Identifying stakeholders in access governance
In our view, information security is managing who can have access to what. IAM, Identity and Access Management, is often seen as the single profession to manage the who, what and why.
Well, in our opinion it is not. Managing identities and managing access cover lots of ground in different domains. Identity management is all about automating joiner, mover and leaver processes in an identity lifecycle. It is about workforce management, customers and consumers, things, every single object or service that may need to get access to whatever needs to be secured.
Access management is different. Access management is all about handing out the keys to the castle. But who is allowed to hand out the keys, and to what part of the castle? And why would anyone hand out the keys?
The Why part in essence is overlooked. Managing identities by implementing an Identity Governance and Administration solution can help manage the Who. And such a solution can also manage authorizations in roles, taking care of the What.
By Why does someone get a role or an authorization. “Why does a role contain an authorization”, is a question that cannot easily be answered, leave alone that there is a person who can answer the question. This is the access governance issue that needs to be managed.
In our whitepaper Identifying the Stakeholders in Access Governance we do not present the answers to the questions, but we present a method to identify the persons who should be held accountable for answering the questions.
Enjoy the read and if you like to comment, feel free to do so!