It is astounding how many companies fail to exploit the governance capabilities of their IAM infrastructure and don’t provide the basic governance tools that their managers need to do their jobs. Few managers get a regular report on the access permissions that their staff hold. It is therefore impossible to hold them accountable for inappropriate system access by their subordinates.
Governance is a crucial part of your authentication and access control services. You should not deploy these services without adequate governance offerings. Basic governance should include attestation reports to managers showing the access permissions of their staff. It is not possible to hold managers accountable for access violations if they are not provided with the appropriate tools. If managers are not held accountable for such violations, then who is?
Ideally, governance should be policy-based. A central policy administration unit should implement access controls established on a cross-company basis. Policies should be entered into the system via an intuitive GUI and should be applied to the complete web-services environment. This should include establishing policy for separation of duties and monitoring for events such as out-of-hours access to company documentation.
A business intelligence component should also be included in the access control environment. Logins by time of day, failed logins and any persistent alarm should be sent to the Executive Dashboard.
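The manager attestation report and the separation-of-duties and out-of-hours policy checks described above can be combined in one pass over entitlement and access data. The following is an added example, not part of the original article; the users, managers, permission names, business hours and log entries are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample data; every name, entitlement and policy value is an assumption.
STAFF = {"alice": "maria", "bob": "maria", "chen": "omar"}  # employee -> manager
ENTITLEMENTS = {
    "alice": {"ap.create_vendor", "ap.approve_payment"},
    "bob": {"hr.read"},
    "chen": {"docs.read", "ap.create_vendor"},
}
# Central policy: pairs of permissions one person must not hold together.
SOD_RULES = [("ap.create_vendor", "ap.approve_payment")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # local time, Monday to Friday
ACCESS_LOG = [  # (user, resource, ISO timestamp)
    ("bob", "hr/salaries.xlsx", "2024-03-04T10:15:00"),
    ("chen", "docs/board-minutes.pdf", "2024-03-05T23:40:00"),
    ("alice", "ap/vendors", "2024-03-09T11:00:00"),  # a Saturday
]

def sod_violations(perms):
    """Return every policy pair that is fully contained in one user's permissions."""
    return [pair for pair in SOD_RULES if set(pair) <= perms]

def out_of_hours(ts):
    """True when the access falls on a weekend or outside BUSINESS_HOURS."""
    t = datetime.fromisoformat(ts)
    start, end = BUSINESS_HOURS
    return t.weekday() >= 5 or not (start <= t.time() < end)

def attestation_reports():
    """Build one report per manager listing staff permissions and policy flags."""
    reports = defaultdict(dict)
    for user, manager in STAFF.items():
        perms = ENTITLEMENTS.get(user, set())
        reports[manager][user] = {
            "permissions": sorted(perms),
            "sod_violations": sod_violations(perms),
            "out_of_hours": [(res, ts) for u, res, ts in ACCESS_LOG
                             if u == user and out_of_hours(ts)],
        }
    return dict(reports)

if __name__ == "__main__":
    for manager, staff in attestation_reports().items():
        print(f"Attestation report for {manager}")
        for user, row in staff.items():
            print(f"  {user}: {row}")
```

Each manager receives only the rows for their own staff, so the report can double as the record they sign off during attestation.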