Case Study #3: Technology & Product Review for Identity Governance & Administration
In the constantly changing and growing modern business environment, thanks to online accessibility, just about all of a business’s information can be accessed. Additionally, businesses face an ever more challenging landscape and tighter regulatory controls in order to protect their brands and meet the demands of the marketplace. Today’s businesses must operate with sophisticated, secure, and scalable means to assign, monitor, and control access to company resources. One of the major issues businesses must deal with is the safeguarding of that information. Harmful external influences such as hackers and malware are an expected threat. However, the bigger and potentially more damaging threat comes from within the business. Those internal threats often go undetected due to the level of trust placed in those individuals.
To aid in the prevention of this activity, Identity Management controls need to be instituted. Within Identity Management exists a sub-category known as Identity Governance and Administration (IGA). Gartner defines IGA as “The security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IGA addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments and to meet increasingly rigorous compliance requirements. This security practice is a crucial undertaking for any enterprise” (Perkins, 2013).
Today’s IT solutions increasingly leverage multiple platforms for mission-critical applications (Edwards, 2016). In recent years, the requirements placed on IGA tools have grown exponentially. These days it is important that a company’s IGA solution does not hinder it, but rather grows with it, seamlessly supporting its success.
IGA should also be thought of as an important business enabler, as it provides firms with agility in terms of both the application of controls and the ongoing monitoring of compliance (“The Case for Identity Governance and Administration,” 2014).
Review of Features, Capabilities, and Deficiencies
When looking for the best possible IGA solution to recommend for this business to aid in mitigating insider threats by means of Identity Management controls, EMC (RSA Aveksa) appears to be the optimal solution. RSA Aveksa is the EMC Corporation’s security division. EMC (RSA Aveksa) is listed as a Leader in Gartner’s latest Magic Quadrant. The assessment by Gartner focused specifically on two core components that helped set the product apart from industry competition. Those components were Access Request Manager (ARM) and Access Fulfillment Express (AFX). ARM affords organizations, through a single interface, the ability to control user requests and approvals throughout their complete enterprise. When organizations utilize this feature, they have the ability to prioritize access requests, escalate those requests if necessary, and validate the required access all in the same workflow, while providing a way to track and report all of this if needed. The ARM data sheet points out that the application “enables both managers and end users to easily request new access or make changes to existing access, while ensuring compliance with all business policies and regulatory controls” (“Access Request Manager,” n.d.). The second core component of RSA Aveksa’s solution is AFX. This feature gives the organization a way to integrate business logic, policy, and processes into a tightly controlled and audited single platform for organizational decision makers to take advantage of. AFX provides multiple tools which are fused in order to allow complete governance over all aspects of user access without causing confusion or overlapping functions. The Business Role Manager allows for role discovery and Data Access Governance. The tool implements controlled access to data resources, and the Access Request and Change Manager is used to combine access requests with policy controls to ensure that access requests are logical and necessary (“RSA Access Fulfillment,” n.d.).
Among the primary benefits of RSA Aveksa is its capability to scale with the access management needs of an organization. The architecture was designed with simplicity in mind while giving users easy integration with established Identity Management products. From what research I have conducted, the majority of the deficiencies associated with RSA Aveksa are limited and are in the promotion of the products as well as marketing.
The proposed RSA Aveksa suite would also fulfill the cybersecurity objectives of this organization. The product takes advantage of governance controls which would greatly assist in reducing the risk of a user gaining unnecessary access to information. It delivers increasing resistance to unauthorized access and disclosure by “enabling the organization to review and validate user access, ensuring it’s appropriate based on policies, business roles, and job functions. It empowers managers to determine whether a user should maintain access or have it revoked” (“RSA via Lifecycle,” n.d.). The built-in Access Certification measures included with the suite grant the organization the ability to modify access controls immediately, based upon aspects such as user accounts, groups, roles, and entitlements. All functions of this product are auditable, which is an invaluable factor in the mitigation and remediation of threats and in performing forensics. The workflows are easy to use and extremely intuitive, as they are displayed in a GUI and can be deployed and repeated enterprise-wide. Workflows can additionally be segmented and customized in order to conform to the rigorous controls that permit unique access governance.
Summary and Conclusions
The RSA Aveksa suite rates incredibly high when it is assessed against the Five Pillars of Information Security. EMC has created a shift in the Identity Governance and Administration business world by managing to simplify Identity and Privilege Management through combining several strong applications into a single product. Mia Johanson is a trusted security consultant for Identacor. She provided an assessment which laid out why identity management is so valuable. She stated that governance was “how to control user access without snooping into individual privacy, and how to restrict uniform access throughout the organization” (Johanson, 2015). That statement exemplifies just how much RSA Aveksa has been able to accomplish by building its user governance platform. The tools are non-intrusive to users while performing all of the functionality needed to help ensure the safeguarding of valuable information and granting access only to those individuals who require such privileges.
References
Access Request Manager. (n.d.). Retrieved July 15, 2016, from http://www.emc.com/collateral/data-sheet/h12509-ds-access-request-manager.pdf
Edwards, J. (2016). What’s Changed: Gartner’s 2016 Magic Quadrant for Identity Governance and Administration (IGA). Retrieved July 14, 2016, from http://solutionsreview.com/identity-management/gartner-2016-magic-quadrant-iga/
Johanson, M. (2015, March 26). In The Wake of Security Nightmare. Retrieved July 15, 2016, from https://identacor.com/why-identity-management
Perkins, E. (2013, December 30). Magic Quadrant for Identity Governance and Administration. Retrieved July 15, 2016, from http://innetworktech.com/wp-content/uploads/2014/01/Magic-Quadrant-for-Identity-Governance-and-Administration.pdf
RSA Access Fulfillment Express. (n.d.). Retrieved July 15, 2016, from http://italy.emc.com/collateral/data-sheet/h12510-ds-rsa-access-fulfillment-express.pdf
RSA Via Lifecycle and Governance Access Governance for Today’s Enterprise. (n.d.). Retrieved July 15, 2016, from http://www.emc.com/security/rsa-via-lifecycle-governance.htm
The Case for Identity Governance and Administration. (2014). Retrieved July 14, 2016, from https://www.pwc.com/us/en/oracle-implementation/assets/iag-buyers-guide.pdf