The Interplay of IGA, IAM and GRC for Comprehensive Protection in Cloud Transitions

Author: Keri Bowman, CISA
Date Published: 6 July 2023

In today's increasingly digitized business environment, transitioning from on-premises infrastructure to hybrid ecosystems involving legacy enterprise resource planning (ERP) software, Software-as-a-Service (SaaS) applications and various public cloud providers is commonplace. As this shift occurs, it is critical that organizations pay attention to the significance of governance, risk and compliance (GRC) in their identity and access management (IAM) journey. Add evolving regulatory requirements [1] to this mix and the importance of establishing visibility, governance and security across the entirety of the application risk landscape becomes more apparent.

Bridging the Gap

IAM serves as the fundamental policy framework that governs how users obtain the requisite access to vital systems, adhering to a precise methodology and timeline [2]. For example, IAM policies might include the principle of least privilege, which ensures that users only have the access necessary to perform their roles; access control policies, such as role-based access control (RBAC) or attribute-based access control (ABAC), which determine how access is granted based on user roles or attributes; and life cycle management policies, which dictate when and how access is granted, changed or revoked as a user's status changes within the organization.

Identity governance and administration (IGA), an advancement of IAM, fuses these policies with solutions that enable the automation of access provisioning and review. IGA possesses a suite of features that make this possible, including ingesting data from the human resources department as the source of truth to ensure accurate and updated user information, birthright provisioning for automatically assigning basic access rights based on position or department, and technical rule provisioning for more specific or complex access rights. In addition, automated access provisioning and deprovisioning streamline the onboarding and offboarding access management process, and certifications enable periodic review and validation of user access rights.

Navigating the intricacy of user access in today's fluid digital environment necessitates an additional component: the combination of IGA and access controls, often referred to as application GRC. This integration amplifies automated provisioning by concurrently monitoring and managing the risk associated with the granted access. In terms of the capability maturity model (CMM), a development model that describes the progression of an organization's processes over time, this incorporation represents a significant leap forward.

IAM establishes the procedures for moving away from initially ad hoc, unstructured and reactive processes toward defined, documented and repeatable processes. IGA builds on this foundation, transforming these processes into more defined and proactive ones by leveraging automation. Finally, the integration with application GRC moves the organization further along the CMM scale toward optimized processes, which should be continuously monitored, measured and improved to effectively manage user access risk.

Harnessing GRC Management in Complex IT Architectures and SoD Scenarios

Managing user access in separate applications that each have their own security rules can be tricky. Consider an example of an employee who has had different roles in the same organization over time. With each new role, this person might have gained more security permissions in systems such as JD Edwards or SAP. The more permissions they have, the higher the chance of fraud or breaking a segregation of duties (SoD) rule, which says that no one person should have control over 2 conflicting business tasks.

To make this example even clearer, imagine that this employee also has access to a different system, such as PeopleSoft, because of work on a project. Now they have access across multiple systems, and keeping track of what they can do becomes more challenging. They might be able to approve a purchase in one system and record the payment in another, which breaks the SoD rule and can lead to problems.

There are tools that can help lower this risk by displaying details about user access and what the users are doing with their access, but often these tools show only part of the picture, especially when it comes to complex security models and multiple applications, or they are siloed into addressing only a single application. As organizations implement more solutions, it becomes more difficult for security and compliance teams to manage who has access to what across all the different applications. This is where a cross-application GRC solution becomes critical in facilitating the visibility of user access assignments within and across numerous applications to effectively support governance and security processes [3].

The Increasing Importance of Cross-Application GRC

As more organizations move to the cloud, the task of managing security within and across different applications becomes increasingly complex. Each application may have its own unique security model, making it challenging for IT teams to maintain a consistent view of access rights and potential risk. Integrating GRC into the organization's processes can help alleviate this complexity.

With GRC integration, organizations can centralize their risk management efforts, giving them a holistic view of security and compliance across all their applications. This unified approach can provide greater visibility into potential SoD issues, enabling the organization to identify and mitigate risk before it leads to security incidents or breaches. In addition, GRC integration allows for continuous monitoring and assessment of risk, ensuring that the organization's security posture remains robust even as its application landscape evolves [4].

M&A Challenges and the Role of Identity and Access Governance

Mergers and acquisitions (M&A) are often exciting times for an organization. They indicate growth, expansion and the potential for future success. However, the process of merging or acquiring can also bring about a host of challenges, especially when it comes to managing business processes and user access. The influx of new users, each with their unique roles and access requirements, can be overwhelming for IT teams. Add in the need to reevaluate SoD rules due to introducing new processes, and it is easy to see how mistakes happen and compliance issues might arise.

GRC tools can help organizations assess and understand this new risk landscape and ensure proper governance. These systems can significantly simplify this transition by automating the process of assigning and tracking user access rights and reducing the risk of errors that could lead to security vulnerabilities or breaches. This holistic approach to GRC significantly mitigates the risk of potential breaches or noncompliance penalties and ensures that the M&A process results in an integrated, compliant and secure enterprise.

Confronting Elevated Access Challenges With GRC

Although IGA tools can provide a robust framework for managing access rights, they can sometimes fall short when overseeing elevated access. These are the super users with the ability to bypass normal access controls and whose activities can pose a significant risk if not properly managed. Here, GRC integration can offer additional control and visibility.

GRC solutions offer useful reports on high-level access activities. They help organizations identify who has too many permissions or who is using sensitive permissions more than necessary. This is possible with the help of 2 tools: emergency access management and sensitive access risk reporting.

The idea is to limit users' access, allowing them to have only the necessary permissions to perform their daily tasks. However, if a user temporarily needs higher access for a specific task or in an emergency, this can be managed through an emergency access management process.

With this process, the user's request for additional access is approved, monitored and reviewed. This way, users can get the access they need for special situations without the risk of having too many permissions on a regular basis, keeping the system secure and complying with the organization's policies.

Furthermore, GRC solutions can provide in-depth SoD risk analysis, identifying potential conflicts that can arise from granting elevated access. By adding this additional layer of control, GRC solutions create a more secure and compliant environment, ensuring that elevated access is carefully managed and monitored.
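As an added illustration (not code from the article or from any Pathlock product), the following Python models the two checks described in this article: the cross-application SoD analysis of the JD Edwards/SAP/PeopleSoft example above, and the what-if SoD analysis run on an emergency access request before an elevated role is approved. The systems, role names, business functions, SoD rules and users are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample: roles harvested from three systems, each mapped to the
# application-agnostic business functions it grants. This mapping is what lets a
# cross-application rules engine compare access held under different security models.
ROLE_FUNCTIONS = {
    ("JDE", "PO_APPROVER"):       {"approve_purchase_order"},
    ("SAP", "AP_CLERK"):          {"enter_vendor_invoice", "post_payment"},
    ("PeopleSoft", "AP_PAYMENT"): {"post_payment"},
    ("SAP", "VENDOR_MAINT"):      {"maintain_vendor_master"},
    ("SAP", "FIRECALL_FI"):       {"maintain_vendor_master", "post_payment"},  # elevated role
}

# SoD rules: pairs of business functions no single person should hold, with the risk they express.
SOD_RULES = [
    ("approve_purchase_order", "post_payment", "Approve a PO and pay it (fictitious purchase)"),
    ("maintain_vendor_master", "post_payment", "Create a vendor and pay it (fictitious vendor)"),
]

# Constructed assignments: user -> list of (application, role) accumulated over several jobs.
ASSIGNMENTS = {
    "alice": [("JDE", "PO_APPROVER"), ("PeopleSoft", "AP_PAYMENT")],  # conflict spans two systems
    "bob":   [("SAP", "AP_CLERK")],
    "carol": [("JDE", "PO_APPROVER")],
}

def effective_functions(assignments):
    """Collapse every role a user holds, in any system, into function -> {(app, role) granting it}."""
    funcs = defaultdict(set)
    for app_role in assignments:
        for f in ROLE_FUNCTIONS.get(app_role, set()):
            funcs[f].add(app_role)
    return funcs

def sod_violations(assignments):
    """One (rule, roles granting side A, roles granting side B) tuple per SoD rule the user breaks."""
    funcs = effective_functions(assignments)
    return [(desc, sorted(funcs[a]), sorted(funcs[b]))
            for a, b, desc in SOD_RULES if a in funcs and b in funcs]

def simulate_grant(assignments, app_role):
    """What-if check run before an (emergency) grant is approved: returns only the NEW conflicts."""
    before = {v[0] for v in sod_violations(assignments)}
    return [v for v in sod_violations(assignments + [app_role]) if v[0] not in before]
```

Neither of alice's roles is a conflict inside its own application; the violation only appears once both systems are evaluated against one set of rules, and the same engine shows that granting carol the firecall role would create two new conflicts at once.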

Continuous Controls Monitoring: The Heart of an Effective GRC Strategy

Adding continuous controls monitoring (CCM) to a GRC strategy is not just a good security practice; it is a proactive way to prevent problems before they happen. CCM tools never stop checking the security of an organization's systems. They alert the organization if anything unusual happens or if there is a risk of a problem. This can include anything from unauthorized access attempts to changes in super user behavior. It is like having a security guard who is always on duty.

These CCM tools work hand in hand with IGA and GRC tools. They ensure that only the right people have access to certain systems and that everyone follows the rules. They also help spot any unusual activity, even among super users. With CCM, an organization can feel confident that its systems are secure and that any potential issues will be dealt with promptly, freeing teams to focus on their work.
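As an added example (not code from the article or from any product it mentions), this Python sketch shows how a CCM check ties the emergency access process described above to super user activity: each use of an elevated role in the activity log is matched against an approved emergency access window, out-of-window or unapproved use becomes a finding, and in-window use is collected per ticket for the post-use review. The approval records, the firecall role name and the log lines are constructed.

```python
from datetime import datetime

# Constructed emergency access approvals: who may use which elevated role, and during which window.
APPROVALS = [
    {"ticket": "EA-1001", "user": "bob", "app": "SAP", "role": "FIRECALL_FI",
     "start": datetime(2023, 7, 6, 9, 0), "end": datetime(2023, 7, 6, 13, 0)},
]

# Elevated (super user) roles that CCM watches; a normal role such as AP_CLERK is ignored here.
ELEVATED_ROLES = {("SAP", "FIRECALL_FI")}

# Constructed application activity log, one event per line: timestamp|app|user|role|action
ACTIVITY_LOG = """\
2023-07-06T10:15:00|SAP|bob|FIRECALL_FI|post_payment
2023-07-06T14:30:00|SAP|bob|FIRECALL_FI|maintain_vendor_master
2023-07-06T11:00:00|SAP|dave|FIRECALL_FI|post_payment
2023-07-06T11:05:00|SAP|bob|AP_CLERK|enter_vendor_invoice
"""

def parse_log(text):
    """Turn the pipe-delimited log into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        ts, app, user, role, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "app": app,
                       "user": user, "role": role, "action": action})
    return events

def covering_approval(event, approvals):
    """Ticket of the approval that authorises this exact user/app/role at this time, else None."""
    for a in approvals:
        if ((a["user"], a["app"], a["role"]) == (event["user"], event["app"], event["role"])
                and a["start"] <= event["ts"] <= a["end"]):
            return a["ticket"]
    return None

def monitor(events, approvals):
    """Split elevated-role usage into findings (no covering approval) and a per-ticket
    list of actions performed under the approval, which is what the reviewer signs off."""
    findings, reviewed = [], {a["ticket"]: [] for a in approvals}
    for e in events:
        if (e["app"], e["role"]) not in ELEVATED_ROLES:
            continue
        ticket = covering_approval(e, approvals)
        if ticket is None:
            findings.append((e["user"], e["ts"].isoformat(), e["action"], "no approved window"))
        else:
            reviewed[ticket].append(e["action"])
    return findings, reviewed
```

On the sample log, bob's 14:30 action falls outside his approved window and dave has no approval at all, so both are raised as findings, while bob's 10:15 payment is filed under ticket EA-1001 for review.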

What to Look for in a Compliance Solution

With so many options available in the market, it could be a challenge to shortlist solutions that not only meet current security needs but can also scale with the business and accommodate new compliance regulations. There are 3 key capabilities that can have a major impact on IGA and GRC initiatives:

  1. Process automation—Most compliance and audit-related activities are repetitive in nature, and automation plays a key role in enforcing policies at the provisioning level. It also helps streamline access reviews and continuously monitor user access for potential SoD conflicts while providing options for mitigation. Automation also translates into direct and indirect cost savings across IT, security and compliance departments.
  2. Cross-application capabilities—Having the ability to provision users, recertify access and manage SoD across applications with a centralized rules engine enables consistent compliance across the application landscape. Cross-application capability also reduces the burden on IT and provides compliance and security teams with a full view of risk, which, in turn, helps prioritize remediation and mitigation.
  3. Continuous monitoring—Instead of relying on periodic audits to detect compliance deviations after the fact, continuous monitoring of both controls and user activity within applications enables organizations to detect violations and suspicious activity as they happen. It also provides compliance managers with a clear view of key control activities and ensures that they are performing as intended while providing senior executives with visibility into their organization's risk, security and compliance status.

Conclusion

Achieving comprehensive protection during a cloud transition may seem complicated, but it is possible with the right tools. IGA, IAM and GRC are critical components of a robust security strategy. IAM manages user access, IGA enhances efficiency through automation and GRC provides continuous risk management. These elements, along with real-time surveillance through CCM, strengthen an organization's ability to manage risk effectively.

When selecting a compliance solution, it is essential to consider features such as process automation, cross-application functionalities and continuous monitoring. These features enable comprehensive management of user access rights, consistent compliance across applications and a complete view of the organization's risk landscape.

Although the journey toward cloud transition security may seem daunting, the right strategies and tools can bring significant benefits. With effective risk management, increased efficiency and growth promotion, organizations can ensure that their digital environments remain secure and compliant, ready for the future's evolving demands.

Endnotes

[1] Public Company Accounting Oversight Board (PCAOB); AS 2110: Identifying and Assessing Risks of Material Misstatement, USA, 2010
[2] Puterbaugh, M.; “Governance Risk and Compliance (GRC): A Complete Guide,” Pathlock, 10 March 2023
[3] Pandey, P.; “Access Governance Is Critical for Preventing Phishing Attacks,” Pathlock, 18 May 2020
[4] Pathlock; “Four Types of Internal Controls Weaknesses and 5 Ways to Fix Them,” 12 February 2023

Keri Bowman, CISA

Keri Bowman has more than 14 years of experience leading risk and governance management program implementations, performance improvement initiatives and product management and development. This includes translating business needs and requirements into project scoping and execution, IT audits, ERP implementations and GRC tool selection and implementation. She is passionate about providing businesses with practical takeaways to consider and assisting them in building, implementing and successfully maintaining governance programs. She works with the IAG product team at Pathlock, building the future of converged risk, compliance and cybermanagement solutions.