
If the primary purpose of identity and access management is to ensure that users have only the entitlements they require to do their jobs, no more or no less, then the RSA IMG user access review (or "review" for the sake of brevity) is the primary instrument for supporting that purpose. Regularly scheduled reviews ensure compliance with access security policies in your organization. But that goal is undermined if reviews are not completed in a timely manner. (How long do you want someone with inappropriate access to retain that access?) Human factors come into play:

 

  • A reviewer may not be qualified to decide whether to maintain entitlements that are in violation of a user access or segregation of duties rule. In some cases, "exceptional access" can and should be maintained for users who have those entitlements. In other cases, the entitlements should be revoked immediately. In either case, the review process is best served by allowing a reviewer to delegate responsibility to another reviewer who is qualified and can address the review items.

  • Some reviewers simply do not or cannot complete their reviews on time. In either case, a review owner or a review monitor should be able to delegate review items to someone who is available and who will complete the review on time.


Reviews can be configured to allow review participants — reviewers, review owners, and review monitors — to delegate review items to someone else or simply relinquish responsibility for review items. Specifically, RSA IMG provides the following review delegation options that can be configured for a review:

  • Allow sharing of review (or owner/monitor) items — The reviewers or owner/monitors can share review items with other users.
  • Allow reassignment of review (or owner/monitor) items — The reviewers and owner/monitors relinquish review items and give them to others.
  • Allow unassignment of review (or owner/monitor) items — The reviewers and owner/monitors relinquish review items.

Another option, a review "escalation", enables you to automate review reassignment. Here, you specify a "trigger date," which determines when the escalation is initiated, and the workflow that designates who the review should be assigned to. RSA IMG provides a default reassignment workflow that delegates the review to a reviewer's supervisor. You can create additional workflows to customize the reassignment process.
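
The escalation described above, modelled as an added example (not RSA IMG code or its workflow engine): open items are reassigned to the reviewer's supervisor once the trigger date is reached. The data model, the `escalate` function, the fallback to the review owner and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class ReviewItem:
    item_id: str
    user: str            # person whose entitlement is under review
    entitlement: str
    reviewer: str        # person currently assigned to decide
    completed: bool = False

def escalate(items, supervisors, trigger_date, today, review_owner):
    """Reassign open items to the reviewer's supervisor once the trigger
    date is reached. Returns (item_id, old, new) tuples as an audit trail."""
    if today < trigger_date:
        return []
    audit = []
    for item in items:
        if item.completed:
            continue
        new = supervisors.get(item.reviewer)
        # Assumed fallback: with no supervisor on record, or when the
        # supervisor would be reviewing their own access, use the owner.
        if new is None or new == item.user:
            new = review_owner
        if new != item.reviewer:
            audit.append((item.item_id, item.reviewer, new))
            item.reviewer = new
    return audit

# Constructed sample data (not from any real deployment).
TRIGGER = date(2014, 6, 20)
SUPERVISORS = {"bob": "heidi", "erin": "dana"}

def sample_items():
    return [
        ReviewItem("R-1", "alice", "AP-Approve", "bob"),
        ReviewItem("R-2", "carol", "DB-Admin", "bob", completed=True),
        ReviewItem("R-3", "dana", "Payroll-Write", "erin"),
        ReviewItem("R-4", "frank", "VPN-Access", "gail"),
    ]

if __name__ == "__main__":
    for row in escalate(sample_items(), SUPERVISORS, TRIGGER,
                        date(2014, 6, 21), review_owner="ivan"):
        print("%s: %s -> %s" % row)
```

Completed items are left untouched, and every reassignment is returned so it can be logged for audit.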

 

With these reassignment and delegation features at your disposal, you can ensure that your reviews are completed within a time frame that meets your access compliance policies. If you are a current RSA IMG user, how have you used the review delegation features? Feel free to share. And readers, feel free to ask questions.

As a working adult, where do you go to stay current in your profession?  Where do you find the latest practices and methodologies?  The products and services you use in your daily work?  Or the latest releases and reviews?  Are you enrolling in formal educational programs at your local college or university to get a broad overview?  Or, are you going to training seminars regularly on your company’s dime and on your company’s time?

 

Most likely, as a working adult in 2014, your education and training style has shifted over the past several years to informal.  Informal education means that you’re learning on your own without a formal instructor or trainer.  Informal education today typically takes place online and often through Web 2.0 media, such as blogs, wikis, discussions, videos, and podcasts.   An online community of interest can be your one-stop shop for accessing various content specific to your topic.  Sure, you can visit several websites across the World “Wild” Web, but as an adult engaged in informal, self-learning, do you know whether what you’re reading is vetted truth, or simply someone’s wild opinion?  As an informal learner today, meaning-making comes from non-formal education, which you can only get from vetted, true professionals and experts.  But where do you find them?


If you’re interested in security and IAM (Identity and Access Management), a good online community to join is the RSA IAM Community.  Here, whether you’re simply interested in security or Identity and Access Management, or even if you’re already a loyal user of RSA products, you can learn more about various related security topics and specific RSA security products like IMG, Authentication Manager, and SecurID from experts.  Check out the videos, podcasts, expert technical blogs, and discussions there. You’re in good company with professionals inside and outside RSA who have bookmarked the IAM Community in their personal learning network (PLN), which they use for informal learning and share with colleagues.  Check it out at https://community.emc.com/go/IAM/ and add the URL to your PLN. See you online.

Identity Intelligence is a term you may have heard lately – and it represents the next level of IAM program maturity, for which many organizations are now aiming.  Robust identity intelligence can guide the right access decisions across the identity lifecycle, helping to minimize risk and enable compliance with internal guidelines and external regulations.  Doesn’t that sound like it could make your life easier?

 

There are three stages to fully harness the Identity Intelligence that exists in your organization.  The first step involves collecting accounts, entitlements and attributes, to fully unify your identities and produce rich identity context.  Once you have the visibility and context of all existing identities, you can start to put policies and rules in place to guide access decisions.

 

The second step is all about identity analytics.  Here, you can start to define key metrics and implement dashboards and reporting for better analysis.  For example, how many access reviews have you run in the past year?  How many access changes came as a result?  How long did it take to fulfill those changes?  Once you can dive deep into this analysis, you can uncover issues and determine what to focus on improving.

 

From there, the third stage involves building out an identity ecosystem and combining the various instances of intelligence across your organization: business, threat, identity.  Often the first step is to connect your authentication deployment with your identity governance deployment to incorporate governance into your access program.  For example, connecting governance to your single sign-on system will ensure that the access you are allowing is appropriate.  Connect your IAM deployment to your GRC deployment to improve incident response, automate continuous monitoring of identity controls, and manage access decisions based on application risk.  Connect to your SIEM deployment, for better incident investigation and threat remediation.  Connect to your DLP deployment to drive access reviews and business processes around unstructured data resources.  How else could you leverage identity intelligence in your organization?

 

Join this webinar to learn more about how organizations can use Identity Intelligence to cost-effectively and efficiently protect the business, accelerate business user productivity, and minimize risk across the enterprise.