Controls Intelligence in the Greater Whole

I was talking to a long time competitor/colleague/client/friend this week about identity governance and a variety of other identity topics. We were commenting that in some regards access certification and access policies have been stuck in bubble of amber: not a lot of innovation save the addition of some cluster analysis (marketed as AI.) In the course of the conversation I remember that a long time ago I had written a piece on the use of negative policy spaces for access governance. My buddy thought it would be fun to dig it up a repost it. So of I went to find this…

What’s funny (at least to me) is that what follows is a writing sample I used as part of the interview process to get my first analyst job at Burton Group. And that brought back a lot of memories…

So without further adieu, straight out of 2008, I bring you:

Controls Intelligence in the Greater Whole – Using Negative Authorizations to satisfy Audit Requirements and strengthen Positive Authorization Policies

Executive Summary

Whether conscious of it or not, no enterprise embarks on a controls exercise, be it controls definition, management, monitoring, or rationalization, unless that exercise addresses audit requirements.   Auditors and regulators have defined the backdrop against which a variety of corporate stakeholders must perform an ever-changing array of maneuvers to prove compliance.  Within this context, controls intelligence platforms and processes have developed to directly satisfy audit requirements.  In contrast, identity management technologies and other “compliance” tools are not truly aware of the constraints and requirements that auditors inflict upon organizations and are fundamentally not designed to meet those needs.  This piece will contrast the difference between controls intelligence platforms and their associated negative authorization policies against identity management technologies and their positive authorization policies, illustrating the appropriate use of both in the eyes of the auditors as well as the enterprise.

Continue reading Controls Intelligence in the Greater Whole

Thinking about Matt’s Simple Question: Correlating accounts and people

Matt Hamlin, over at Sun, mentioned a conversation we had last week about a topic in identity management which doesn’t usually get a lot of airtime: the correlation of accounts to people.  The exercise is the first step in answering Matt’s simple question of “Who has access to what?”  Matt writes:

This step is the foundation for Access Certification, Role Mining, Entitlements Management, Policy Evaluation, Identity Auditing, and numerous other custom services developed by our customers.

There were two major omissions in his list: password management and user provisioning.  The reality is the correlating of accounts to people is a requirement for all identity management exercises.  This correlation isn’t glamorous work and isn’t a one time affair.  None the less, it is crucial “Identity Gold” for identity management projects, but also as the foundation for risk mitigation exercises as well.

Here’s a tip to enterprises out there – ask your software vendors and deployment teams what capabilities they have to help facilitate this correlation.  Ask early and before you start down the path of an identity project.  Make it an on-going process governed by your overall identity management program.

I’ll be touching on this a bit in an upcoming Telebriefing I am doing.  On October 1st and 2nd, I’ll be giving a sneak peak of my research on access certification and will cover this and other topics.  If you are a Burton Group subscriber, you should check it out.  If you aren’t a BG customer, you should become one.  😉