The Complex Process of Keeping Access Governance Software Simple

The Complex Process of Keeping Access Governance Software Simple

Access governance security and compliance.

With the rapid growth of the access governance software market, you would think that access certification issues would be a thing of the past. Unfortunately, most solutions are missing the boat because they are either cumbersome to use or they are niche solutions that do not integrate with target systems or a core identity and access management solution. Software is definitely needed to assist with access verifications because trying to run an access audit manually is nearly impossible. However, choosing a solution with rarely used, complex features and minimal integration capabilities can prevent you from actually enabling the business change required to establish a continuous improvement access certification program.

Managing an access verification process without the appropriate tools can be a nightmare. From my past personal experience, the manual process usually consisted of the following complex steps and lots of spreadsheets:

  • Extracting data from your target systems
  • Trying to determine the appropriate owners/approvers for each entitlement or system
  • Communicating the process to approvers with a rash of emails
  • Enforcing the completion of the audit via email and phone
  • Reviewing the results
  • Submitting the access differences to a security team to process
  • Then, start over because all of the above took so long!

Simplicity, automation and integration capabilities are the critical features you should focus on when choosing an access governance software solution. Ideally, integration needs to exist between both the target systems being audited and the core identity and access management solution. Otherwise, you will find the access governance software simply gets you to an end-report faster without actually automating the revocation of access. Revoking inappropriate access is the primary reason for performing access certifications, so any solution that just provides a report or has limited identity management core features should be ignored.

Over the past couple years, most organizations investigating identity and access management initiatives are baking access governance into their overall IAM solution requirements. This is fantastic, because an IAM solution should address all identity needs rather than just be strong in certain areas. In fact, a holistic identity and access management solution with standard features is much more effective than trying to marry multiple products that might have a few extra features in their niche areas. What good is it to sail through an access certification if significant work must then be applied to actually correct the inappropriate access once it is complete?

The ideal access governance software should incorporate integration at both the beginning of the audit as well as at the tail end when access revocations must occur. Don’t underestimate the value of either of these integration points. On the front-end, system and entitlement ownership as well as current entitlement data should be derived from the core identity and access management solution and leveraged throughout the audit. This dramatically reduces audit ramp-up time and allows the access governance solution to have direct access to approver information for sending emails and enforcing workflow. At the tail-end, the access verification system should allow for immediate revocation directly to the target system through the core IAM solution. This ensures a single point of reference for auditors since all access requests will flow through the primary user provisioning system.

A major area of importance that is overlooked in any access government solution is the graphical user interface and intuitive nature of the product itself. Think about it, if a solution is difficult to use, it will promote the act of “rubberstamping” access certifications. If the software is intuitive with a familiar interface that provides all the required information in a single view, approvers will be empowered to make the right choice thus improving security‐‐the key goal of access certifications. Ultimately, only the look-and-feel of an access governance solution can truly change behavior and promote continuous improvement in this space.

Another important capability is to be able to create granular audit campaigns that focus on either the access entitlements being audited, the users who should be audited or a combination of both. By allowing for granular audit campaigns, the access certification process is more manageable and can promote successful audits with reasonable project timelines.

As stated above, simplicity, automation and integration are all key components of an access government software solution. Focusing on core identity and access management capabilities with core access governance capabilities integrated into the suite provides a much better solution than trying to find the perfect access governance solution with minimal identity and access management features. The goal should be to effectively run access verifications quickly with minimal IT involvement. If this occurs successfully, your IT security will improve leaps and bounds above trying to implement a complex access governance solution that does not integrate with your target systems.

Follow Ryan Ward, Avatier Chief Innovation Officer and Chief Information Security Officer, on Twitter at

With Compliance Auditor, identity and access governance audits are simple to conduct and make part of your continuous improvement operations. Watch the Avatier Compliance Auditor Production Introduction to learn more.

BP_access-governanceGet Your Free Top 10 Access Governance Best Practices Workbook

Learn the top 10 Access Governance Best Practices for successful implementations from experts. Sidestep the challenges that can derail GRC software and compliance management projects.

Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts.Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).