Application Access Governance (AAG) is Saviynt’s Governance, Risk, and Compliance (GRC) solution that protects data security and privacy by setting access controls that limit users’ access to the organization’s on-premises, hybrid, or cloud services, systems, networks, or software. The solution helps organizations achieve compliance across all cloud and on-premises applications — and provides organizations with cross-application GRC capabilities. These additional features expand on typical GRC solutions to support multiple ERP environments.
The ultimate goal of any GRC model is to create standardized, measured, controlled, repeatable processes that allow for continual process improvement and optimization. To do this, we use the Capability Maturity Model as a guide to setting up and maintaining a well-run risk environment. Organizations don’t have to implement AAG for every application all at once. They can begin with their key financial system, for example, and then add relevant and interactive systems that are in scope for SOX, HIPAA, etc. This additive approach can continue until they have addressed the full range of their environment.
To understand an AAG implementation let’s break the Capability Maturity Model into three phases: Get Clean, Stay Clean, and Optimize.
“Getting Clean,” is achieved by establishing risk rulesets, executing detective risk reports and usage analysis, and documenting mitigating controls.
The risk ruleset tells you when you have a Separation of Duties (SoD) or a sensitive access risk. You can address the risks in SoD reports through either mitigation (applying a control to monitor risk for users) or remediation (removing the access causing the risk). And then, you will need to document the controls that help you address those risks.
Steps in the Get Clean phase
To meet the goal of a standardized and measured risk environment, you will need to assess the current risk environment for single and cross-application SoDs, establish a risk management approach, and address the risks detected in the current environment. The result is a clean state, meaning you have no unknown risks in your environment. Risks have been quantified and addressed, either by removing the risk through remediation or by addressing it with a mitigating control, which will monitor it for you. Once you’ve done that, you need to stay clean.
Now that you’ve done the detective work, you can “Stay Clean” by moving forward into an automated provisioning and risk management process. This step enables you to implement preventative risk checks during access provisioning, ensuring that you’re addressing the risks of anyone who’s coming in or moving around in the business in a preventive and proactive manner.
To succeed, you’ll need a solution that ensures no stale access remains assigned for users as job responsibilities change by revalidating their access on an audit-approved frequency with access certifications (also called User Access Reviews or UARs). With automated provisioning and risk management processes, you can address joiner, mover, and leaver events in access requests workflows – through access provisioning and deprovisioning.
Steps in the Stay Clean phase
For example, when someone changes jobs (a mover) within an organization, they may get their new access but their legacy access isn’t removed, which increases risk in the environment. By using access certifications on a standardized basis, that access is reviewed and reapproved or removed. So a solution that offers automated provisioning and access reviews keeps your access clean and removes anything that’s stale.
Another scenario involves utilizing emergency access requests, also referred to as firefighter or elevated access requests. Such requests are granted on an emergency basis and are rescinded when the emergency situation is resolved, reducing risk. Regular access certification and use of emergency access management processes ensure that no standing elevated access is allowed and that critical access is limited, which keeps the environment secure. Again, as your process matures and you begin managing all of your users, you can review essential access more closely.
Another critical capability to help you “stay clean” is usage tracking. Usage tracking ensures access requests and recertifications get reviewed to determine if the access is being utilized and is truly necessary or if removal can reduce the overall risk exposure. Once these capabilities are achieved, you have established a controlled and repeatable set of processes for providing access reviews and elevated access. Now you must keep your system optimized on an ongoing basis.
The focus of the optimization phase is on continuous compliance monitoring through further cleanup of unused or excessive access. This stage can be accomplished with a solution that offers built-in controls, integrated risk simulations, and role entitlement / engineering management tools. These allow you to focus on continually improving your environment after establishing a documented, repeatable, and automated risk management process. A solution that can provide role mining views and access analytics reporting is ideal here. Additionally, the environment can be further optimized by a solution that provides license cleanup and realignment reviews.
Steps in the Optimize phase
Out-of-the-box compliance controls provide visibility for SOX, HIPAA, GDPR, and other regulatory requirements. Integrated risk simulations allow for review of possible role or user changes and the SoD risk impact of those changes, prior to submitting requests. Additionally, role entitlement / engineering management tools allow for deep-dive analysis to review existing entitlement design and determine if adjustments should be considered based on usage of various user groups. Each of these features supports the ongoing optimization and management of your application environments.
At this point, you’ve addressed existing detected risks – and implemented preventative risk detection, automated access provisioning, certifications, and emergency access requests. So you can now optimize the environment by managing and monitoring environmental controls on an ongoing basis, establishing a complete customer lifecycle end-to-end, and avoiding gaps that may result in audit and compliance concerns.
Once your organization Gets Clean, Stays Clean, and Optimizes, you can govern who gets access and how, secure what access is provided, and maintain complete visibility to access risk and compliance initiatives on an ongoing basis.
Separation of Duties (SoD) ensures that no user should be able to perform unauthorized transactions. Fine-grained SoD and Sensitive Access entitlement rulesets for individual applications – and cross-application checks – ensure that the business has a baseline for its customized risk appetite.
Once a company implements risk rulesets, it requires a baseline of the current risk environment. Executing a detective risk report establishes the current state and drives the future state goals.
Access request workflows ensure that all identity events (joiner, mover, and leaver) get addressed – by requiring proper access approvals and preventative risk analysis checks – before access changes are completed in the system. This cuts down on human error associated with the provisioning and deprovisioning process.
Scheduled access certifications keep the environment clean by ensuring no stale access remains for users as job responsibilities change. Access revalidations should be completed in alignment with audit-approved frequency for each application. A solution that allows you to automate access reviews will reduce errors and save time and effort required to conduct manual access reviews. And by using access certifications on a standardized basis, access is reviewed and reapproved or removed, keeping your access clean – and removing anything that’s stale – on an ongoing basis.
Enforcing a standard of no standing elevated access keeps the environment secure by limiting critical system access and requiring approvals and monitoring for any approved and provisioned temporary emergency access. Because emergency access (often referred to as a firefighter or an elevated access request) must be provided quickly, a solution that enables real-time emergency access and monitors it reduces situations in which the access isn’t rescinded once the emergency is over.
Instituting automated persistent controls monitoring, standardized documentation & training on governance processes, and enforcing ruleset maintenance, ensures that the environment remains low risk. By maintaining a clean user-risk population (no unmitigated risks exist for users), you can meet the end goal of a managed and monitored environment.
As access utilization changes in applications, role entitlements should be updated accordingly. Part of optimizing a system is continually monitoring usage and functionality changes to reduce excess access and meet the least privileged access goals. When a governance process has achieved a “clean” status, security managers can shift their focus and free up time to analyze design patterns and access usage to align entitlements to user needs better.
Ongoing license management reviews support license reclassification as user functionalities change. This reclassification maintains a license structure that reflects the actual business usage and avoids cost overages due to incorrect license assignments.
Reduce segregation of duties (SoD) risks with out-of-the-box risk & security controls
Use Break-the-Glass provisioning capabilities to control temporary access & continually monitor access
Bring critical risks forward for remediation & optimize your security team’s workload
Guard enterprise apps with cloud-architecture in ways that legacy systems can’t
Utilize risk-aware certifications, license management, and alerts on risky requests
Manage multiple applications and give compliance managers the reports they need
Both products provide similar features such as SoD Management at the coarse-grained level, risk-based access requests and workflows, risk-based access certification, identity analytics, and control library. AAG extends those capabilities with fine-grained SoD management across applications, out-of-the-box SoD rulesets, mitigating controls and regulatory compliance controls along with role mining & engineering, privileged access management with log review, and license management to meet the needs of cross-application governance.
It’s an organized approach to ensure your GRC system is operating in the most efficient manner. By assessing and minimizing risks, provisioning access with preventative risk analysis, completing access certifications, and monitoring and managing access requests, companies can ensure they have automated lifecycle management, security to support audit, compliance, and zero trust requirements, along with continuous compliance monitoring. Learn more about the three-step process in our white paper.
Since different applications come from different vendors, each has its own unique security model. With coarse-grained visibility, the GRC solution may be able to see SoD violations at the highest levels of the security models, but in practice, SoD violations typically occur several steps into a business process. Fine-grained visibility allows the GRC solution to follow the business process deeper into the security model to identify potential violations.
With the exponential growth of cybersecurity attacks, regulations are becoming stricter to ensure companies are building more robust security. Many companies are transitioning to new technologies to run their business and need a way to manage identities across all of their applications. The pandemic also added concerns about remote work and its impact on identity security.
To streamline processes, many companies are replacing their manual or legacy GRC solutions to improve the level of automation within their GRC landscape. They want to centralize and automate controls monitoring and management capabilities while simplifying user provisioning and access management. They also need to provide strategic and centralized visibility into potential risk and fraud while facilitating audit planning and performance.
Most companies today operate in an environment where they have multiple ERP applications in addition to line-of-business applications. Single product GRC solutions like SAP and Oracle only manage their applications and don’t have the ability to look across applications for SoD violations that may occur when a business process spans multiple applications.
Rather than having several point products including AAG to govern identity, Saviynt provides an end-to-end cloud-native platform that simplifies identity management. A single vendor relationship and a consistent end-user experience streamline identity management across applications, providing privileged access, onboarding and managing third-party users, and governing the use of data throughout the enterprise.