Sunday, January 22

Access Governance Continuum

I've been pretty focused recently on Access Governance and specifically how large organizations can get their arms around the problem of access as it relates to unstructured data (mostly file systems and SharePoint). Most of the people I speak to who have responsibility for answering the related tough questions are simply overwhelmed by the sheer size and complexity of the challenge.

It led me to consider that there is a different set of tasks I'd recommend to those people than I would to someone with a somewhat more mature access governance program. So, I started documenting an Access Governance Continuum: a maturity model of sorts that describes how to tell where you stand and what the ideal next steps might be. A whitepaper is in the works, but essentially it looks something like this:

Confused > Planning > Cleaning > Maintaining

To illustrate a few examples:

In the Confused stage, you might want to run scans to identify open file shares. In the Planning stage, you'd be identifying data owners / custodians for those shares. In the Cleaning stage, you'd be working to clean up trouble spots and diving deeper based on what you've found. And in the Maintaining stage, you'd be automating some of the cleanup based on business rules.
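As an added illustration (not part of the original post), here is a small Python walk through those example tasks over a constructed share inventory: discovery of open shares, a check for shares with no owner, and a business rule that yields a remediation plan. The share paths, group names, owner names and the rule itself are all hypothetical.

```python
from dataclasses import dataclass

# Trustees whose presence on an ACL means the share is open to the whole directory.
BROAD_TRUSTEES = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_RIGHTS = {"Modify", "FullControl"}


@dataclass
class Share:
    path: str
    aces: list  # (trustee, rights) pairs, as a share scanner might report them


# Constructed sample inventory; paths, groups and owners are hypothetical.
SHARES = [
    Share(r"\\fs01\finance", [("Finance-RW", "Modify"), ("Everyone", "FullControl")]),
    Share(r"\\fs01\public", [("Authenticated Users", "Read")]),
    Share(r"\\fs02\hr", [("HR-RW", "Modify"), ("Domain Users", "Modify")]),
    Share(r"\\fs02\eng", [("Eng-RW", "Modify")]),
]
OWNERS = {r"\\fs01\finance": "finance-owner", r"\\fs02\eng": "eng-owner"}


def find_open_shares(shares, write_only=False):
    """Confused stage: shares granting a broad trustee any (or only write) access."""
    hits = []
    for s in shares:
        for trustee, rights in s.aces:
            if trustee in BROAD_TRUSTEES and (not write_only or rights in WRITE_RIGHTS):
                hits.append(s.path)
                break  # one broad ACE is enough to flag the share
    return hits


def unowned_shares(shares, owners):
    """Planning stage: shares that still lack a data owner / custodian."""
    return [s.path for s in shares if s.path not in owners]


def no_broad_write(trustee, rights):
    """Example business rule: broad groups may never hold write rights."""
    return trustee in BROAD_TRUSTEES and rights in WRITE_RIGHTS


def remediation_plan(shares, owners, rule):
    """Cleaning/Maintaining stage: ACEs violating the rule, plus the owner who
    must approve removal (None means the share needs an owner assigned first)."""
    return [(s.path, trustee, rights, owners.get(s.path))
            for s in shares for trustee, rights in s.aces if rule(trustee, rights)]
```

Running `remediation_plan(SHARES, OWNERS, no_broad_write)` shows why the stages are ordered as they are: the HR share has a violating ACE but no owner, so it cannot move to automated cleanup until the Planning step has been done.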

This is all based on real-world projects, what has worked for the world's largest organizations, and how that knowledge translates to a mid-market need for pragmatic solutions.

...more to come.


Richard Blackham said...

I think you have hit the nail on the head Matt, and your timing is perfect in producing a companion document to the recently published Gartner MQ.
We have done some analysis of the 'continuum' too and come up with a methodology for addressing the Access Governance (AG) challenge. We settled on 'Capture - Clean - Confirm'.
For our company this presents a similar stance to what you seem to be saying, that without data a customer cannot clean and control his/her directories and therefore may be insecure. We focus, for the moment at least, on providing Reports generated by Forefront Identity Manager, allowing customers to visualize the extent of the problem, clean up the directories by assigning managers to users and owners to groups (as well as removing orphaned accounts), and then have those managers and group owners attest to the security of their business.
Access Governance is certainly gaining traction this year with IBM and Quest entering the fray in the past few weeks. I will be interested to read your white paper when it's finished. There is no doubt that AG is a rising star and could supplant the traditional identity management project as a more affordable first step to getting the 'house in order'.

Matt Flynn said...

Thanks Richard. I appreciate the feedback. One thing I struggle with is that the stages I presented essentially describe the current state. Then, there are sets of tasks associated with each stage which seem to align with your methodology: Discovery, Analysis, Remediation, and Automation. Sounds like there may be ways we can team up at some point. ;)

Richard Blackham said...

Agreed. What we are embarking on here is identifying the point at which IAM and IAG depart from one another. These are two distinct themes in my mind and define how the methodologies should/could be executed relative to your 'continuum'. All those tasks you mention are valid but represent differing views on what to do with that data. For example, if remediation is important then the tool becomes a management interface and is no longer an audit tool. This stretches the concept of 'governance' in my view but many believe this is an essential component. I had a very public debate on LinkedIn with Idan Shoham on exactly this topic.
The methodology, again in my view, should be able to capture data, provide some analytics capability in an automated way, and present that for accountability...over time!
'Over time' is the critical element because historical data is fundamental for audit trails. Spreadsheets prepared the night before just don't stand scrutiny so selecting, filtering and maintaining the data that is required for historical reporting is very important.
Collaboration would be good -_-