The definition of Identity Governance constantly evolves as new risks emerge and software vendors improve the capabilities of their products. Meeting the functional needs of your business while protecting your internal data and your customers’ data is a core competency of an identity security system. How a business goes about meeting these needs can change significantly across industries.
This article considers the latest requirements we’ve seen across new customer implementations, workshops, and public tenders, which give us insight into where Identity Governance is heading. Below is a list of 8 trends we’ve identified. We believe these trends push the capabilities of Identity Governance beyond basic ‘provisioning’ and ‘access review’. A true Identity Governance system should reduce risk, improve user experience, and take pressure off your technical teams. So, in no particular order, let’s explore what should be on your radar in 2022:
1. Outlier & Out-of-Band Event Detection
Your systems contain accounts which allow people to log in and perform tasks at various permission levels. Quite often there is a fringe set of accounts that are shared, obsolete or simply forgotten about. Without proper management, these accounts present a significant risk to your business. An identity governance tool will map accounts in connected systems to a person based on simple or complex logic. When this task is completed, a list of unmapped accounts can be reported on. This provides valuable insight and transparency to capture outlier accounts and act on them to reduce your organisational risk.
Additionally, if changes are made to an account outside of your Identity Governance solution, the system should detect this event and trigger a notification or remediation process immediately and automatically. This reduces the risk of rogue or unauthorised administrative events causing significant damage to your business.
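The sketch below is an added example, not code from any Identity Governance product. It shows the two checks described above: correlating accounts to people and reporting the unmapped remainder, then comparing actual group membership against what governance granted. The correlation rules, field names and all sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    system: str
    name: str
    email: str = ""
    groups: frozenset = frozenset()

# Constructed sample data: authoritative identities and accounts read from targets.
IDENTITIES = {
    "E1001": {"email": "a.ng@example.com", "logins": {"ang"}},
    "E1002": {"email": "r.silva@example.com", "logins": {"rsilva", "rsilva-adm"}},
}
ACCOUNTS = [
    Account("AD", "ang", "A.Ng@example.com", frozenset({"staff"})),
    Account("AD", "rsilva-adm", "", frozenset({"staff", "Domain Admins"})),
    Account("ERP", "svc_backup", "", frozenset({"operators"})),
    Account("ERP", "jdoe_old", "j.doe@example.com"),
]
# What the governance system itself provisioned, keyed by (system, account).
GRANTED = {
    ("AD", "ang"): frozenset({"staff"}),
    ("AD", "rsilva-adm"): frozenset({"staff"}),
}

def correlate(account, identities):
    """Return the owning identity id, or None when no rule matches."""
    for ident_id, ident in identities.items():   # rule 1: e-mail, case-insensitive
        if account.email and account.email.lower() == ident["email"].lower():
            return ident_id
    for ident_id, ident in identities.items():   # rule 2: known login name
        if account.name.lower() in ident["logins"]:
            return ident_id
    return None

def unmapped_accounts(accounts, identities):
    """Outlier report: accounts that no correlation rule ties to a person."""
    return [a for a in accounts if correlate(a, identities) is None]

def out_of_band_changes(accounts, granted):
    """Memberships that differ from what governance granted."""
    findings = []
    for a in accounts:
        expected = granted.get((a.system, a.name), frozenset())
        findings += [(a.system, a.name, "added", g) for g in sorted(a.groups - expected)]
        findings += [(a.system, a.name, "removed", g) for g in sorted(expected - a.groups)]
    return findings
```

Each finding from `out_of_band_changes` is what would feed the notification or remediation process; the unmapped list is the starting point for assigning an owner or disabling the account.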
2. IT Service Management Integration
Whilst an Identity Governance solution might have some basic IT Service Management (ITSM) capability baked in, your business might have already made significant investment in a specialised solution. Ensure your Identity Governance complements your existing processes. This could be in the form of a plugin or custom development to integrate the two systems. Consider the effort involved in a Do-It-Yourself custom integration compared to something that comes Out-of-the-Box.
Onboarding identities may be broken up into different categories, such as low risk identities which can be automatically created, and high risk or privileged identities that require a dynamic or multi-level approval process. How Identity Governance products implement workflows will differ. Ensure you have a good understanding of your workflow process and assess whether this aligns with the capabilities of your proposed Identity Governance software solution.
4. Role Mining using Data Analytics or Artificial Intelligence/Machine Learning (AI/ML) Capabilities
One of the more time-consuming tasks in any Identity project is the definition of roles and their assignment to users. Recently, automated role mining has become prevalent in project requirements. With role mining, your Identity Governance solution will recommend roles based on existing access which will give you the option to package and deploy the role at the click of a button.
Note: The term AI/ML is being thrown around a lot by software vendors. It’s worth digging a little deeper to see how this technology is implemented and whether you believe it will work for you.
5. Real-Time Separation of Duty (SOD) Detection
Separation of Duty policies help prevent people from holding a combination of access to systems that is considered ‘toxic’, for example being able to request a payment as well as approve a payment in your business.
Ensure that your separation of duty policies are applied in real-time when people request access, in addition to a traditional scheduled SOD detection report. Combining these two approaches provides greater coverage and reduces the risk of bad actors accumulating toxic combinations of access in your business.
Evaluating SOD policies at request time can prevent people from receiving toxic combinations of access in the first place.
Continuing the traditional SOD report approach will catch any combinations of access that people may have inadvertently received, e.g. through manual, or out-of-band access assignment.
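The two approaches can share one policy definition, as in this added example (not taken from any vendor's product). The policy format, entitlement names and sample assignments are constructed, and blocking a conflicting request outright is an assumption; a real deployment might route it to an exception approval instead.

```python
# Constructed policies: holding any entitlement from "left" together with
# any entitlement from "right" is a toxic combination.
SOD_POLICIES = [
    {"id": "SOD-PAY-01", "left": {"payments.request"},
     "right": {"payments.approve"}},
    {"id": "SOD-VEND-01", "left": {"vendor.create"},
     "right": {"payments.approve", "payments.release"}},
]

# Constructed snapshot of actual access read back from connected systems.
# bob's "payments.approve" was assigned manually, outside the request process.
ACTUAL_ACCESS = {
    "alice": {"payments.request"},
    "bob": {"payments.request", "payments.approve"},
    "carol": {"vendor.create"},
}

def violations(entitlements, policies=SOD_POLICIES):
    """Ids of every policy that the given set of entitlements breaks."""
    ents = set(entitlements)
    return [p["id"] for p in policies
            if ents & p["left"] and ents & p["right"]]

def evaluate_request(current, requested, policies=SOD_POLICIES):
    """Preventive check at request time.

    Only conflicts that the new entitlement would introduce are reported,
    so a pre-existing violation does not block unrelated requests.
    """
    before = set(violations(current, policies))
    after = violations(set(current) | {requested}, policies)
    new = [v for v in after if v not in before]
    return ("block" if new else "allow", new)

def scheduled_scan(assignments, policies=SOD_POLICIES):
    """Detective check: sweep actual access, however it was assigned."""
    report = {}
    for user, ents in sorted(assignments.items()):
        found = violations(ents, policies)
        if found:
            report[user] = found
    return report
```

Here the request-time check stops alice from adding `payments.approve`, while only the scheduled scan catches bob, whose conflicting access never passed through a request.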
6. Transient Workforce Management / Non-HR-Sourced Identities
Handling non-employee identities can be a considerable challenge for IT teams. The transient nature of these users means that traditional HR-aligned onboarding/offboarding processes are thrown out the window. Managing this in your Identity Governance solution should include checks and balances such as approval workflows and audit trails. This can remove a significant amount of manual effort in your business.
7. Extended Review Capability
It’s one thing to perform periodic reviews on user access, but who’s looking at the permission structure? A trend we have seen is that organisations are looking to increase visibility of how roles are configured and, when changes are made, whether someone is reviewing those changes.
8. Privileged Access Management
Recently, a push for privileged user session monitoring and management has been tied into Identity Governance implementations. Some IGA vendors have a PAM capability as part of their product offering; others do not. This may require engaging multiple vendors to cover governance and privileged access requirements separately, in which case consider the effort involved in integrating disparate vendor solutions and whether any off-the-shelf plugins exist.
The key takeaway is that Identity Governance continues to play a central role in your organisation and cannot be considered a ‘set and forget’ solution. It is worth the investment in keeping your Identity Governance system up-to-date and making the effort to implement new security capabilities that meet modern risks head-on.
Assertiv Consulting are the experts in Identity Governance and can help you recognise, identify and rectify risk gaps in your business. Our team are specialists across a wide range of solutions and vendors. Draw on our experience to get identity management working for you. Arrange an obligation-free workshop with our team.