A true access governance platform extends the reach of existing provisioning systems to provide an enterprise-wide view of entitlements in language business managers can understand. When integrated with a provisioning system, access governance solutions can dynamically and automatically change entitlements to avoid regulatory or security lapses, and ensure the organization can pass internal or external audits.
Where provisioning falls short
Provisioning systems automated what had become a cumbersome process of managing the lifecycle of user accounts which were shared or used by multiple applications. These provisioning systems connect to user directories or account repositories to establish, for each user, their log-in credentials, their profile attributes (such as name, title, department and office) and the group memberships that enable the user to access certain applications.
With this information, a provisioning system can tell who a user is, the accounts each user maintains and the associated account attributes and group memberships. However, it cannot determine the user’s entitlements – the critical details of exactly what each user can and cannot do with the enterprise’s applications and data. That is because applications, hosts and shared security solutions across the enterprise rely on their own policies and infrastructure to bind user accounts to application access entitlements.
It is these specific policy bindings that assure, for example, the proper separation of duties (such as those that keep the same employee from submitting and approving an expense report) or that block an unauthorized employee from seeing a customer’s credit card numbers.
Provisioning systems have no knowledge of these applications and systems or of the account-to-entitlement policy bindings. This infrastructure is usually visible to and accessible by only the IT staff, not business managers. As a result, IT security teams and application owners each use their own ad-hoc solutions such as spreadsheets to track entitlements, tag them with business descriptions and certify access.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.