Description: All enterprise accounts and entitlements are disabled and removed based on the results of a governance process (a lifecycle event or an access attestation).
Benefit: Helps satisfy audit and compliance requirements. Reduces the risk of a breach caused by excessive or orphaned access.
Implementation Approaches
- Automated De-provisioning through Directory Updates
- Automated De-provisioning Directly Triggered in the Application
- Manual Process
Security Frameworks
NIST Cybersecurity Framework 1.1
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
- PR.AC-3: Remote access is managed
NIST SP 800-207: Zero Trust Architecture
- 3.1.1: The enhanced identity governance approach to developing a ZTA uses the identity of actors as the key component of policy creation.
- 6.3: Subject provisioning is a key component of ZTA.
| Title | Automated De-provisioning through Directory Updates |
| --- | --- |
| Technology Components | Identity Governance and Administration (IGA); Access Management (AM) |
| Description | The governance system is set up to modify content in a corporate directory (AD/LDAP). Typical lifecycle events act as triggers for the governance system: application changes, role changes or user departure can all lead to deprovisioning of accounts and entitlements. The governance system understands how directory content (users, user attributes, groups and group memberships, etc.) maps to specific applications and their accounts and entitlements, and is integrated with the directory through well-known directory interfaces (for example LDAP modify operations) to change access accordingly. Note that disabling a directory account or removing a group membership does not by itself end sessions or invalidate tokens the access management system has already issued; session revocation has to be handled in the AM layer. |
| Pre-requisites | Relevant applications are integrated with a directory for user/entitlement management; the directory is integrated with the identity governance system so that the IGA can modify user, attribute and entitlement objects in the directory; the directory is also integrated with the access management system for authentication and authorization, so that a disabled account or removed membership takes effect at the next access decision; appropriate triggers have been implemented based on HR system policy or on the attestation process. |
| Supporting Member Companies | Fischer Identity, ForgeRock, Okta, Omada, Ping Identity, SailPoint, Saviynt, SecZetta |
| Title | Automated De-provisioning Directly Triggered in the Application |
| --- | --- |
| Technology Components | Identity Governance and Administration (IGA); Access Management (AM) |
| Description | The governance system is set up to handle provisioning and deprovisioning of accounts and entitlements. Typical lifecycle events act as triggers for the governance system: application changes, role changes or user departure can all lead to deprovisioning of accounts and entitlements. The governance system is integrated with the target application(s)/system(s) through their programming interfaces to change access accordingly. The governance system should confirm the result of each API call and reconcile it against the application's actual account state, since a failed call that goes unnoticed leaves orphaned access in place. |
| Pre-requisites | APIs are available in the applications for deprovisioning (disabling or removing accounts and entitlements) by an API client; relevant applications are integrated with the identity governance system; appropriate triggers have been implemented based on HR system policy or on the attestation process. |
| Supporting Member Companies | Fischer Identity, ForgeRock, Okta, Omada, Ping Identity, SailPoint, Saviynt, SecZetta |
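As an added example (not taken from the original page or from any listed vendor's product), the Python below turns the lifecycle triggers described in both automated approaches into concrete deprovisioning changes: LDIF modify records for the directory approach, which any AD/LDAP server accepts through ldapmodify, and SCIM 2.0 PatchOp requests (RFC 7644) for the application approach. It also shows the two checks a practitioner wants: a role change removes only the memberships no remaining role still justifies, and a post-deprovisioning scan reports any role-governed access left behind. The DNs, role-to-group mapping, application names and SCIM user ids are hypothetical; the userAccountControl values are the standard Active Directory ones.

```python
"""Added example: map identity-lifecycle events to deprovisioning changes.

Directory approach   -> LDIF modify records (consumable by ldapmodify against AD/LDAP).
Application approach -> SCIM 2.0 PatchOp requests (RFC 7644) that deactivate the user.
All DNs, roles, group names, app names and SCIM ids below are hypothetical."""
from dataclasses import dataclass, field
import json

# Hypothetical role model: each role grants membership in these directory groups.
# Groups not listed here (e.g. birthright groups) are outside this role policy.
ROLE_GROUPS = {
    "finance-analyst": {"cn=erp-readers,ou=groups,dc=example,dc=com",
                        "cn=bi-viewers,ou=groups,dc=example,dc=com"},
    "payroll-admin":   {"cn=erp-readers,ou=groups,dc=example,dc=com",
                        "cn=erp-payroll,ou=groups,dc=example,dc=com"},
}
GOVERNED_GROUPS = set().union(*ROLE_GROUPS.values())

# Active Directory userAccountControl: NORMAL_ACCOUNT and NORMAL_ACCOUNT|ACCOUNTDISABLE.
UAC_ENABLED, UAC_DISABLED = 512, 514


@dataclass
class User:
    dn: str
    roles: set
    groups: set                                   # current group DNs in the directory
    scim_ids: dict = field(default_factory=dict)  # app name -> SCIM user id in that app


def groups_for(roles):
    """All directory groups justified by the given set of roles."""
    return set().union(*(ROLE_GROUPS.get(r, set()) for r in roles))


def ldif_remove_member(group_dn, user_dn):
    """One LDIF change record deleting a single member value from a group."""
    return f"dn: {group_dn}\nchangetype: modify\ndelete: member\nmember: {user_dn}\n-\n"


def ldif_disable_account(user_dn):
    """One LDIF change record setting the AD account-disabled flag."""
    return (f"dn: {user_dn}\nchangetype: modify\nreplace: userAccountControl\n"
            f"userAccountControl: {UAC_DISABLED}\n-\n")


def scim_deactivate(app, scim_user_id):
    """SCIM 2.0 PatchOp that sets active=false: a disable rather than a delete, so
    the record stays available for audit and can be reversed if the trigger was wrong."""
    body = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "value": {"active": False}}]}
    return {"app": app, "method": "PATCH",
            "path": f"/Users/{scim_user_id}", "body": json.dumps(body)}


def plan_role_change(user, new_roles):
    """Role-change trigger: remove only memberships that no remaining role still
    justifies. A group granted by two roles survives the loss of one of them."""
    lost = (groups_for(user.roles) - groups_for(new_roles)) & user.groups
    return [ldif_remove_member(g, user.dn) for g in sorted(lost)]


def plan_departure(user):
    """Departure trigger: disable the directory account first (blocks new logins
    even if a later step fails), strip every group membership, then deactivate
    the user in each API-integrated application."""
    ldif = [ldif_disable_account(user.dn)]
    ldif += [ldif_remove_member(g, user.dn) for g in sorted(user.groups)]
    scim = [scim_deactivate(app, sid) for app, sid in sorted(user.scim_ids.items())]
    return ldif, scim


def residual_governed_access(user):
    """Post-deprovisioning check an IGA should run after re-reading the directory:
    any role-governed group still held is access that was not actually removed."""
    return sorted(user.groups & GOVERNED_GROUPS)


def make_demo_user():
    """Constructed sample user (hypothetical); also holds a birthright group."""
    return User(
        dn="cn=jdoe,ou=people,dc=example,dc=com",
        roles={"finance-analyst", "payroll-admin"},
        groups=GOVERNED_GROUPS | {"cn=all-staff,ou=groups,dc=example,dc=com"},
        scim_ids={"crm": "2819c223-7f76-453a-919d-413861904646", "hris": "u-90417"},
    )


if __name__ == "__main__":
    u = make_demo_user()
    print("# role change finance-analyst+payroll-admin -> payroll-admin")
    print("\n".join(plan_role_change(u, {"payroll-admin"})))  # blank line separates LDIF records
    ldif, scim = plan_departure(u)
    print("# departure: LDIF")
    print("\n".join(ldif))
    print("# departure: SCIM requests")
    for req in scim:
        print(req["app"], req["method"], req["path"], req["body"])
    print("# governed access still held:", residual_governed_access(u))
```

Running the script prints the LDIF for the role change (only the bi-viewers membership goes, because erp-readers is still justified by payroll-admin), then the departure plan: the disable record followed by four membership removals and two SCIM PATCH requests. In a real integration the LDIF would be applied and the SCIM requests sent with the IGA's service credentials, and residual_governed_access would be evaluated on a fresh read of the directory rather than on the planner's input object.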
| Title | Manual Process |
| --- | --- |
| Technology Components | Identity Governance and Administration (IGA); Access Management (AM) |
| Description | Typical lifecycle events act as triggers for the governance system: application changes, role changes or user departure can all lead to deprovisioning of accounts and entitlements. Depending on the setup, the governance system is integrated with an internal ticketing system, email and/or a collaboration system to generate a human workflow in which the application or business owners of the respective systems carry out the deprovisioning task manually. Because nothing is removed until a person acts, each task should be tracked to closure and the governance system should record the completion so the removal can be evidenced at audit. |
| Pre-requisites | A ticketing system, email and/or a collaboration system is integrated with the governance system; appropriate triggers have been implemented based on HR system policy or on the attestation process; users responsible for manually deprovisioning access are given sufficient details or instructions on how to modify the account/entitlement information accordingly. |
| Supporting Member Companies | Fischer Identity, Okta, Omada, SailPoint, Saviynt, SecZetta |