A risk-based approach to managing access

Access governance is one of the hot-button topics in the South African IT industry at present, mainly due to the promulgation of various pieces of legislation, one of which is the Protection of Personal Information (POPI) Act. While this trend is relatively new to this country, organisations internationally have for some time been required by legislation to govern carefully who has access to corporate information. The upside is that while the local focus on access governance is fairly recent, the technology is already mature internationally, which means that by partnering with international vendors that provide these solutions, local companies can immediately gain access to proven products.

Access governance, as the name implies, involves implementing a system that manages who has access to what information within an organisation. With that picture in hand, companies can apply both detective policies, which report who in the business currently has access to what, and preventive policies, which stop the wrong people from being granted access to sensitive information in the first place.

“The most important aspect of access governance is its ability to allow for an access recertification process”

- Andrew Whittaker

Perhaps the most important aspect of access governance is that it enables an access recertification process. The idea is for a line manager to be tasked with regularly checking the access rights of the employees under their control, and either approving or revoking the access they have been assigned. In addition, the manager should be expected to review policy violations.

The trouble is that in a large enterprise, access sometimes has to be managed across hundreds or even thousands of different business systems, and it becomes difficult to identify areas of genuine risk, as these can easily get lost in the ‘white noise’ created by such vast and differing access requirements.
In such a situation the enterprise cannot help but lose. Either the line manager is very thorough in working through these multiple chains of access, in which case their ability to do the rest of their job is greatly reduced, or they are not terribly thorough, in which case access ends up being approved for employees who really should not have it.

The answer to this challenge is to adopt a risk-based approach to access. By assigning risk categories to people within the organisation, based on the role they perform in the business and the type of access they require to do their job, the recertification process is made much simpler. For example, someone who requires access to the financial system would fall into a far higher risk category than an employee whose only access is membership of an Exchange distribution list. Risk can also be assigned to policy violations, since there are always exceptions within a large enterprise.

An effective risk model lets the line manager cut through the white noise during recertification. Employees in the High Risk category may need to be recertified weekly or even daily, and their line manager may have to recertify every piece of access these staff members hold individually. Their access could also be reviewed by several senior managers, to ensure they are granted access only to those areas relevant to their individual jobs.

Those classified as Intermediate Risk, by contrast, would only be reassessed perhaps every quarter, while those in the Low Risk category would only need to be recertified perhaps once a year. Moreover, based on the risk category, the line manager would be able to perform bulk approvals for employees considered low risk.
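To make the risk model above concrete, here is a small worked example, added for this article and not code from any vendor's product. It rates each entitlement, derives a user's tier from the riskiest thing they hold (a single financial-system right outweighs any number of distribution lists), treats a policy violation as high risk in its own right, and then turns tier into review cadence and review mode: itemised sign-off for high and intermediate risk, one bulk batch for low risk. The entitlement names, risk weights, segregation-of-duties rule, review intervals and the four sample users are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Everything below is assumed for this example: entitlement names, weights,
# the one segregation-of-duties rule, the intervals and the sample users.
# Risk weight per entitlement: 3 = high, 2 = intermediate, 1 = low.
ENTITLEMENT_RISK = {
    "ap-create-invoice": 2,
    "ap-approve-payment": 3,
    "gl-read": 2,
    "crm-read": 1,
    "dl-all-staff": 1,
}

# Entitlement pairs no single person should hold together (segregation of
# duties). Holding both is a policy violation that must be reviewed.
SOD_RULES = [("ap-create-invoice", "ap-approve-payment")]

TIER_BY_WEIGHT = {3: "HIGH", 2: "INTERMEDIATE", 1: "LOW"}
# How often a user's access comes back to the line manager, in days.
REVIEW_INTERVAL_DAYS = {"HIGH": 7, "INTERMEDIATE": 90, "LOW": 365}


@dataclass
class User:
    name: str
    manager: str
    entitlements: list[str]
    last_certified: date


@dataclass
class ReviewTask:
    user: str
    manager: str
    tier: str
    due: bool
    mode: str                       # "itemised" or "bulk"
    violations: list[tuple[str, str]]
    entitlements: list[str]


def unknown_entitlements(ents):
    return [e for e in ents if e not in ENTITLEMENT_RISK]


def sod_violations(ents):
    held = set(ents)
    return [rule for rule in SOD_RULES if held.issuperset(rule)]


def user_tier(ents):
    """Tier follows the riskiest entitlement, never the average. A SoD
    violation is high risk on its own, and so is an entitlement nobody has
    rated: unrated access cannot be assumed harmless."""
    if sod_violations(ents) or unknown_entitlements(ents):
        return "HIGH"
    if not ents:
        return "LOW"
    return TIER_BY_WEIGHT[max(ENTITLEMENT_RISK[e] for e in ents)]


def build_campaign(users, today):
    """One review task per user, highest risk first."""
    tasks = []
    for u in users:
        tier = user_tier(u.entitlements)
        interval = timedelta(days=REVIEW_INTERVAL_DAYS[tier])
        tasks.append(ReviewTask(
            user=u.name, manager=u.manager, tier=tier,
            due=today - u.last_certified >= interval,
            mode="bulk" if tier == "LOW" else "itemised",
            violations=sod_violations(u.entitlements),
            entitlements=sorted(u.entitlements),
        ))
    order = {"HIGH": 0, "INTERMEDIATE": 1, "LOW": 2}
    return sorted(tasks, key=lambda t: (order[t.tier], t.user))


def worklist(tasks):
    """What the line manager actually sees: only tasks that are due, the
    itemised ones listed individually, the low-risk ones as one bulk batch."""
    due = [t for t in tasks if t.due]
    itemised = [t for t in due if t.mode == "itemised"]
    bulk = [t.user for t in due if t.mode == "bulk"]
    return itemised, bulk


# Constructed sample population and review date for this example.
SAMPLE_USERS = [
    User("alice", "bob", ["ap-create-invoice", "ap-approve-payment", "dl-all-staff"], date(2024, 5, 1)),
    User("carol", "bob", ["gl-read", "dl-all-staff"], date(2024, 3, 1)),
    User("dave", "bob", ["dl-all-staff", "crm-read"], date(2024, 1, 15)),
    User("erin", "bob", ["crm-read"], date(2023, 4, 1)),
]
TODAY = date(2024, 5, 10)

if __name__ == "__main__":
    itemised, bulk = worklist(build_campaign(SAMPLE_USERS, TODAY))
    for t in itemised:
        print(f"{t.tier:12} {t.user:6} violations={t.violations} entitlements={t.entitlements}")
    print("bulk approve:", bulk)
```

Run as written, the manager's worklist for 10 May contains one itemised task (alice, high risk because she can both create an invoice and approve its payment, and nine days past her weekly review) and one bulk-approval candidate (erin, low risk, last certified over a year ago); carol and dave are inside their quarterly and annual windows and do not appear at all. That is the whole point of the model: the noise stays out of the queue until it is actually due.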

While there can be little doubt that access governance solutions can add enormous value to a business, they are only truly effective when paired with a risk-based model that identifies high-risk areas within the business and ensures that access to those areas is reviewed frequently and carefully.

Moreover, growing importance is being attached to the principle of risk in most large international enterprises. This focus is borne out in both national compliance legislation and internal corporate policies, particularly in the US and much of Europe. Given how globalised business is becoming, if you want to do business with organisations of this nature, your company will need to meet these exacting risk and compliance standards.

Clearly, adopting a risk-based approach to access governance is not only in your organisation’s own best interests with regard to protecting customer information and intellectual property; it is also a critical factor in doing business with companies around the world.