Bringing Simplicity & Visibility to Access Certification
Written by Ken Baker
Simply put, meeting business security and compliance mandates can be extremely difficult. This is especially true when it comes to certifying that the proper identity and access management controls are in place and followed. Much of this difficulty comes from the fact that many organizations rely on manual processes for certifying compliance of user access to IT resources. These manual processes lead to complexity, coverage gaps, human errors, excessive time and money spent, and ultimately untrustworthy certification data.
To achieve trusted, enterprise-level access governance and eliminate the problems associated with manual certification efforts, you need to implement an access governance maturity model made up of the following key stages (See Figure 1.):
- Access Visibility of who has access to what and how they received access.
- Automated Certification and Controls that facilitate the determination of who should have access, who approved access, and whether policy and control objectives are being met.
- Role Management that simplifies the definition and maintenance of roles, measures role effectiveness and uses roles in a way to reduce the compliance burden on the organization.
- Access Request processes that provide an effective business level interface for access requests, implement preventative controls to ensure compliant request approvals, simplify access change management and speed up access delivery.
Access certification means confirming that everyone who has access to a given IT resource is actually entitled to it. But most organizations lack the visibility they need to document easily, accurately and consistently who has access to what. Often this is because the information about their users' access privileges is scattered across a multitude of different information resources, such as directories, application user data stores and other enterprise systems. Extracting that information manually from all the different data stores and then consolidating it into a meaningful, easy-to-understand report can be quite a challenge.
For many organizations this manually collected information ends up in a spreadsheet containing long lists of user names, with each user's entitlements identified by cryptic codes or definitions that only make sense to IT administrators or the people responsible for collecting the information. Seldom can such reports be easily or accurately deciphered by the business line managers who have to verify that each user has the appropriate access rights. As a result, the managers will often simply say "Yes" to every entitlement, in essence rubber-stamping the report before forwarding it on to whoever is in charge of the organization's compliance.
Novell Compliance Certification Manager—one of the three products that make up the Novell Access Governance Suite —makes it easy to get a complete, enterprise-wide view of all your user access data, letting you know exactly who has access to what. And then it provides that data in a business friendly context that enables business line managers to make intelligent evaluations and decisions regarding user access.
To simplify data collection, Novell Compliance Certification Manager provides out-of-the-box collectors that, on a regular schedule, automatically pull access entitlement, identity and role information from a variety of target systems, such as Novell eDirectory, Active Directory, SAP, WebLogic and more. It can also pull access information from other data source types, including flat files, industry-standard databases, LDAP directories, XML files and a variety of applications. Once Compliance Certification Manager pulls the access information from your different data sources, it aggregates, normalizes and correlates that information into a unified business context and view of your users' access entitlements.
Automated Certification and Controls
Novell Compliance Certification Manager also makes it easier for you to determine who should have access to certain resources, as well as simplify approvals of access and make sure that compliance policies and access control goals are being satisfied. It provides an automated process that ensures access is appropriate and compliant. It streamlines the review, certification and reporting process as well.
For example, the wizard-based user interface in Novell Compliance Certification Manager can guide you through the creation of review workflows, stepping you through the key information, criteria and actions that need to be part of the different types of reviews you might need to conduct. It helps you decide who should participate in a review, such as the entitlement owners or the supervisors of any users included in the review.
Once you define a review, Novell Compliance Certification Manager can run the review on demand, on a scheduled date or based on a specific event. When a review runs, it sends all review participants an e-mail notification with a link to the review process interface. For example, supervisors might be presented with a list of their direct reports, showing a business friendly description of all their entitlements. It lets you use automated workflows that can immediately alert the proper people in your organization if potential violations have been committed.
One of the ways that Novell Compliance Certification Manager puts these access entitlements in a business-friendly context is through the use of roles. For example, in an organization of a thousand users, you can group those users into business-friendly roles that you define. So, if you have one hundred roles, instead of having to look at and verify each of the one thousand individual users' entitlements, your business managers only have to verify that those hundred business roles have the appropriate access.
Additionally, as part of the review, Novell Compliance Certification Manager can show you the last time certain users accessed a certain system. This can be helpful in enforcing least privilege, giving your users only the access they need to do their jobs and no more. For example, if Joe hasn't accessed the vendor management system in the last six months, that will likely prompt you to evaluate whether or not he still needs access to that system. If you determine he doesn't, from the review interface you can initiate an access change request to revoke that access. Based on the policy you've defined, that change request might be sent to the owners of the IT asset (i.e., the vendor management system), a help desk system, or your automated provisioning system. (See Figure 2.)
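The collect-aggregate-correlate pipeline and the last-access review described in the preceding paragraphs, as an added example written for this article rather than code from Novell or from Compliance Certification Manager. It reads two constructed exports (an LDAP-style group membership dump and an application's user/permission/last-login CSV), normalizes both into one entitlement record shape, correlates accounts to a single employee ID through an assumed identity table, and emits revocation change requests for entitlements unused for more than 180 days. The identity map, the business-friendly descriptions and the change-request shape are all assumptions made for the example.

```python
"""Added example (not Novell code): collect entitlements from two constructed
source exports, normalize them into one record shape, correlate them to a
single employee ID, and run a last-access review that produces revocation
change requests for entitlements unused for more than 180 days."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample exports (not real data). LDAP_GROUPS mimics a group
# membership dump, one "group|member DN" per line; APP_CSV mimics an
# application's user/permission/last-login report.
LDAP_GROUPS = """\
cn=vendor-mgmt-users,ou=groups|uid=jsmith,ou=people
cn=vendor-mgmt-users,ou=groups|uid=akumar,ou=people
cn=ap-approvers,ou=groups|uid=akumar,ou=people
"""
APP_CSV = """\
login,permission,last_login
jsmith,VENDOR_MGMT_READ,2009-01-15
akumar,VENDOR_MGMT_READ,2009-07-02
akumar,AP_APPROVE,2009-07-20
"""

# Assumed correlation table (an HR feed would supply it in practice): maps
# each (source, account name) to one employee ID so that one person's
# accounts across systems land in a single record set.
IDENTITY_MAP = {
    ("ldap", "jsmith"): "E1001", ("app", "jsmith"): "E1001",
    ("ldap", "akumar"): "E1002", ("app", "akumar"): "E1002",
}
# Assumed business-friendly wording per raw entitlement; anything without a
# mapping falls back to the raw identifier so nothing is hidden from review.
DESCRIPTIONS = {
    ("ldap", "cn=vendor-mgmt-users,ou=groups"): "Vendor management system: login",
    ("ldap", "cn=ap-approvers,ou=groups"): "Accounts payable: approve payments",
    ("app", "VENDOR_MGMT_READ"): "Vendor management system: view vendors",
    ("app", "AP_APPROVE"): "Accounts payable: approve payments",
}
STALE_AFTER = timedelta(days=180)


@dataclass(frozen=True)
class Entitlement:
    employee_id: str
    source: str                 # system the entitlement was collected from
    raw: str                    # identifier as the source system expresses it
    description: str            # wording shown to the reviewing manager
    last_used: Optional[date]   # None when the source records no usage


def collect_ldap(export: str) -> list[Entitlement]:
    """Normalize group memberships; LDAP records no last-use date."""
    out = []
    for line in export.splitlines():
        group, dn = line.split("|", 1)
        uid = dn.split(",")[0].split("=", 1)[1]
        out.append(Entitlement(IDENTITY_MAP[("ldap", uid)], "ldap", group,
                               DESCRIPTIONS.get(("ldap", group), group), None))
    return out


def collect_app(export: str) -> list[Entitlement]:
    """Normalize the application's CSV, keeping its last-login date."""
    out = []
    for row in csv.DictReader(io.StringIO(export)):
        perm = row["permission"]
        out.append(Entitlement(IDENTITY_MAP[("app", row["login"])], "app", perm,
                               DESCRIPTIONS.get(("app", perm), perm),
                               date.fromisoformat(row["last_login"])))
    return out


def aggregate() -> dict[str, list[Entitlement]]:
    """Aggregate both collectors and correlate the records by employee ID."""
    view: dict[str, list[Entitlement]] = {}
    for ent in collect_ldap(LDAP_GROUPS) + collect_app(APP_CSV):
        view.setdefault(ent.employee_id, []).append(ent)
    return view


def stale_entitlements(ents: list[Entitlement], as_of: date) -> list[Entitlement]:
    """Entitlements whose recorded last use is older than STALE_AFTER.
    Records with no usage data are deliberately not flagged: absence of
    telemetry is not evidence of non-use, so they stay in the normal
    manager review rather than being queued for revocation."""
    return [e for e in ents
            if e.last_used is not None and as_of - e.last_used > STALE_AFTER]


def revocation_requests(stale: list[Entitlement], requested_by: str) -> list[dict]:
    """Change requests in a shape a help desk or provisioning system could consume."""
    return [{"action": "revoke", "employee_id": e.employee_id, "system": e.source,
             "entitlement": e.raw, "requested_by": requested_by,
             "reason": f"unused since {e.last_used.isoformat()}"} for e in stale]


def run_review(as_of_iso: str, requested_by: str) -> list[dict]:
    """Whole pipeline: collect, correlate, find stale use, emit change requests."""
    view = aggregate()
    every = [e for ents in view.values() for e in ents]
    stale = stale_entitlements(every, date.fromisoformat(as_of_iso))
    return revocation_requests(stale, requested_by)


if __name__ == "__main__":
    for emp, ents in sorted(aggregate().items()):
        print(emp, [e.description for e in ents])
    for req in run_review("2009-09-01", requested_by="supervisor:E1000"):
        print(req)
```

Run against the constructed data as of 2009-09-01, only jsmith's VENDOR_MGMT_READ (last used 2009-01-15) is older than 180 days and becomes a revocation request; akumar's two application permissions were used in July and his LDAP group memberships carry no usage data at all, so all of them remain for the supervisor's ordinary review.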
Using standard and customizable business rules that enforce security and policy compliance, you can use Novell Compliance Certification Manager to conduct re-certifications based on events that could introduce compliance violations, such as when an employee changes roles or gains new entitlements.
Novell Compliance Certification Manager also includes an extensive set of built-in detailed, summary and customizable reports to further facilitate your compliance efforts. It also provides a set of dashboards with key risk indicators and metrics that can help your business and security managers easily evaluate certification and compliance status, as well as provide insight into potential high-risk users and applications and access violations.
Role Management and Access Request
While Novell Compliance Certification Manager takes care of the first two stages of the access governance maturity model, the other two products that make up Novell Access Governance Suite address the model’s remaining two stages. For addressing Role Management, there’s Novell Roles Lifecycle Manager and for Access Request there’s Novell Access Request and Change Manager.
As mentioned before, the use of roles can greatly simplify your certification and compliance efforts. But defining roles and making sure you have the appropriate ones can be a challenge. Novell Roles Lifecycle Manager simplifies this effort through role discovery, modeling, analytics and full role lifecycle maintenance. It gives you visibility into patterns and logical groupings in your organization to assist in role creation and management, and it helps you make sure you've assigned the appropriate access rights to your roles. (See Figure 3.)
Novell Roles Lifecycle Manager can also optimize your overall role structure so that you have fewer roles to certify, simplifying your overall certification process. One of the main ways it does this is by eliminating or consolidating redundant roles. Any redundant roles you have add unnecessary complexity to your certification process. If you have a hundred defined roles and twenty of them are redundant, you not only have to deal with twenty extra roles, but also with all the system and application entitlements associated with them. Using Novell Roles Lifecycle Manager to eliminate those redundancies can significantly reduce your overall certification effort.
The discovery and reporting tools in Novell Roles Lifecycle Manager also enable you to find any orphaned entitlements you might have. An orphaned entitlement is an entitlement (an access right or authorized action) that is not tied to any defined role. Discovering these orphaned entitlements and then assigning them to a role further simplifies the execution and management of your compliance activities.
Novell Access Request and Change Manager, a recent addition to Novell Access Governance Suite, provides a business-friendly interface that allows users to request access to a particular resource or system. It also provides a business-friendly interface for the business manager who receives the request and has to decide whether or not to approve it. (See Figure 4.) It has built-in compliance controls and policy checks that can warn the business manager of any potential compliance concerns associated with the request. For example, if a user makes an access request that violates segregation-of-duties (SoD) rules, that access request is automatically flagged with a warning.
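The request-time SoD check described above, as an added example written for this article and not code from Novell or from Access Request and Change Manager. The rule table, the role definitions and the distinction between conflicts a request would introduce and conflicts the requester already holds are assumptions made for the example. It goes one step beyond the paragraph by expanding requested roles into their entitlements before checking, since a request for a role can introduce a conflict just as a request for a single entitlement can.

```python
"""Added example (not Novell code): flag a pending access request when the
entitlements it would grant, combined with what the requester already holds,
violate a segregation-of-duties rule."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed SoD rules: two entitlements one person must not hold together,
# plus the control objective each rule protects (shown to the approver).
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT",
     "a person who can create vendors must not also approve payments to them"),
    ("AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT",
     "a person who enters invoices must not also approve their payment"),
]
# Constructed role definitions (assumed): role name -> entitlements it grants.
ROLES = {
    "AP Clerk": {"AP_CREATE_VENDOR", "AP_ENTER_INVOICE"},
    "AP Approver": {"AP_APPROVE_PAYMENT"},
}


@dataclass
class Violation:
    first: str
    second: str
    reason: str
    introduced_by: list[str]   # rule members this request would add; empty if pre-existing


def expand(items: set[str]) -> set[str]:
    """Resolve role names to the entitlements they grant; bare entitlements pass through."""
    out: set[str] = set()
    for item in items:
        out |= ROLES.get(item, {item})
    return out


def evaluate_request(current: set[str], requested: set[str]) -> dict:
    """Compare the requester's effective access after approval against SOD_RULES.
    Conflicts the request would introduce flag the request; conflicts the
    requester already holds are reported separately, since they belong to the
    recertification review rather than to this approval decision."""
    have = expand(current)
    new = expand(requested) - have
    effective = have | new
    introduced: list[Violation] = []
    pre_existing: list[Violation] = []
    for a, b, reason in SOD_RULES:
        if a in effective and b in effective:
            v = Violation(a, b, reason, sorted({a, b} & new))
            (introduced if v.introduced_by else pre_existing).append(v)
    return {
        "status": "flagged" if introduced else "clear",
        "introduced": introduced,
        "pre_existing": pre_existing,
        "effective": sorted(effective),
    }


if __name__ == "__main__":
    # An approver asks for the AP Clerk role: both rules fire, the approver
    # sees exactly which new entitlements cause the conflict and why.
    result = evaluate_request(current={"AP Approver"}, requested={"AP Clerk"})
    print(result["status"])
    for v in result["introduced"]:
        print(f"  {v.first} + {v.second}: {v.reason} (added by request: {v.introduced_by})")
```

The approver still makes the decision; the check only makes sure the decision is made with the conflict and its rationale in front of them, and it does so before anything is provisioned, which is what makes it a preventive rather than a detective control.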
When a manager does accept a request, the workflow in Novell Access Request and Change Manager can forward that approval to your IT group, a help desk or your automated provisioning system. The workflow and self-service nature of the product help you eliminate IT bottlenecks, and ultimately lower your IT administration costs and streamline access delivery in a way that lets you maintain compliance.
With the goal of simplifying how information resources are governed and certified, the Novell Access Governance Suite addresses all four stages of the access governance maturity model – Access Visibility, Automated Certification and Controls, Role Management, and Access Request. Each component of the Novell Access Governance Suite provides the operational simplicity and business visibility you need to improve your overall compliance efforts. The suite simplifies access requests. It enables you to better manage your entire user entitlement lifecycle. It makes it easier to certify the compliance of all your roles and entitlements. And it helps you ensure that all the users in your organization always have the right set of entitlements.
Visit www.novell.com/products/accessgovernancesuite/ to learn more about how Novell Access Governance Suite can bring simplicity and better business visibility to your compliance efforts.