Category Archives: Access Governance

Aveksa Named a Leader in Gartner Magic Quadrant

We’re pleased to announce that Aveksa was named a Leader in the new “Magic Quadrant for Identity and Access Governance”, published last month by Gartner. In the report, the authors (Gartner Analysts Earl Perkins and Perry Carpenter) state: “managing identity and access is more than an operational concern. Rather, it requires governance of identity and entitlement life cycles in the enterprise.”

They also note that the need for (and recognition of the need for) identity and access management governance is growing – they estimate that IAG-led projects will double from one-third of all IAM projects, to two-thirds by 2013.

We’re happy to have been named a leader in this report, and are grateful to our customers — the reason for our success.

Account versus Entitlement Reviews (part 2)

Continuing from my previous entry on this topic, I’d like to look further at the different approaches to capturing user entitlement information, specifically the merits of doing so at the account level versus at the entitlement level. Typically, a system that provides more insight into the details of which application (or data) entitlements a user holds is better – so that the appropriate people in the organization can make better informed, more granular access decisions.

But, in two scenarios, it does make sense to capture and use data just at an account level. The first situation is a period of transition – where the organization may not yet have the infrastructure or capability to capture, normalize, process, and present detailed entitlements to reviewers (or to users requesting access). This is a perfectly fine approach, and can be quite useful as a way to put business processes for review or access request in place, and to begin to familiarize end users with them – as long as there’s a concrete plan to ultimately move to reviewing and requesting at the entitlement level. Reviews shouldn’t be left indefinitely at the account level – it simply doesn’t provide enough visibility or control, isn’t audit-proof, and will likely lead to a false sense of security.

The second scenario is when the information about an account’s existence is in fact sufficient for its designated purpose. For example, one of our customers keeps track of which employees have accounts on their mainframe system. None of the applications on the mainframe are subject to entitlement reviews, so they don’t need to capture the entitlement details. Instead, they use the account information as part of their Leaver process – so that when a person departs the organization, IT has a clear view of whether or not a mainframe account needs to be deprovisioned, and can act accordingly. This is a simple yet effective scenario, and a great example of the value of having an Access Management Database (XMDB) with complete information about identities and access, even beyond the traditional focus of access governance systems.

In general, of course, organizations need to capture and operationalize a detailed view of user entitlements in order to meet their access-related security and compliance goals.

IT Business Edge: Making It Easier to Do the Right GRC Thing

Here’s a link to a new article in IT Business Edge, summarizing a discussion with Aveksa CEO Vick Vaishnavi. In this article, the author succinctly explains the challenges around governing user access, and how Aveksa’s solutions can help improve security and efficiency.

Account versus Entitlement Reviews

In my role at Aveksa, I’m fortunate enough to be able to talk to customers and prospective customers on a regular basis. I truly enjoy meeting these folks, asking a few questions, and learning about their Identity Management priorities, challenges, and the business and technology drivers behind them. People love to talk about what they do, and always seem happy to share.

One of the things I’ve noticed periodically is that organizations will review user access at the account level – making access decisions based on whether an individual has an account in a given application, and not on what specific capabilities they have within the app. This is arguably better than nothing, but also arguably worse than nothing!

I’ve tried to summarize the pros and cons of such an approach below:

Access Reviews at the Account Level

Pros

  • Satisfies “checkbox” audit requirements
  • Will remove some unauthorized access rights
  • Increases awareness of this application from a security perspective
  • Establishes processes for account data collection, and ownership of review process

Cons

  • May not satisfy auditors’ requirements
  • Cannot distinguish scope of user access rights
  • May lead to false sense of security

While access certification at the account level is less than ideal, on balance it can be quite useful as a transitory state, to help the organization begin to establish access governance processes, ownership, and accountability. For most applications and resources, it shouldn’t be considered a desired end state**.

The good news is that all the enterprises I’ve spoken with recognize that the correct approach is to perform access reviews at the entitlement level, and are determined to accomplish this.

** as always in life and computers, there are exceptions! I’ll be writing about this in an upcoming blog posting, under the category of “when doing a bad thing is good”
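To make the distinction drawn in the two “Account versus Entitlement Reviews” posts concrete, here is an added example (not Aveksa’s code) over a constructed, XMDB-like inventory: an account-level review sees only that an account exists for an active person, an entitlement-level review can compare each entitlement with a department policy, and the Leaver check from part 2 works from account existence alone. The people, applications, entitlements and policy are all constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample of an identity/access inventory (an XMDB-like view):
# people, the accounts they own per application, and the entitlements on each account.
@dataclass
class Account:
    app: str
    owner: str
    entitlements: set = field(default_factory=set)

PEOPLE = {  # constructed: user -> (department, employment status)
    "alice": ("finance", "active"),
    "bob": ("finance", "active"),
    "carol": ("engineering", "departed"),
}
ACCOUNTS = [
    Account("erp", "alice", {"AP_VIEW"}),
    Account("erp", "bob", {"AP_VIEW", "AP_APPROVE"}),   # broader than the policy allows
    Account("mainframe", "carol", set()),                # no entitlement detail collected
]
# Constructed policy: which entitlements each department may hold in each application.
ALLOWED = {("finance", "erp"): {"AP_VIEW"}}

def account_level_review(accounts):
    """Account-level review: the reviewer only sees that an account exists for an
    active person. bob's account looks identical to alice's; its scope is invisible."""
    return [(a.app, a.owner) for a in accounts if PEOPLE[a.owner][1] == "active"]

def entitlement_level_review(accounts):
    """Entitlement-level review: compare each entitlement with the department policy
    and return (app, owner, entitlement) triples that need a revoke decision."""
    findings = []
    for a in accounts:
        dept, status = PEOPLE[a.owner]
        if status != "active":
            continue  # departed users are handled by the leaver process below
        allowed = ALLOWED.get((dept, a.app), set())
        findings += [(a.app, a.owner, e) for e in sorted(a.entitlements - allowed)]
    return findings

def leaver_orphans(accounts):
    """Leaver process: account existence alone is enough to decide that the account
    of a departed person must be deprovisioned, even with no entitlement detail."""
    return [(a.app, a.owner) for a in accounts if PEOPLE[a.owner][1] == "departed"]
```

The account-level pass returns both finance accounts with nothing to act on, while the entitlement-level pass surfaces bob’s extra entitlement; the leaver check flags carol’s mainframe account regardless of what entitlements it carries.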

Introducing Access Fulfillment Express

Today, all of us at Aveksa are pleased to announce a new product offering, Access Fulfillment Express™ (which we affectionately refer to as AFX). We’ve designed and built this product to address what we see as a clear need within our customer base, and in the Identity Management industry in general – a way to eliminate the cost, complexity, and frustration typically associated with provisioning implementations. Talking to customers, analysts, and other influencers, we’ve seen this frustration, and believe that the fundamental problem is that typical provisioning systems intermingle business logic and integration logic, and rely on a coding-centric implementation approach.

The result is that implementations take on the negative characteristics of point-to-point integration projects, where business policies (such as who should have access to what) are implemented at the same architectural layer, and with the same language, as integration mechanics (such as the mapping of a message to a set of application API calls).  We believe differently — that the business logic belongs at the access governance layer – it’s the only place with full identity context, with the ability to define rules and processes that are applicable to business users, and is independent of the technology and mechanics of target systems. And, that such systems should avoid the need for custom coding, and instead provide a configuration-centric solution.

Consider, for instance, the creation of a rule that controls the approval process for a user’s request for application access. This rule should be able to take into consideration attributes of the requested entitlement (such as its sensitivity), attributes of the requesting person (department, role), and full identity context (what other entitlements does this person have, and will this new one violate any SoD policies?). This rule should not be in any way connected to how the system integrates with the target application (which after all can and likely will change over time), and should definitely not be hard-coded in a programming language (thus requiring a software engineering cycle to make even minor adjustments).
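As an added illustration of the rule described above (this is not AFX code, and the policy tables, entitlement names and approver roles are constructed assumptions), the approval decision is expressed as configuration data evaluated against the request, the requester’s department and the requester’s existing entitlements, with no reference to how the target application is integrated:

```python
# Constructed configuration: the approval policy as data rather than code.
SENSITIVITY = {"AP_VIEW": "low", "AP_APPROVE": "high", "VENDOR_CREATE": "high"}
ENTITLEMENT_OWNER_DEPT = {  # which department owns each entitlement (constructed)
    "AP_VIEW": "finance", "AP_APPROVE": "finance", "VENDOR_CREATE": "procurement",
}
SOD_POLICIES = [  # sets of entitlements that no single person may hold together
    {"AP_APPROVE", "VENDOR_CREATE"},
]
APPROVAL_ROUTES = {  # (sensitivity, requester in owning department?) -> approver chain
    ("low", True): ["manager"],
    ("low", False): ["manager", "app_owner"],
    ("high", True): ["manager", "app_owner"],
    ("high", False): ["manager", "app_owner", "security"],
}

def sod_violations(existing, requested):
    """Return the SoD policies the requester would violate if the entitlement were granted."""
    held = set(existing) | {requested}
    return [policy for policy in SOD_POLICIES if policy <= held]

def decide(request, identity):
    """Evaluate an access request against the policy tables above.

    request  -- {"entitlement": name}
    identity -- {"department": name, "entitlements": [names already held]}
    Returns a rejection listing the violated policies, or the approver chain
    the request must pass through. Fulfilment on the target system is a
    separate, integration-layer concern and is not modelled here."""
    ent = request["entitlement"]
    violations = sod_violations(identity["entitlements"], ent)
    if violations:
        return {"decision": "reject", "reason": "sod",
                "violations": [sorted(v) for v in violations]}
    same_dept = ENTITLEMENT_OWNER_DEPT[ent] == identity["department"]
    route = APPROVAL_ROUTES[(SENSITIVITY[ent], same_dept)]
    return {"decision": "route", "approvers": list(route)}
```

Changing who must approve a high-sensitivity request from another department is an edit to APPROVAL_ROUTES, not a code change, which is the point of keeping the rule at the governance layer.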

The integration layer of AFX is based on a loosely-coupled, open approach – using a well-established communication architecture, the Enterprise Service Bus (ESB). By leveraging an open source ESB, and by publishing both the message format and the source code for the adapters used with AFX, enterprises can embrace AFX with full confidence in the solution’s extensibility and flexibility, without fear of investing in a proprietary, closed architecture.

In short, we believe that the combination of cleanly separating business logic from integration logic, and leveraging an open integration platform, will provide enterprises with the reduced costs and improved efficiency that they’ve been asking for. We’ll be writing more about AFX over the coming months, and look forward to discussing it with you.