Leveraging NetIQ for Identity Governance Gaps (part 3 continued)

by Micro Focus Employee in CyberRes

As mentioned in my previous blog on Identity Governance Gaps, here is the second half of part 3 and the final blog in this mini-series. It covers what NetIQ does for SoD (separation of duties) and attestation.

Managing SoD Across Your Organization

Whether for compliance reasons or as a fundamental part of an organization’s security strategy, separation of duty (SoD) is a core safeguard. It prevents collusion, which is often an essential component of an act of fraud or other types of information abuse. SoD also protects against someone obscuring a data breach or circumventing protections. Although the notion of preventing conflicting responsibilities, or of someone reporting to themselves, sounds simple, in practice it can be pretty complex. And while SoD has been a long-time security practice, the need for a rock-solid approach to implementing it is real. Regulations whose audits carry SoD compliance risk for the organization include Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the HIPAA Rules of 1996, and most recently GDPR for ensuring privacy.

Unlike other common identity and access governance solutions, NetIQ offers a 360-degree view of access to sensitive information that adds strength and confidence to attestation reports. That's why customers frequently add NetIQ Access Manager (AM) to their identity and governance installation. It's not uncommon for customers to deploy NetIQ provisioning, governance, and access management as part of a single configuration. When they do so, customers benefit from a powerful synergy:

  • Identity Manager: provisioning and interaction with each resource’s identity store use an event-based pub/sub model. It’s incredibly flexible and assures that your centrally managed identity and permissions profiles are in force.
  • Identity Governance: delivers a full governance platform, adding a layer of purview for security teams and information owners that is not available in provisioning frameworks. Leveraging its comprehensive permissions library, it generates reports that the organization and auditors can consume easily, without any manual collation.
  • Access Manager: used in conjunction with IG and IDM, it provides a 360-degree approach to access control: IG/IDM to design, enforce, and report on permissions both in real time and historically, and Access Manager for a history of actual access. Of course, there should never be an instance where someone accessed a resource they were never supposed to have rights to, which is one of the reasons why AM is often included in the deployment.

Drilling down further into NetIQ Identity Governance

Narrowing our view to specifically IG, it has some features that merit concrete call-outs because they enable you to have fewer SoD policies, making them notably easier to manage.

Dynamic criteria

IG enables you to design more effective policies that simplify your quest to reach a solid level of SoD processes that you can feel confident in. Rather than being forced to build a library of static policies based on groups, you can use dynamic criteria to design policies that are far more powerful and intuitive to read. This higher-level approach means that as new users are onboarded into the organization, their attributes rather than their group memberships are used to comply with SoD requirements. Another result of IG’s dynamic policies is that you will be able to meet your security requirements with far fewer of them, which is another big win.

Preventive Violation Alerts

When a user submits an access request that violates an SoD policy, IG warns the requester at that time. It does this by assessing the request against all the items in the requester's shopping cart, as well as all of the requester's existing permissions. IG also alerts every approver of the request that approving it will potentially violate an SoD rule. To control how requests are evaluated, you can further tune their rigidity:

  • Tolerable – the request is flagged as potentially violating SoD requirements, but may be overridden by two approvers (4-eyes approval).
  • Toxic – a request that should never be approved; it poses a direct threat to the organization.

Violation Blocks

IG also allows you to distinguish permission combinations that are SoD tolerable from ones that must never be allowed, meaning that approvers are not even able to approve them. Not only does this automate security to a stronger level, but it relieves security administrators of having to manually make the final call on a permissions request, which too often becomes an unwelcome distraction from their primary duties.
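As an added illustration of the request check described in the last two sections (this is example code, not NetIQ's own implementation or API; policy names, permissions and user attributes are constructed), here is a small Python model of an SoD policy library with tolerable and toxic severities and attribute-based applicability, evaluated against the shopping cart plus the requester's existing permissions:

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

TOLERABLE, TOXIC = "tolerable", "toxic"


@dataclass
class SodPolicy:
    name: str
    conflict: frozenset          # permissions that must not be held together
    severity: str                # TOLERABLE (4-eyes override) or TOXIC (hard block)
    # dynamic criterion on user attributes instead of static group membership
    applies_to: Callable[[Dict], bool] = lambda user: True


@dataclass
class Violation:
    policy: str
    severity: str
    permissions: frozenset


def evaluate_request(user: Dict, existing: Iterable[str], cart: Iterable[str],
                     policies: List[SodPolicy]) -> List[Violation]:
    """Flag every policy whose conflicting set would be fully held after the
    request, counting the cart items together with existing permissions.
    Only conflicts the cart contributes to are flagged here; pre-existing
    conflicts are a matter for review/attestation, not the request path."""
    cart_set, effective = set(cart), set(existing) | set(cart)
    return [Violation(p.name, p.severity, p.conflict) for p in policies
            if p.applies_to(user) and p.conflict <= effective
            and p.conflict & cart_set]


def decision(violations: List[Violation], approvals: int = 0) -> str:
    """Toxic -> blocked outright; tolerable -> needs two approvers."""
    if any(v.severity == TOXIC for v in violations):
        return "blocked"
    if violations:
        return "approved" if approvals >= 2 else "pending_4_eyes"
    return "approved"


# Constructed sample policy library.
POLICIES = [
    SodPolicy("vendor-vs-payment",
              frozenset({"create_vendor", "approve_payment"}), TOXIC),
    SodPolicy("expense-self-approval",
              frozenset({"submit_expense", "approve_expense"}), TOLERABLE,
              applies_to=lambda u: u.get("department") == "finance"),
]
```

Because applicability is a predicate over attributes, the same expense policy covers every finance user without maintaining a group for it.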

Attestation and Compliance

Identity governance attestations are used in a couple of different ways. Internally, they serve as an important tool for management to verify that its security processes are meeting their goals for controlling risk. This type of deliverable certifies that access levels for all protected resources comply with their defined criteria and intent. Based on the results of this type of attestation, identity governance policy changes and other protections may be implemented.

External attestations are used to demonstrate to regulatory agencies that your organization is in compliance with its policies. Depending on the industry, this process may be part of a self-audit or an artifact delivered to an external agency certifying compliance. As with internal audits, the key capabilities audit teams need are getting the complete picture without manual effort and publishing reports that show compliance with specific requirements. Beyond that, the NetIQ attestation capabilities already listed for Identity Manager, Identity Governance, and Access Manager also apply here.

Putting It All Together

That wraps up this blog series on measuring your governance capabilities, evaluating its effect on your organization’s ability to manage risk, and how NetIQ can help you significantly upgrade your governance and security posture. Put all three sections of this series together, and you have an identity governance buyer’s guide. As a note of caution, while I cover the synergistic value for governance that NetIQ Identity Manager, Identity Governance, and Access Manager offer, the value of IG’s information to the overall NetIQ platform is yet another topic.
