IT Security and Infrastructure teams deploy sophisticated IAM systems like SailPoint, or keep investing in aging homegrown solutions, to certify who has access to what. Despite these investments, IT managers continue to struggle to get their end users to engage with these systems and complete the required access reviews.
The irony is that upper management already knows IT cannot decide who should have access to which systems; those calls belong to the lines of business. Yet, no matter how logical the explanation is, the business always pushes back. Why is that?
There are many great solutions in the IAM ecosystem designed to handle the workflows IT organizations require for certifying access, including scheduled entitlement reviews and on-the-fly account recertifications. These solutions come with all the features an administrator could need—pretty email templates, escalation processes, automated provisioning, and role concepts, to name a few.
However, despite all this functionality, there is one major problem these IAM systems can’t overcome: Bad Data In = Bad Data Out. An application is only as good as the data it receives.
These applications work as designed when supplied with clean, current raw data. But ingesting quality data is a significant challenge for any complex system and for the people who manage it, and data quality is mostly out of their control.
Most IAM tools pull user data from Active Directory, which may be managed by another group. Permissions, ownership, and data structure are complicated, come from many disparate sources, and aren’t provided in a pre-configured package that is easily uploaded and displayed to business users.
The Reality
To be effective, there needs to be a solution wedged between the source systems and the desired end-state IAM workflows.
SPHEREboard collects data from the source systems first; this is what we call our IAM Views solution.
There are Three Ways of Retrieving the Data:
- Directly from the Source System: For example, if you want group drives included in your entitlement reviews, we will use our NetApp connector to grab entitlements and any other relevant metadata.
- Using an Existing Solution: For example, if you want local admin accounts included in your access certification processes, use our Tanium connector that’s already collecting that data.
- Uploading the Files: For example, if you want your SOX apps reviewed quarterly, use our File Listener and File Ingestor to configure it to wait for your apps to drop files to a certain location (we set that up too!) and upload them into the system.
Getting the data from the sources is just the start, as referential and contextual data are extremely important to any recertification or entitlement project. IAM workflows always require accurate ownership. The owners are the business people who will have to certify access. The reality is most companies have incomplete ownership catalogs and, very often, conflicting information.
Where We Provide Value
We perform common-sense checks first. Is the listed owner still at the company? When an owner cannot be found, we leverage a host of proprietary methodologies and algorithms behind the scenes to fill in the gaps automatically. Any owner filled in this way should be shown to the reviewer as inferred rather than as fact, so it can be confirmed rather than silently trusted.
Finally, data needs to be normalized, and the presentation layer must be addressed. For example, if you want group drives certified by the data owner, including every folder and file in the review is impractical. It’s too much data to consume rationally.
Instead, we devised the concept of Collections. Our approach groups folders based on usage, naming standards, permissions, etc. This helps quantify the number of people who need to be contacted to validate ownership effectively. We identify just the folder paths that are meaningful to the data owners and provide metrics on the entire data set. Equally important, the same normalization must occur for any other asset in the environment. This step should not be underestimated.
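The two steps described above, validating listed owners and collapsing folders into Collections, can be sketched in code. The following is an added example written for this page, not SPHEREboard's own code or its proprietary ownership algorithms. It assumes a constructed HR feed with an active flag and a reporting line, a constructed ownership catalog, and a constructed NetApp-style ACL dump; the fallback of assigning a departed owner's manager is an illustrative heuristic, not the product's method. Folders are grouped at permission boundaries: a folder joins its parent's Collection when its effective ACL is identical to the parent's, and starts a new one otherwise.

```python
"""Added example (not SPHEREboard code): owner sanity checks plus
permission-boundary Collections over a constructed folder ACL dump."""
from posixpath import dirname

# Constructed HR feed: user id -> active flag and manager (assumed fields).
HR = {
    "alice": {"active": True,  "manager": "carol"},
    "bob":   {"active": False, "manager": "carol"},   # has left the company
    "carol": {"active": True,  "manager": "dave"},
    "dave":  {"active": True,  "manager": None},
}

# Constructed ownership catalog: share path -> listed owner (stale or missing).
OWNERS = {
    "/shares/finance":       "bob",    # stale: bob is inactive
    "/shares/finance/audit": "alice",
    "/shares/hr":            None,     # no owner recorded
}

# Constructed ACL dump: (path, trustee, rights); each folder lists its full ACL.
ACLS = [
    ("/shares/finance",            "FIN-RW",   "modify"),
    ("/shares/finance",            "FIN-RO",   "read"),
    ("/shares/finance/2023",       "FIN-RW",   "modify"),
    ("/shares/finance/2023",       "FIN-RO",   "read"),
    ("/shares/finance/2023/q1",    "FIN-RW",   "modify"),
    ("/shares/finance/2023/q1",    "FIN-RO",   "read"),
    ("/shares/finance/audit",      "AUDIT-RW", "modify"),   # permissions change here
    ("/shares/finance/audit/2023", "AUDIT-RW", "modify"),
    ("/shares/hr",                 "HR-RW",    "modify"),
    ("/shares/hr/payroll",         "HR-RW",    "modify"),
    ("/shares/hr/payroll",         "PAYROLL",  "read"),     # and here
]


def resolve_owner(path):
    """Return (owner, status). Walk up the path to the nearest listed owner.
    If that person is inactive, fall back to their manager (illustrative
    heuristic, assumed for this example) and mark the result 'inferred' so a
    reviewer confirms it instead of trusting it."""
    p = path
    while True:
        listed = OWNERS.get(p)
        if listed:
            break
        if p in ("/", ""):
            return None, "unresolved"
        p = dirname(p)
    if HR.get(listed, {}).get("active"):
        return listed, "listed" if p == path else "inherited"
    manager = HR.get(listed, {}).get("manager")
    if manager and HR.get(manager, {}).get("active"):
        return manager, "inferred"
    return None, "unresolved"


def effective_acl(acls):
    """path -> frozenset of (trustee, rights)."""
    by_path = {}
    for path, trustee, rights in acls:
        by_path.setdefault(path, set()).add((trustee, rights))
    return {p: frozenset(v) for p, v in by_path.items()}


def build_collections(acls):
    """Collapse folders into Collections at permission boundaries. Sorting the
    paths guarantees a parent is processed before its children."""
    acl = effective_acl(acls)
    root_of, collections = {}, {}
    for path in sorted(acl):
        parent = dirname(path)
        if parent in acl and acl[parent] == acl[path]:
            root = root_of[parent]            # same ACL as parent: same Collection
        else:
            root = path                       # ACL differs: new Collection
            collections[root] = {"acl": acl[path], "folders": []}
        root_of[path] = root
        collections[root]["folders"].append(path)
    return collections


def iam_view(acls=ACLS):
    """Flat rows of the kind a certification workflow would consume: one row
    per Collection with its resolved owner and the entitlements to certify."""
    rows = []
    for root, c in sorted(build_collections(acls).items()):
        owner, status = resolve_owner(root)
        rows.append({
            "collection": root,
            "folder_count": len(c["folders"]),
            "owner": owner,
            "owner_status": status,
            "entitlements": sorted(f"{t}:{r}" for t, r in c["acl"]),
        })
    return rows


if __name__ == "__main__":
    for row in iam_view():
        print(row)
```

On the constructed data, eleven ACL entries across seven folders collapse to four Collections; two of them resolve to a confirmed or inferred owner, so only two people need to be contacted, and the two unresolved rows are surfaced explicitly rather than assigned to someone at random.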
Packaging the Data
The final product from us is our IAM views. All the information and analysis SPHEREboard conducts with entitlements, ownership, and any additional data is placed into pre-defined tables that the IAM workflow system consumes.
These tables are regularly refreshed, ensuring data quality is up-to-date. Now, business users see entitlement data that makes sense and can provide relevant feedback to the business as intended.