05 May Dormant Access Lifecycle Management
Dormant access is a user access (account/entitlement assignment) that has not been used recently for certain period of time. Time period after which an access is termed as “dormant” may be different for different application/entitlement.
Organizations, typically, attempt to govern dormant access by conducting access certifications without any context. Process becomes expensive and less effective – rubber stamping, limited context for decision making, time consuming etc. This is also one of the common audit finding.
For business, it seems to be a simple problem: why can’t an automation detect, remediate or at minimum provide some context around access usage during certification!!
There is a need to extract, collect and apply identity governance processes on time-of-use of an account and/or entitlement assignment. For technology team, integration is the challenge, especially when there is no standard way to collect “time of use” data from the application.
Extraction and Collection: In most of the cases, extraction of time-of-use is application specific, information may be extracted from one of the following components:
- Application’s Resource Manager (Policy Enforcement Point PEP): component that intercepts user’s access and enforces application security policy by inquiring authorization Server/component.
- Authorization Server: Provides authorization decision based on the application’s access control model and policies.
- Application’s transaction audit data: Component that audits action (business function) performed by user on an application resource, audit transaction can be mapped to an entitlement assignment.
- Application Logs
Applying Dormant Access Policy
Confluxsys Identity Analytics solution integrates with SIM to collect time-of-use data, provides a framework to apply organization’s dormant access policy for applications onboarded into Identity Governance platform.
With no additional development, Identity Management Administrator can configure policy on existing or newly on-boarded application in Identity Governance Platform. Policy can be configured per application or for applications matching certain criteria.
Solution supports various actions based on dormancy rules defined in policy like:
- Initiate “self certification” for beneficiary to justify the continuity of dormant access.
- Automated revocation or disable the account
Having the right process and infrastructure to manage dormant access lifecycle will reduce Identity Governance operational costs and improve the security posture of the Organization. Organization may implement it in a phased manner prioritized by application’s risk level with different level of integration: account and/or entitlement assignment.