Best Practices in Access Certification

Forward-thinking companies use automated access certification solutions to streamline processes, speed provisioning and ensure data safety

Managing user access to information resources is the lifeblood of IT security. Nothing is more basic to securing a network, system, application or database than providing the right access to those with a legitimate business need. Employees should have every resource necessary to efficiently fulfill their responsibilities, and nothing more. But knowing and delivering exactly the right set of entitlements for every individual has always been difficult, and in today's complex and continuously evolving environments it is quickly becoming impossible, at least with manual tools and processes.

This White Paper asserts that organizations need to bridge the gap between IT and business to automate access certification processes, eliminate role-related bottlenecks and create a closed-loop access governance framework that delivers business value far beyond compliance.

A Combined Approach

The most appealing solution is a combination of abstraction and automation, using defined roles to standardize the resource requirements of typical job functions and the individuals who perform them. Next, a combination of events, rules and policy-based workflows can be used to automate provisioning, validation and compliance processes.

Defining Roles & Access

While IT managers are better equipped to program systems to allow access to appropriate employees, business unit managers are ultimately the most qualified to determine which employees should have access to each system based on their role in the organization. Both IT and business managers must collaborate on the language that will be used to describe roles and requirements. What's more, both groups must use an automated approach for access review and certification in order to speed processes and in turn save money.
Security research firm Echelon One reports that manually certifying access rights imposes a 30-40 hour average annual workload on each reviewing manager and application owner. Even more time is required in heavily regulated industries. A slow certification process also poses significant operational risks. A rogue employee who has even temporary access to sensitive information can wreak havoc. One high-profile example is the trader at French bank Société Générale SA who cost the institution $7.2 billion when he made prohibited transactions using inappropriate system rights. But even innocent, inadvertent errors by users with inappropriate access can be extremely costly.

Automating Provisioning, Validation & Compliance Processes

Once roles and access rights have been defined and automated, companies must then manage the constantly changing number of internal policies and external regulatory mandates that affect user access. With many of today's enterprises managing tens of thousands of IT systems users and thousands of resources, their access certification solution must include:

For the business side of the organization:
- Role lifecycle management, including role definition and access allocation, change management and continuous risk management
- Access certification and compliance, including automated access discovery, review and certification; compliance analysis; exception response; and remediation

For IT access management operations:
- Automated role-based provisioning and access management
- Real-time security monitoring, access remediation and reporting

Where such solutions are deployed, the benefits will inevitably include stronger security, more reliable risk management, vastly improved administrative efficiency, increased operating agility and lower overall costs.

The Solution

Novell's Access Governance Suite delivers these benefits. The tightly integrated solution set streamlines and automates access certification, role lifecycle management and risk management.

The Novell Compliance Certification Manager automates entitlement monitoring, reporting, certification and remediation. It starts with a comprehensive discovery and collection of identity and authorization information from systems and applications throughout the enterprise.

The Novell Roles Lifecycle Manager provides a holistic approach to defining, creating and managing roles throughout the organization, addressing the distinct requirements of business users, IT security and compliance teams. Building on data from the Compliance Certification Manager, this solution offers sophisticated role modeling driven by detailed metrics that helps business managers evaluate established roles, define new ones, and accurately allocate necessary entitlements.
Conclusion

These applications, along with the core components of the Novell Compliance Management Platform, let organizations of any size mitigate access-related business risks, reduce costs and complexity, relieve management workloads and ensure sustainable compliance.
About Novell

Novell, Inc. (Nasdaq: NOVL) delivers the best engineered, most interoperable Linux platform and a portfolio of integrated IT management software that helps customers around the world reduce cost, complexity and risk. With our infrastructure software and ecosystem of partnerships, Novell harmoniously integrates mixed IT environments, allowing people and technology to work as one. For more information, visit www.novell.com.