Bringing Simplicity & Visibility to Access Certification
Written by Ken Baker
Simply put, meeting business security and compliance mandates can be extremely difficult. This is especially true when it comes to certifying that the proper identity and access management controls are in place and followed. Much of this difficulty comes from the fact that many organizations rely on manual processes for certifying compliance of user access to IT resources. These manual processes lead to complexity, coverage gaps, human errors, excessive time and money spent, and ultimately untrustworthy certification data.
To achieve trusted, enterprise-level access governance and eliminate the problems associated with manual certification efforts, you need to implement an access governance maturity model made up of the following key stages (see Figure 1):
- Access Visibility of who has access to what and how they received access.
- Automated Certification and Controls that facilitate the determination of who should have access, who approved access, and whether policy and control objectives are being met.
- Role Management that simplifies the definition and maintenance of roles, measures role effectiveness and uses roles to reduce the compliance burden on the organization.
- Access Request processes that provide an effective business-level interface for access requests, implement preventative controls to ensure compliant request approvals, simplify access change management and speed up access delivery.
Access certification is all about certifying that everybody who has access to certain IT resources should have that access. But most organizations lack the visibility they need to easily, accurately and consistently document who has access to what. Often this is because the information about their users’ access privileges is embedded in a multitude of different information resources, such as directories, application user data stores, and other enterprise systems. Extracting that information manually from all the different data stores and then trying to consolidate it into a meaningful, easy-to-understand report can be quite a challenge.
For many organizations this manually collected information ends up in a spreadsheet containing long lists of user names, with each user’s entitlements identified by cryptic codes or definitions that only make sense to IT administrators or the people responsible for collecting the information. Seldom can such reports be easily or accurately deciphered by the business line managers who have to verify that each user has the appropriate access. As a result, the managers will often simply say “Yes” to all the access listed, in essence rubber-stamping the report before forwarding it on to whoever is in charge of the organization’s compliance.
Novell Compliance Certification Manager, one of the three products that make up the Novell Access Governance Suite, makes it easy to get a complete, enterprise-wide view of all your user access data, letting you know exactly who has access to what. It then presents that data in a business-friendly context that enables business line managers to make intelligent evaluations and decisions regarding user access.
To simplify data collection, Novell Compliance Certification Manager provides out-of-the-box collectors that can automatically pull access entitlement, identity and role information on a regularly scheduled basis from a variety of different target systems, such as Novell eDirectory, Active Directory, SAP, WebLogic and more. It can also pull access information from other data source types, including flat files, industry-standard databases, LDAP directories, XML files and a variety of different applications. Once Compliance Certification Manager pulls the access information from your different data sources, it aggregates, normalizes and correlates that information into a unified business context and view of your users’ access entitlement information.
Automated Certification and Controls
Novell Compliance Certification Manager also makes it easier for you to determine who should have access to certain resources, to simplify approvals of access, and to make sure that compliance policies and access control goals are being satisfied. It provides an automated process that ensures access is appropriate and compliant. It streamlines the review, certification and reporting process as well.