Access entitlements are permissions granted at various levels within an entity, such as a corporate enterprise or the like, to allow an individual, such as an employee, to perform a given type of task. Depending on the entity granting the access entitlements and the individuals to whom they are granted, the permissions can be at a highly granular level. For example, a user/employee may have read-only access entitlement to a specific document and/or read and write access to another specific document.
In addition, access entitlements can be grouped into hierarchies based on groups and assigned to roles. For example, a specific employee role is granted read-only access entitlement to a specific document and/or read and write access entitlement to another document. Members of the specific employee group have the specific employee role and all members of the group may have group-wide access entitlements and/or all employees having the same role may have role-wide access entitlements. The use of such roles makes individual entitlements easier to manage since a large collection of granular entitlements can be associated to a role. Groups are then assigned to the role, and finally employees are given membership to the groups. Simply by adding an employee to a group will grant that employee all of the entitlements necessary to perform the functions of the role.
Some job functions may have many roles that are necessary to perform the duties of the job. Additionally, access to multiple computers, shared folders, network domains, etc. may be necessary. To make the on-boarding of new or transferred employees more manageable, many on-boarding procedures have been automated, such that large number of access entitlements that have been pre-defined by a job function may be granted to the new or transferred employee.
Over time, a given employee can acquire a large number of access entitlements by changing job capacities if the entitlements originally granted to the employee are not cancelled, referred to herein as “de-provisioned”. Although de-provisioning entitlements when the access is no longer required is an industry best practice, the strong correlation between length of employment and the number of outstanding entitlements indicates that current de-provisioning procedures are highly ineffective.
In large corporations, the ineffectiveness of de-provisioning procedures is due, at least in part, to the reality that the correlation between job functions, the roles that support those functions, the entitlements that support those roles, and their relationship to an employee's current job requirements is typically poorly maintained. This disconnect in de-provisioning practice is primarily due to the sheer number of access entitlement applications, the age of those applications, the disparate platforms and the manner in which each platform maintains entitlements, the disconnection between on-boarding and de-provisioning systems, and the velocity of change imposed on all of these factors. Together these result in a problem that is very difficult to resolve retroactively.
Access entitlement reviews need to be performed within enterprises on a regular basis to ensure that employees have access to what they need to perform their job functions, but no more access than is necessary. Such access reviews serve to reduce the risk of inappropriate usage. In certain regulated industries, access entitlement reviews conducted on a regular basis are not only an industry best practice; such reviews are now required by government policy and regulation, such as Sarbanes-Oxley and the like.
In the past, access reviews have been scheduled on a calendar basis. Most best-practice frameworks, such as Control Objectives for Information and related Technologies (COBIT) or the like, recommend that access entitlement reviews be conducted on a regularly scheduled basis, the frequency of which depends on the nature of the entitlements. Entitlements that represent a greater risk, such as those that allow employees to view customer or third-party identities, should be reviewed more frequently, while lower-risk entitlements, such as those that provide employees access to the corporate network, may be reviewed less frequently. However, calendar-based or other cyclic, regularly scheduled reviews tend to be arbitrary and have no correlation to when risk conditions actually occur.
Unfortunately, many access entitlements are not classified by risk, and, therefore, conducting such access reviews on the basis of risk becomes problematic. Further, because of the issues discussed previously, it is usually not even possible to conduct access reviews by job title, job function or role, because the association of entitlements to these higher-level groupings does not exist or no longer exists.
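As an added illustration (not part of the original text), the following Python models the group-to-role-to-entitlement hierarchy described above, flags entitlements an employee still holds that no current group membership justifies (the accumulation problem), and orders them by a risk tier so that only the highest-risk stale entitlements reach a reviewer. All role, group, entitlement and risk values are constructed sample data.

```python
"""Added example: detect stale (unjustified) entitlements and rank them by risk.
Not code from the patent; the hierarchy and risk tiers are constructed."""
from dataclasses import dataclass

# Constructed sample hierarchy: role -> entitlements, group -> roles.
ROLE_ENTITLEMENTS = {
    "teller": {"core-banking:read", "customer-ids:view"},
    "marketing": {"campaign-db:write", "corp-network:access"},
}
GROUP_ROLES = {"branch-staff": {"teller"}, "marketing-team": {"marketing"}}
# Constructed risk tiers following the text: viewing customer identities is
# higher risk than plain corporate network access.
RISK_TIER = {"customer-ids:view": 3, "core-banking:read": 2,
             "campaign-db:write": 2, "corp-network:access": 1}


@dataclass
class Employee:
    name: str
    groups: set            # current group memberships (the intended state)
    provisioned: set       # what the platforms actually still grant


def entitlements_for_groups(groups):
    """Expand group -> role -> entitlement to get what membership justifies."""
    justified = set()
    for group in groups:
        for role in GROUP_ROLES.get(group, ()):
            justified |= ROLE_ENTITLEMENTS.get(role, set())
    return justified


def stale_entitlements(emp):
    """Entitlements held but not justified by any current group, riskiest first."""
    stale = emp.provisioned - entitlements_for_groups(emp.groups)
    return sorted(stale, key=lambda e: (-RISK_TIER.get(e, 0), e))


def review_queue(employees, min_risk=2):
    """Only stale entitlements at or above min_risk are queued for a manager."""
    queue = [(emp.name, e, RISK_TIER.get(e, 0))
             for emp in employees for e in stale_entitlements(emp)
             if RISK_TIER.get(e, 0) >= min_risk]
    return sorted(queue, key=lambda item: (-item[2], item[0], item[1]))


def total_risk(entitlements):
    """Simple additive risk score, used to measure reduction after revocation."""
    return sum(RISK_TIER.get(e, 0) for e in entitlements)


# Constructed scenario: alice moved from branch staff to marketing but kept
# her old teller entitlements; bob is still a teller with one extra grant.
ALICE = Employee("alice", {"marketing-team"}, set(RISK_TIER))
BOB = Employee("bob", {"branch-staff"},
               {"core-banking:read", "customer-ids:view", "corp-network:access"})
```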
Traditionally, access reviews have attempted to review all of the entitlements of all of the employees. In an enterprise scenario, such an exhaustive review puts an impractical amount of work and responsibility on the employees' managers. In addition, the poor effectiveness and efficiency of access reviews can be attributed to the scale of entitlements granted within an enterprise. Moreover, due to inadequate information describing the entitlements, managers do not readily understand the nature of the entitlements or the implications of de-provisioning them. In this regard, managers all too often continue to give perfunctory approvals of entitlements rather than take the risk of disabling important functions that may negatively impact their staff.
In addition, access entitlement reviews, and specifically their goal of risk reduction, are difficult to measure and demonstrate quantitatively.
Therefore, a need exists to develop systems and methods for access entitlement reviews that demonstrate and measure a reduction in risk. In addition, the desired access entitlement review systems and methods should reduce the workload of managers or other individuals typically tasked with conducting such reviews. Additionally, the desired systems and methods should increase the effectiveness of the reviews, as evidenced by the percentage of access reviews completed and by an improved reduction of risk through higher revocation percentages than traditional reviews achieve. Moreover, the desired access entitlement review systems and methods should increase efficiency by reviewing only those entitlements that represent the most risk.