IDSO-003: User accounts and entitlements are removed through governance-driven provisioning

Description: All enterprise accounts and entitlements are disabled and removed based on the results of a governance process.

Benefit: Supports audit and compliance requirements. Reduces the risk of a breach caused by excessive access.

Implementation Approaches

Security Frameworks

NIST Cybersecurity Framework 1.1

  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • PR.AC-3: Remote access is managed

NIST SP 800-207: Zero Trust Architecture

  • 3.1.1: The enhanced identity governance approach to developing a ZTA uses the identity of actors as the key component of policy creation.
  • 6.3: Subject provisioning is a key component of ZTA.
Title: Automated De-provisioning through Directory Updates

Technology Components:
  • Identity Governance Administration (IGA)
  • Access Management (AM)

Description: The governance system is set up to modify content in a corporate directory (AD/LDAP). Typical lifecycle events act as triggers for the governance system; events such as application changes, role changes or user departure can all lead to deprovisioning of accounts and entitlements. The governance system understands how the directory content (users, user attributes, groups and group membership, etc.) relates to specific applications and their accounts and entitlements. The governance system is integrated with the directory, typically through well-known directory interfaces, to modify access accordingly.

Pre-requisites:
  • Relevant applications are integrated with a directory for the purpose of user/entitlement management
  • The directory is integrated with the Identity Governance system, allowing IGA to modify user/attribute/entitlement objects in the directory
  • The directory is also integrated with the Access Management system for the purpose of authentication and authorization
  • Appropriate triggers have been implemented based on HR system policy or on the attestation process

Supporting Member Companies: Fischer Identity, ForgeRock, Okta, Omada, Ping Identity, SailPoint, Saviynt, SecZetta

Title: Automated De-provisioning Directly Triggered in the Application

Technology Components:
  • Identity Governance Administration (IGA)
  • Access Management (AM)

Description: The governance system is set up to handle provisioning and deprovisioning of accounts and entitlements. Typical lifecycle events act as triggers for the governance system; events such as application changes, role changes or user departure can all lead to deprovisioning of accounts and entitlements. The governance system is integrated with the target application(s)/system(s) through programming interfaces to modify access accordingly.

Pre-requisites:
  • APIs are available in the applications for deprovisioning by an API client
  • Relevant applications are integrated with the Identity Governance system
  • Appropriate triggers have been implemented based on HR system policy or on the attestation process

Supporting Member Companies: Fischer Identity, ForgeRock, Okta, Omada, Ping Identity, SailPoint, Saviynt, SecZetta

Title: Manual Process

Technology Components:
  • Identity Governance Administration (IGA)
  • Access Management (AM)

Description: Typical lifecycle events act as triggers for the governance system; events such as application changes, role changes or user departure can all lead to deprovisioning of accounts and entitlements. Depending on the setup, the governance system is integrated with an internal ticketing system, email, and/or some form of collaboration system to generate a human workflow in which the application/business owners of the respective systems carry out the deprovisioning task manually.

Pre-requisites:
  • A ticketing system, email and/or some form of collaboration system is integrated with the governance system
  • Appropriate triggers have been implemented based on HR system policy or on the attestation process
  • Users responsible for manually deprovisioning access must be given sufficient details or instructions on how to modify account/entitlement information accordingly

Supporting Member Companies: Fischer Identity, Okta, Omada, SailPoint, Saviynt, SecZetta
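The following is an added example, not code from this page or from any of the member companies' products: a minimal governance rule engine that turns the lifecycle events described in the three approaches (departure, role change, application change) into deprovisioning actions, and routes each action to a directory update, an application API call, or a manual ticket depending on how the application is connected. The role-to-entitlement policy, the connector map and the identity data are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample policy: which entitlements each business role justifies.
ROLE_ENTITLEMENTS = {
    "engineer": {"git:read", "git:write", "vpn:access"},
    "finance": {"erp:view", "vpn:access"},
}
# Constructed sample connector map: how the governance system reaches each
# application, mirroring the three approaches (directory, API, manual).
APP_CONNECTOR = {"git": "api", "vpn": "directory", "erp": "manual"}


@dataclass
class Identity:
    uid: str
    roles: set
    entitlements: set
    active: bool = True


def deprovision(identity, event):
    """Return the actions a governance system emits for one lifecycle event.

    event is ("departure",), ("role_change", new_roles) or ("app_retired", app).
    Each action is (connector_type, description) so directory changes, API
    calls and manual tickets can be dispatched to the right channel.
    """
    kind = event[0]
    if kind == "departure":
        to_remove = set(identity.entitlements)  # leaver: strip everything
        identity.active = False
    elif kind == "role_change":
        identity.roles = set(event[1])
        justified = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in identity.roles))
        to_remove = identity.entitlements - justified  # keep only what a role still justifies
    elif kind == "app_retired":
        to_remove = {e for e in identity.entitlements if e.split(":")[0] == event[1]}
    else:
        raise ValueError(f"unknown lifecycle event {kind!r}")
    actions = []
    if not identity.active:
        actions.append(("directory", f"set accountDisabled for {identity.uid}"))
    for ent in sorted(to_remove):
        app = ent.split(":")[0]
        connector = APP_CONNECTOR.get(app, "manual")  # unknown app: fall back to a human workflow
        if connector == "directory":
            actions.append(("directory", f"remove {identity.uid} from group {ent}"))
        elif connector == "api":
            actions.append(("api", f"DELETE /{app}/users/{identity.uid}/entitlements/{ent}"))
        else:
            actions.append(("manual", f"ticket: owner of {app} removes {ent} from {identity.uid}"))
    identity.entitlements -= to_remove
    return actions
```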