Governance

Governance exposes the identity management environment to oversight within an organisation’s management structure. It is important that management weigh the cost of potential breaches against the cost of implementing a robust and appropriate solution. The good news is that this is relatively easy these days, with most vendors providing governance features “out of the box”.

Keeping track of who’s accessing your protected resources is generally the first step. Your identity management solution should provide reports that indicate how many users, from where and of what type, are logging on to your infrastructure. Monitoring authentication failures is also important, with the system reporting on the number and type of account lockouts that occur over a specified period of time.

One important component of governance is a re-certification process to periodically verify that users have adequate, and not excessive, entitlements. A good governance process will ensure the chronic problem of poor de-provisioning of users and contractors is eliminated.

Policy infractions are also important. A policy might be as simple as “the organisation’s documents repository cannot be accessed by an external user”, or it can be quite complex: “if a user of the Finance application issues a purchase order, that person cannot authorise a remittance in payment of the related invoice”. Governance should require reporting on policy infractions for action by the appropriate managers.
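As an added illustration (not part of the original article), the two policies quoted above can be written as checks over aggregated audit events. The event fields, application names and action names are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    user: str
    app: str                      # assumed application name
    action: str                   # assumed action name
    origin: str                   # "internal" or "external"
    po_id: Optional[str] = None   # purchase order the action relates to


# Constructed sample events, as they might arrive from aggregated logs.
# The PO-1003 pair is deliberately out of order.
EVENTS = [
    Event("alice", "finance", "issue_po", "internal", "PO-1001"),
    Event("bob", "finance", "authorise_remittance", "internal", "PO-1001"),
    Event("carol", "finance", "issue_po", "internal", "PO-1002"),
    Event("carol", "finance", "authorise_remittance", "internal", "PO-1002"),
    Event("frank", "finance", "authorise_remittance", "internal", "PO-1003"),
    Event("frank", "finance", "issue_po", "internal", "PO-1003"),
    Event("dave", "documents", "read", "external"),
    Event("erin", "documents", "read", "internal"),
]


def external_repository_access(events):
    """Simple policy: no external user may access the documents repository."""
    return [("external-access", e.user, e.app) for e in events
            if e.app == "documents" and e.origin == "external"]


def segregation_of_duties(events):
    """Complex policy: whoever issued a PO may not authorise its remittance."""
    issuers = {}
    # First pass collects issuers, so log ordering does not hide a conflict.
    for e in events:
        if e.app == "finance" and e.action == "issue_po" and e.po_id:
            issuers.setdefault(e.po_id, set()).add(e.user)
    return [("sod-conflict", e.user, e.po_id) for e in events
            if e.app == "finance" and e.action == "authorise_remittance"
            and e.user in issuers.get(e.po_id, ())]


def infractions(events):
    """Combined report for the responsible managers."""
    return external_repository_access(events) + segregation_of_duties(events)


if __name__ == "__main__":
    for item in infractions(EVENTS):
        print(item)
```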

Another feature of a good governance system is a good log aggregation tool. Aggregating system logs from disparate systems enables the monitoring and diagnostic work that is fundamental to a good governance capability.

The ideal situation is the integration of your identity and access management environment with your security information and event management (SIEM) system. SIEM systems alert on situations such as excessive use, out-of-hours access, historical inconsistencies and configuration change events.

Governance is not difficult – it just needs knowledgeable and determined management to “lock the gate”.