Three Steps to Successful Identity Governance Administration

by Zain Rizvi and Dave Bennett

In the simplest of cases, Identity Governance Administration (IGA) for an application consists of three basic steps:

1. Generate reports that:

  • List the in-scope accounts that can access an application and the set of entitlements assigned to each account, and
  • Provide proof/validation that all in-scope accounts and entitlements are captured in the report.

2. Provide the ability to review the set of entitlements assigned to each account and a process for revoking assigned entitlements where necessary.

3. Generate and present reports that demonstrate that the review process and revocations from the previous step were executed correctly.

However, our clients have significantly more complex environments where the above three-step process does not scale, nor address all their concerns. Manual reviews and revocations and use of spreadsheets can only go so far when you are dealing with multiple applications, thousands of accounts, and tens of thousands of entitlement assignments. We need to enhance the aforementioned three-step process to support these complex environments and their associated larger volume of data.

Instead of individually managing application accounts, we recommend the best practice of using a centralized identity management solution, such as Ping Identity Management. Note that we refer to users in the identity management solution as identities, and users in the applications as accounts. The identity management solution connects to the target applications, provisions accounts, and manages entitlement assignments to the accounts for identities. 

The process is initiated with a user access review campaign for a given application. We extract from the target application a report that lists the accounts and the set of entitlements assigned to each account. This is similar to the three-step process above. Next, we generate a similar report from the identity management solution and compare the two reports in an automated manner. Note that the report from the identity management solution only includes the identities and entitlements that are relevant to the target application and in scope for the review in question. This allows us to ensure that the identity management solution and the target application have consistent data, so we can demonstrate that the review process is both accurate and complete.

At this stage, we employ an identity governance solution (we have been using Ping Identity Governance, formerly the ForgeRock Cloud IGA) to review the set of entitlement assignments. The identity governance platform connects to the identity management platform instead of directly connecting to the target application. In this manner the identity governance platform can scope the focus of the review process in one of two ways.

  1. Specify the scope of identities, such as the list of identities from the previous step, whose assigned entitlements we are reviewing.
  2. Specify the list of entitlements, and review the set of identities that are assigned those entitlements.

Since the identity governance platform connects to the identity management solution, it allows us to specify the reviewer for each identity based on the identity data. For example, we can specify an individual person to conduct the reviews for all identities, or the corresponding manager for each identity, or the owners of the entitlements. The reviewers also have the option to forward individual review tasks to others to ensure that they comply with segregation-of-duties policies. The identity governance platform offers remediation capabilities, so that if the reviewer revokes an entitlement for an identity, then the entitlement is revoked from the identity on the identity management solution as well as from the account on the target application. 

Once the review step is completed, we generate another pair of reports from the target application and the identity management solution to ensure that the data between the two of them is still consistent. Finally, we demonstrate that the user access review campaign was conducted correctly using three reports.

  1. The first report is the original report from the target application that provides the list of accounts along with the set of entitlements assigned to each account at the start of the campaign. 
  2. The second report lists every single review decision made by the reviewers. 
  3. The third report comes from the target application that again provides the list of accounts along with the set of entitlements assigned to each account, at the end of the campaign. 

These reports allow us to demonstrate the accuracy and completeness of the review process by:

  1. Comparing the first and second report, which allows us to ensure that every single entitlement assignment was reviewed during the campaign.
  2. Comparing the second and third report, which allows us to ensure that all revocations made during the review process were executed correctly. 

Once again, these comparisons are made in an automated manner.
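As an added illustration (not Nulli's or Ping's code), the automated comparisons described above: the application-versus-identity-management reconciliation before the review, and the three-report checks for accuracy (every assignment reviewed) and completeness (every revocation executed). All report data is constructed for the example.

```python
# Added example (not Nulli's or Ping's code): automated consistency and
# completeness checks for a user access review campaign. Reports are
# modelled as sets of (account, entitlement) pairs; all data is constructed.

# Constructed: application report at campaign start (report 1); "dave" is an
# orphan account that the identity management solution does not know about.
APP_START = {("alice", "app:admin"), ("alice", "app:read"), ("bob", "app:read"),
             ("carol", "app:write"), ("dave", "app:read")}
# Constructed: identity management export scoped to the same application.
IDM_START = {("alice", "app:admin"), ("alice", "app:read"),
             ("bob", "app:read"), ("carol", "app:write")}
# Constructed: reviewer decisions (report 2); carol's app:write was never reviewed.
DECISIONS = {("alice", "app:admin"): "revoke", ("alice", "app:read"): "certify",
             ("bob", "app:read"): "certify"}
# Constructed: application report at campaign end (report 3); the revocation
# of alice's app:admin was not carried out in the application.
APP_END = {("alice", "app:admin"), ("alice", "app:read"), ("bob", "app:read"),
           ("carol", "app:write"), ("dave", "app:read")}

def reconcile(app_report, idm_report):
    """Application vs IdM: returns (only_in_app, only_in_idm)."""
    return app_report - idm_report, idm_report - app_report

def unreviewed(start_report, decisions):
    """Report 1 vs 2: assignments with no recorded review decision."""
    return start_report - set(decisions)

def failed_revocations(decisions, end_report):
    """Report 2 vs 3: revoked assignments still present in the application."""
    return {a for a, d in decisions.items() if d == "revoke" and a in end_report}

def lost_certifications(decisions, end_report):
    """Report 2 vs 3: certified assignments that vanished without a decision."""
    return {a for a, d in decisions.items() if d == "certify" and a not in end_report}

def campaign_findings(app_start, idm_start, decisions, app_end):
    """Every non-empty set here is a finding to explain before sign-off."""
    only_app, only_idm = reconcile(app_start, idm_start)
    return {"only_in_app": only_app, "only_in_idm": only_idm,
            "unreviewed": unreviewed(app_start, decisions),
            "failed_revocations": failed_revocations(decisions, app_end),
            "lost_certifications": lost_certifications(decisions, app_end)}

if __name__ == "__main__":
    for name, items in campaign_findings(APP_START, IDM_START, DECISIONS, APP_END).items():
        print(f"{name}: {sorted(items)}")
```

The orphan account surfaces in the reconciliation before the review starts, and the unexecuted revocation surfaces in the report 2 versus report 3 comparison at the end.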

The enhancements to the original three-step process allow us to deal with complex and large-scale environments for identity governance. 

In summary, we discussed complete identity governance administration processes for applications, i.e., user access review campaigns covering all accounts and entitlements. Identity governance solutions allow us to limit user access review campaigns to one or more individuals or scope the campaigns to a set of entitlements. Governance solutions like Ping IGA overcome the static limitations of spreadsheets by allowing reviews to be easily reassigned mid-campaign.

Contact Nulli - Identity Management to learn more about Identity Governance Administration and how we can assist you with planning, deploying and achieving your identity governance goals.