IDSO-002: Privileged user accounts and entitlements are granted through governance-driven provisioning

Description: Creation of privileged user accounts and assignment of the corresponding entitlements are based on the results of a governance process. The governance process should include appropriate business justification approvals and risk mitigation, as well as constraints on access determined by business requirements. The governance process is tracked for auditing purposes.

Benefit: Provides evidence of control over who has access to which resources, as required to meet security controls and compliance requirements such as PCI, HIPAA, and SOX.


Implementation Approaches

Security Frameworks

NIST Cybersecurity Framework 1.1

  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • PR.AC-3: Remote access is managed

NIST SP 800-207: Zero Trust Architecture

  • 3.1.1: The enhanced identity governance approach to developing a ZTA uses the identity of actors as the key component of policy creation.
  • 6.3: Subject provisioning is a key component of ZTA.

Title: IGA Initiates Privileged Access Provisioning Workflow

Technology Components:
  • Identity Governance and Administration
  • Privileged Access Management

Description: User initiates a request for privileged access from the role and entitlement catalog. A workflow is initiated and is routed to the appropriate approver(s) based on defined policy. The business case is reviewed, and approval is granted. The request and the entitlements granted are logged for audit purposes. User access is provisioned to the PAM tool. The user gets privileged access per the policy and constraints defined.

Pre-requisites:
  • Role and entitlement catalog has been built and populated.
  • Approval process is defined for each role and entitlement.
  • Policies are defined for what is considered privileged access.
  • Policies are defined providing conditions and constraints for privileged access.
  • Service accounts for authentication to the PAM tool with rights to assign access.

Supporting Member Companies: BeyondTrust, Centrify, CyberArk, Fischer Identity, Omada, Remediant, SailPoint, Saviynt, SecZetta

Context Transfer: Account to be granted privileged access and entitlement to be granted.

Title: IGA Initiates Privileged Access Provisioning Workflow

Technology Components:
  • ITSM (IT Service Management)
  • Identity Governance and Administration
  • Privileged Access Management

Description: User initiates a service request for privileged access from the ITSM service catalog. A workflow is initiated and is routed to the appropriate approver(s) based on the policy defined in the ITSM tool. The business case is reviewed, and approval is granted. The request and the entitlements granted are logged for audit purposes. ITSM hands off to IGA to provision user access to the PAM tool. The user gets privileged access per the policy and constraints defined.

Pre-requisites:
  • ITSM service catalog has been built and populated.
  • Approval process is defined for each role and entitlement.
  • Policies are defined for what is considered privileged access.
  • Policies are defined providing conditions and constraints for privileged access.
  • Service accounts for authentication to the PAM tool with rights to assign access.

Supporting Member Companies: BeyondTrust, Centrify, CyberArk, Fischer Identity, Omada, SailPoint, Saviynt, SecZetta

Context Transfer: Account to be granted privileged access and entitlement to be granted.
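Both implementation approaches above describe the same control flow: a request against a catalog, routing to policy-defined approvers, an append-only audit trail, and provisioning to the PAM tool only after approval and only within defined constraints. The following is an added example written for this page (not code from IDSA or any member company) that models that flow in Python. The catalog, approver roles, user names, the `INC-123` ticket reference and the in-memory "PAM" are all constructed assumptions; a real deployment would read the catalog from the IGA tool and call the PAM product's provisioning API through the service account named in the pre-requisites.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role and entitlement catalog (assumption: in practice this lives in
# the IGA or ITSM tool). Each entry says whether the entitlement is privileged,
# which approver roles policy routes the request to, and the maximum grant duration.
CATALOG = {
    "linux-prod-root": {"privileged": True, "approvers": ["manager", "platform-owner"], "max_hours": 8},
    "db-prod-dba":     {"privileged": True, "approvers": ["manager", "data-owner"], "max_hours": 4},
    "wiki-editor":     {"privileged": False, "approvers": ["manager"], "max_hours": None},
}


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    entitlement: str
    justification: str
    decisions: dict = field(default_factory=dict)  # approver role -> True/False
    status: str = "pending"                         # pending | approved | rejected


class ProvisioningWorkflow:
    """Routes requests to policy-defined approvers, logs every step, and hands only
    fully approved, time-bounded grants to the (simulated) PAM tool."""

    def __init__(self, now=None):
        self.now = now or datetime.now(timezone.utc)
        self.audit_log = []      # append-only evidence for auditors
        self.pam_grants = []     # what the simulated PAM tool has been told to provision
        self._seq = 0

    def _log(self, event, **fields):
        self.audit_log.append({"ts": self.now.isoformat(), "event": event, **fields})

    def submit(self, requester, entitlement, justification):
        """Step 1: the user requests a catalog entitlement with a business justification."""
        if entitlement not in CATALOG:
            raise ValueError(f"entitlement not in catalog: {entitlement}")
        if not justification.strip():
            raise ValueError("business justification is required")
        self._seq += 1
        req = AccessRequest(f"REQ-{self._seq:04d}", requester, entitlement, justification)
        self._log("request.submitted", request_id=req.request_id, requester=requester,
                  entitlement=entitlement, routed_to=list(CATALOG[entitlement]["approvers"]))
        return req

    def decide(self, req, approver_role, approver_id, approved, reason=""):
        """Step 2: an approver holding a role named by policy records a decision.
        Anyone outside the policy, or the requester approving themselves, is refused."""
        policy = CATALOG[req.entitlement]
        if req.status != "pending":
            raise ValueError(f"{req.request_id} is already {req.status}")
        if approver_role not in policy["approvers"] or approver_id == req.requester:
            self._log("approval.refused", request_id=req.request_id, by=approver_id, role=approver_role)
            raise PermissionError(f"{approver_id} ({approver_role}) may not approve {req.request_id}")
        req.decisions[approver_role] = approved
        self._log("approval.recorded", request_id=req.request_id, role=approver_role,
                  approver=approver_id, approved=approved, reason=reason)
        if not approved:
            req.status = "rejected"
            self._log("request.rejected", request_id=req.request_id)
        elif all(req.decisions.get(role) for role in policy["approvers"]):
            req.status = "approved"
            self._provision(req, policy)
        return req.status

    def _provision(self, req, policy):
        """Step 3: only after every required approval, hand the grant to the PAM tool,
        carrying the constraint (expiry) that policy defines for the entitlement."""
        expires = policy["max_hours"] and (self.now + timedelta(hours=policy["max_hours"])).isoformat()
        grant = {"request_id": req.request_id, "user": req.requester,
                 "entitlement": req.entitlement, "privileged": policy["privileged"],
                 "expires_at": expires or None}
        self.pam_grants.append(grant)
        self._log("pam.provisioned", **grant)

    def grants_for(self, user):
        return [g for g in self.pam_grants if g["user"] == user]


def demo():
    """Walk one request through full approval and one through rejection."""
    wf = ProvisioningWorkflow(now=datetime(2024, 1, 1, tzinfo=timezone.utc))
    ok = wf.submit("alice", "linux-prod-root", "Incident INC-123 (constructed): rotate host keys")
    wf.decide(ok, "manager", "bob", True)
    wf.decide(ok, "platform-owner", "carol", True, "scoped to the incident window")
    bad = wf.submit("dave", "db-prod-dba", "curious")
    wf.decide(bad, "manager", "bob", False, "no change ticket")
    return wf


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The points worth checking in a real integration are the same ones the code enforces: a request with one of two required approvals stays pending and nothing reaches PAM; an approver role not named in the catalog policy is refused and the refusal itself is logged; and the grant handed to PAM carries the expiry from policy rather than being open-ended.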