Identity and Access Governance
Identity and access governance refers to a set of business processes whose cumulative effect is to ensure that identities and security entitlements are managed effectively and securely. In other words:
- Only users who legitimately require access, based on business context, are assigned active identities.
- Once access is no longer required, identities are deactivated in a reliable, complete and prompt fashion.
- In between the above two points in time (onboarding and deactivation), only business-appropriate security entitlements are granted.
- There is evidence (audit logs) of the above process being executed as described.
Processes which may contribute to the above identity and access governance goals include:
- Role-based access control (RBAC) -- so that users are assigned exactly the security entitlements appropriate to their job function.
- Access certification -- to periodically or in response to business events review and correct the security entitlements assigned to users.
- Segregation of duties policy enforcement -- to prevent users from acquiring "toxic" combinations of security entitlements.
- Automated access deactivation -- to ensure that no-longer-needed identities are deactivated promptly and reliably.
- An authorization workflow -- to ensure that changes to identities and entitlements are reliably approved by appropriate business stake-holders before being committed.
- Privileged access management -- to lock down access to accounts with elevated security rights.