can be used to determine the baseline of what users should have access to and whether they can request that access without additional approval. IG does this by consolidating relevant information through role mining tools that enable you to define a more capable model. You are able to do this by seeing across your entire organization and identifying where people have relevant similarities:

  • After you have collected the data into IG, search what you have for users with similar attributes, a similar location, or the same department.
  • Within IG, experiment with the different parameters that are assessed, and use that information to refine your policies.
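The role-mining step described above, as an added worked example that is not IG’s own code or data model: a small Python script over a constructed identity snapshot that groups users by chosen attributes, proposes the permissions held by most of a group as that group’s baseline, and lists the one-off permissions that fall outside it. The user records, the attribute names and the 75% threshold are assumptions for illustration; changing `group_by` shows how a finer grouping changes the proposed baseline.

```python
"""Role mining over a constructed identity snapshot (added example).

Groups users by business attributes and proposes, for each group, the
permissions held by enough members to count as that group's baseline.
Every record below is constructed sample data, not an export from
Identity Governance.
"""
from collections import Counter, defaultdict

# Constructed snapshot: identity, business attributes, permissions held.
USERS = [
    {"id": "u01", "dept": "finance", "loc": "nyc", "perms": {"erp.view", "erp.post", "vpn"}},
    {"id": "u02", "dept": "finance", "loc": "nyc", "perms": {"erp.view", "erp.post", "vpn"}},
    {"id": "u03", "dept": "finance", "loc": "nyc", "perms": {"erp.view", "vpn", "payroll.admin"}},
    {"id": "u04", "dept": "finance", "loc": "lon", "perms": {"erp.view", "erp.post", "vpn"}},
    {"id": "u05", "dept": "eng", "loc": "nyc", "perms": {"git", "ci", "vpn"}},
    {"id": "u06", "dept": "eng", "loc": "nyc", "perms": {"git", "ci", "vpn", "prod.ssh"}},
    {"id": "u07", "dept": "eng", "loc": "nyc", "perms": {"git", "ci", "vpn"}},
    {"id": "u08", "dept": "eng", "loc": "nyc", "perms": {"git", "vpn", "erp.post"}},
]


def mine_roles(users, group_by=("dept",), threshold=0.75):
    """Return {group_key: {"members": [...], "baseline": {perm, ...}}}.

    A permission enters a group's baseline when at least `threshold` of
    the group's members hold it. `group_by` selects the attributes that
    define a candidate role; vary it to refine the model.
    """
    groups = defaultdict(list)
    for user in users:
        groups[tuple(user[attr] for attr in group_by)].append(user)
    roles = {}
    for key, members in groups.items():
        counts = Counter(perm for m in members for perm in m["perms"])
        needed = threshold * len(members)
        baseline = {perm for perm, n in counts.items() if n >= needed}
        roles[key] = {"members": [m["id"] for m in members], "baseline": baseline}
    return roles


def outliers(users, roles, group_by=("dept",)):
    """Permissions each user holds outside their candidate role's baseline.

    These are the one-offs that need an owner's decision rather than
    an automatic grant by role.
    """
    result = {}
    for user in users:
        key = tuple(user[attr] for attr in group_by)
        extra = user["perms"] - roles[key]["baseline"]
        if extra:
            result[user["id"]] = extra
    return result


if __name__ == "__main__":
    by_dept = mine_roles(USERS)
    for key, role in by_dept.items():
        print(key, "baseline:", sorted(role["baseline"]), "members:", role["members"])
    print("outliers:", outliers(USERS, by_dept))
    # Grouping by department and location gives smaller groups and a
    # different baseline; this is the parameter tuning the text refers to.
    print("finance/nyc baseline:", sorted(mine_roles(USERS, ("dept", "loc"))[("finance", "nyc")]["baseline"]))
```

Grouping by department alone puts `erp.post` in the finance baseline (three of four hold it), while grouping by department and location drops it for finance/nyc (only two of three), which is exactly the kind of difference a role owner has to decide on rather than accept blindly.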

Finishing Touches on Gathering Entitlement Information

With that groundwork in place, you’re at a point where you can complete your picture of who needs access to what and measure the associated risk. The culmination of all this work is being able to conduct successful certifications. IG helps you assemble a least privilege foundation by:

  • Automating the collection and validation of account information (identity, group, application, and permissions) across your environment.
  • Collecting and updating the policies that control access to these resources.
  • Calculating risk.

As your roles are tuned over time, and depending on your environment, your baseline may reach a point where accounts within those roles are granted permissions without having to make any request at all, reducing the burden on your supervisors and approvers. Despite this reduced overhead, a fine-tuned baseline keeps both cost and risk down for your governed services.

Automating Requests, Approvals, Reviews

With an entitlement management foundation in place, IG provides automated request and approval workflows.

  • Requesters are offered a familiar user experience akin to online shopping: they add the desired services to a shopping cart and send off the request for access.
  • Along with the request, approvers can be presented with business criteria, which may include cost and potential risk, to help them make an educated decision.
  • If needed, requests can then be passed on to the next approval level.

Beyond IG’s automation, your organization needs to monitor its protected information from several perspectives:

  • A dedicated monitoring solution that records who accessed specific resources and when.
  • Monitoring of context and behavior, so that a response can be triggered if a risk threshold is exceeded.
  • Assurance that all monitoring capabilities clearly and reliably associate a session with an identity; an access event that cannot be tied to an identity can be neither certified nor investigated.

You have now reached a point where you can account for users who are granted access outside of that structure. These one-offs often need to be brought to the attention of the information’s stakeholders (the owner and the security team) and incorporated into IG’s management, so that approvers and reviewers have the relevant information about the account and the resource at their fingertips when making a decision.

Micro-certifications

Once all the relevant information has been onboarded into your governance environment and your permission flows are automated, you still need the ability to react to out-of-bounds risk. Out-of-bounds risks are situations that fall outside the criteria accepted by the organization. This assessment is done through targeted permission checks called micro-certifications. One type of check targets a specific person, measuring that person’s permissions across the entire digital landscape. It is not uncommon for a periodic process to be kicked off for each account, highlighting permissions to resources that have never been accessed, or not accessed within a defined period. Increasingly, these processes are also being used to drive down the cost of per-account licenses.

The other type of micro-certification targets a specific resource, one that is sensitive and deserving of close inspection. This type of micro-certification is often initiated:

  • As a routine check designed as an additional layer of protection for highly sensitive data.
  • When a permissions trigger fires, indicating that excessive permissions have been allocated for a digital resource.
  • In response to an alert or report from the access management architecture of unexpected actual access.

Micro-certifications are a specialized process built to limit a review to specific criteria. NetIQ lets you automate this process so that the review is scoped to the focus area of the event that kicked it off. The ability to receive an event and quickly react with a narrowly scoped review is a powerful tool for increasing security and keeping costs down. In IG, a micro-certification inherits reviewer assignments and settings from the specified review definition, and you can run one for any review type. If it is part of your standard security practices, NetIQ lets you run multiple certifications in parallel, either on demand or on a preset schedule.
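The two micro-certification triggers described above (the per-user check for permissions unused within a defined period, and the per-resource check for a sensitive resource with excessive allocations), as an added example that is not Identity Governance’s own logic: a Python script over constructed entitlement assignments and a constructed access log in a hypothetical `timestamp user permission outcome` format. It scopes a per-user review to permissions never used or idle beyond a window, and a per-resource review to a sensitive permission held by more people than its policy allows. The data, the log format, the `SENSITIVE` policy, the fixed `NOW` and the 30-day window are all assumptions for illustration.

```python
"""Scoping micro-certifications from entitlements and an access log.

Added example, not Identity Governance code. Two triggers from the text:
a per-user review of permissions unused for a defined period, and a
per-resource review when a sensitive permission is held by more people
than its policy allows. All input below is constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed assignments: (user, permission) pairs currently in force.
ASSIGNMENTS = [
    ("alice", "erp.post"), ("alice", "vpn"), ("alice", "payroll.admin"),
    ("bob", "erp.post"), ("bob", "vpn"), ("bob", "payroll.admin"),
    ("carol", "vpn"), ("carol", "payroll.admin"), ("carol", "git"),
]

# Constructed access log in a hypothetical "timestamp user permission outcome" form.
ACCESS_LOG = """\
2024-05-01T09:12:00Z alice erp.post allow
2024-05-20T10:00:00Z alice vpn allow
2024-02-03T08:00:00Z bob payroll.admin allow
2024-05-21T11:30:00Z bob vpn allow
2024-05-22T07:45:00Z carol payroll.admin allow
2024-05-22T07:46:00Z dave payroll.admin deny
"""

# Hypothetical resource policy: maximum holders of a sensitive permission
# before its owner must review the allocation.
SENSITIVE = {"payroll.admin": 2}

# Fixed "now" so the example is reproducible (assumption).
NOW = datetime(2024, 5, 31, tzinfo=timezone.utc)


def parse_log(text):
    """Return {(user, perm): latest successful access}; denied attempts are ignored."""
    last_seen = {}
    for line in text.splitlines():
        ts, user, perm, outcome = line.split()
        if outcome != "allow":
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        key = (user, perm)
        if key not in last_seen or when > last_seen[key]:
            last_seen[key] = when
    return last_seen


def user_micro_cert(user, assignments, last_seen, now=NOW, max_idle_days=30):
    """Scope a per-user review: permissions never used, or idle longer than the window."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for holder, perm in assignments:
        if holder != user:
            continue
        seen = last_seen.get((holder, perm))
        if seen is None or seen < cutoff:
            stale.append(perm)
    return sorted(stale)


def resource_micro_cert(assignments, policy=SENSITIVE):
    """Scope a per-resource review: sensitive permissions with more holders than policy allows."""
    holders = {}
    for user, perm in assignments:
        holders.setdefault(perm, set()).add(user)
    return {perm: sorted(users) for perm, users in holders.items()
            if perm in policy and len(users) > policy[perm]}


if __name__ == "__main__":
    seen = parse_log(ACCESS_LOG)
    for who in ("alice", "bob", "carol"):
        print(who, "review:", user_micro_cert(who, ASSIGNMENTS, seen))
    print("resource review:", resource_micro_cert(ASSIGNMENTS))
```

Note that the denied attempt by `dave` never counts as use: a failed access is an alert for the resource owner, not evidence that a permission is in use. Shortening `max_idle_days` widens the per-user scope, which is the lever the text describes for driving down per-account license cost.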

By incorporating NetIQ’s micro-certifications into your security processes, you establish greater protection against the consequences of a breach as well as against an audit finding from a regulatory agency. By contrast, manual certification processes are so time- and labor-intensive that they become impractical; without automation, your security teams are subject to certification fatigue. Automation lets you keep these periodic processes sharp and maintain your security edge.

Continuing the NetIQ Discussion

Next week, I'll continue the NetIQ section of this mini blog series on how the portfolio helps you address your governance gaps. The two outstanding areas of discussion will be managing your SoD (separation of duties) commitments and simplifying your attestation and compliance commitments. Both topics are essential as your organization works to remain compliant with the regulations that apply to it, as well as to maintain its consumers' trust.
