Capability Maturity Identity and Access Governance

Earlier in my career, I held several positions, inside and outside of the Big 4, where I was relied upon to manage or respond to an organization’s IT audit. It wasn’t too far into my career when I had one of those a-ha moments that altered the course of my work in this industry and changed my mindset as to how I would dedicate my efforts moving forward. I noticed that auditors are well trained at finding problems, and in rare cases some of them are even adept at providing solutions. However, I continually observed an inability to see the forest for the trees, and that inability has caused so many companies to fall short of truly tackling the problems at their doorsteps with inspired vision.

It isn’t necessarily the auditor’s fault that a company doesn’t find a way to improve its processes or design controls that will ensure the successful execution of a process’s intended design. For decades, organizations have focused on getting over the low bar the auditor has decreed to be the minimum passing grade. For years, organizations have let their auditors dictate what should be considered important without ever taking the time to define what’s important on their own. You may be reading this thinking that’s not true about your company, but in my experience it probably is: your company is more focused on meeting minimum standards than on developing mature programs that improve its ability to protect from and respond to cybersecurity events while remaining agile enough to adapt to unexpected nuances that could alter its projections or the achievement of its goals.

It often doesn’t take very much to derail the mechanisms in place that have been designed to help a company stay on track towards achieving its goals. A smart company has analyzed what could go awry for each business activity within every process designed to help the company meet its objectives. A recent study shows that almost 75% of all frauds committed at over $1M had some internal involvement. I would venture to guess that many of the companies subject to this fraud believed their control environments were effective. Yet fraud still happened. Why? Is it about culture? Must we expect that there are always going to be a few bad apples? Were their controls ineffective? Was their approach to security to respond instead of to prevent? There are probably signs that each of these reasons is partially to blame. What can a company do to avoid these mishaps going forward, by efficient and cost-effective means, when that company doesn’t really know the full extent of its security posture in the first place?

Developing mature security programs

There are a lot of different capability maturity models (CMMs) out there that a company can use as a roadmap for improving and maturing its security programs. The key is putting the program in place and having appropriate governance not only to guide these programs but also to legitimize them and provide tone-from-the-top support. For many companies, this starts with understanding their “As-Is” processes across the several information security domains. Before a company can understand where it would like to be tomorrow, it needs to make an exhaustive assessment of where it is today. Sounds simple, but you would be surprised at how few companies have performed exhaustive risk assessments across their enterprise, and more surprised by the number of companies that have performed such assessments and have done little to address their vulnerabilities months after the assessments were completed. An example of a capability maturity model is provided in the figure below.

Saviynt capability maturity model

Mature programs are in a constant state of optimizing their controls to prevent cybersecurity events from happening. Immature programs are most often reacting to findings or events. They respond to audit comments by purchasing point solutions to rectify exceptions on an ad-hoc basis. Rarely do you see these organizations building IT programs with steering committees and built-in governance activities aimed at going beyond minimum standards or passing grades for different regulatory initiatives.

Software products, such as Saviynt, can be very effective in accelerating a company’s maturity level for these domains and can drastically improve an organization’s security posture in mere months. The controls bulleted below show the capability to provide comprehensive coverage for multiple identity and access management controls. Most organizations tackling these issues today have required multiple products to provide a comprehensive solution. Now there are options that can provide all of these controls within one product, lessening the administrative burden and the cross-application integration issues that arise when point solutions are used to solve a systemic problem.

Here are some of the key areas in which a product such as Saviynt can help solve these problems by enhancing the overall security posture and not just meeting the compliance checklist:

  • IDENTITY ACCESS GOVERNANCE

– In a recent survey conducted by Gartner on products in this space, Saviynt scored the highest among all other companies providing these services. Saviynt’s product has enabled several organizations to provision and govern access across scores of applications within their enterprise.

  • RISK-BASED ACCESS CERTIFICATION

– Saviynt utilizes customizable workflows that allow multiple levels of approval depending on the risk associated with the access being assigned. Companies no longer have to worry about where to find approvals in order to certify access, as it is all performed within the Saviynt product.

  • SOD ANALYSIS AND REMEDIATION

– Saviynt offers an extensive library of SoD and critical access rules across a multitude of applications (SAP, SAP HANA, Oracle EBS, Oracle ERP Cloud, PeopleSoft, JD Edwards, Microsoft Dynamics GP, Workday, Salesforce, Epic and many others). There are no other products in the marketplace that can singularly address SoD analysis for as many applications within one product.

  • ROLE DESIGN AND MANAGEMENT

– Saviynt offers a comprehensive solution that combines top-down and bottom-up techniques for managing role design and has the unique ability to define roles according to business functions. This ensures effective SoD validation by identifying the permissions that fall outside the role framework and applying those controls to exception access.

  • PRIVILEGED ACCOUNT AND EMERGENCY ACCESS MANAGEMENT

– Saviynt manages emergency, break-glass procedures to provide time-bound, on-demand privileged access without having to add more point solutions to satisfy requirements. Additionally, when privileged access is granted, Saviynt can provide visibility into the transacted activities to give assurance that nothing inappropriate was transacted, and can alert control owners in case of failure, so that the process is not reactive and evaluated months later.

  • TRANSACTION MONITORING

– Saviynt provides several analytics that can easily be customized to provide preventive transactional monitoring of the kind typically only provided by detective reports or audit logs. Fraud risk assessment analytics and basic transactional analytics are provided in real time for process owners to assimilate.

  • CONFIGURATION & SECURITY CONTROLS MONITORING

– Saviynt provides a framework with out-of-the-box controls to meet different compliance mandates, as well as rich analytics dashboards with security controls that include configuration monitoring to identify potential security risks in critical applications as they occur in real time.
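The SoD analysis and role-framework exception detection described above, reduced to their core logic as an added illustration (not Saviynt code and not from the original post): SoD rules, critical-access entitlements, business-function roles and users are all constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed SoD rules: two entitlements that must not be held together, plus a risk rating.
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_PAY_INVOICE", "high"),
    ("GL_POST_JOURNAL", "GL_APPROVE_JOURNAL", "high"),
    ("HR_CHANGE_PAYRATE", "PAYROLL_RUN", "medium"),
]

# Constructed critical-access entitlements: flagged whenever held, no pairing needed.
CRITICAL = {"SAP_ALL", "DB_ADMIN"}

# Constructed role framework: roles defined by business function.
ROLES = {
    "AP_CLERK": {"AP_CREATE_VENDOR", "AP_VIEW_INVOICE"},
    "AP_PAYMENTS": {"AP_PAY_INVOICE", "AP_VIEW_INVOICE"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    direct: set = field(default_factory=set)     # entitlements granted outside any role
    mitigated: set = field(default_factory=set)  # SoD rule indexes with a documented compensating control


def role_entitlements(user):
    """Entitlements the user holds through the role framework."""
    ents = set()
    for role in user.roles:
        ents |= ROLES.get(role, set())
    return ents


def analyze(user):
    """Return (kind, subject, risk, status) findings for one user."""
    role_ents = role_entitlements(user)
    ents = role_ents | user.direct
    findings = []
    for rule_id, (a, b, risk) in enumerate(SOD_RULES):
        if a in ents and b in ents:  # conflict exists regardless of how each side was granted
            status = "mitigated" if rule_id in user.mitigated else "open"
            findings.append(("sod", f"{a}+{b}", risk, status))
    for ent in sorted(CRITICAL & ents):
        findings.append(("critical", ent, "high", "open"))
    for ent in sorted(user.direct - role_ents):  # exception access: outside the role framework
        findings.append(("exception", ent, "review", "open"))
    return findings
```

A mitigated conflict is still reported, so certification reviewers see the compensating control rather than an empty report.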

To catapult an organization’s capability maturity across information security domains such as Identity and Access Governance, organizations are demanding solutions that address several control objectives in a cost- and time-effective manner. Products, such as Saviynt, that have been highly touted by organizations (e.g. Gartner) for bringing such capabilities to market are in great demand. Costly point solutions that address only a portion of an organization’s enterprise are quickly fading, and these software companies are scrambling to adapt to customers that demand more than what they can provide.

Jeff Purrington

About author

Jeff Purrington, Director of Product Management at Saviynt, has over 20 years of experience in technology, audit, risk, and controls. His expertise is primarily focused around ERP controls and information security programs aimed at achieving compliance with regulatory initiatives such as SOX, HIPAA and PCI-DSS.
