Blog

GRC: The Elephant in the Dark

Sun Microsystems (U.A.E) Ltd. | www.sun.com

There’s an old story about a group of people finding themselves in a dark room with an elephant and trying to describe this strange creature that they can’t see, but only reach out and touch. A man near the animal’s leg thinks an elephant is something like a pillar; a woman by the tail perceives it as quite something else; and the others, too, define the nature of the elephant differently, depending on what part of it is nearest to them.

The point of the story? That you have to take all the parts into consideration in order to perceive the whole. And when it comes to governance, risk, and compliance (GRC), that lesson seems to apply. As with the elephant in the dark room, no one seems to know quite what to call it: GRC, or GRC Management (GRCM), or Enterprise GRC (as distinct from IT GRC, according to Forrester) – not to mention GAC, Gartner’s acronym for governance, audit, and compliance.

The elephant story reminds us that the key to understanding and addressing GRC is taking it one part at a time. Given the many views of GRC, and the different components associated with it – from the IT infrastructure that supports it, to the controls and other applications that make up that infrastructure – it can be a challenge to know where to begin. But you’ve got to start somewhere.

One way to begin to move forward productively with GRC is to focus on one area of the core technology platform for it – something that will be easy to implement and can be rolled out quickly and cost-effectively. An example of this would be applications associated with instituting access, security, and other controls to support business policies in these areas. Because access and security are inextricably linked with identity, controls that can be automated through identity management are an obvious place to start.

A Place to Start: Instituting Identity-Based Controls
The following are specific examples of identity-related access and security controls that can be instituted as part of an IT framework for GRC, whether across the enterprise or for a particular business area within the organization.

1. Authentication
It may sound obvious, but making sure that the people requesting access to enterprise resources are who they say they are (authentication), and have permission to view or use what they are asking for (authorization), is fundamental to reducing risk and improving compliance in the enterprise. This requires access controls with a strong authentication component.

Identity-based access-control technology that includes a wide range of authentication capabilities can be implemented to provide the appropriate levels of authentication to support enterprise policy. At the minimum, an identity-based solution should include strong password management capabilities that will support enterprise policy in areas such as how often passwords are required to be changed. Ideally, the solution will also include enterprise single sign-on (ESSO) capabilities that enforce password policy while at the same time improving the user experience by not requiring different passwords for different enterprise resources. Because ESSO places access to many resources behind one login, that login becomes a high-value target; solutions that also support stronger controls such as multi-factor authentication at the initial network login close that gap and strengthen what would otherwise be purely password-based access.

2. Segregation of Duties Enforcement
Segregation of duties (SOD) enforcement is critical to ensuring that no one within the enterprise can intentionally or inadvertently create a breach of security policy as a result of the roles they occupy and duties they are assigned to perform. A classic example is ensuring that someone who is charged with issuing purchase orders isn’t also allowed to approve them. SOD enforcement directly impacts an organization’s ability to comply with explicit requirements of the Sarbanes-Oxley Act and other regulations aimed at ensuring the integrity of enterprise financial operations.

Enforcing segregation of duties policy in the GRC control environment requires identity provisioning and auditing capabilities that are fine-grained enough to identify imminent violations when users are provisioned (especially after job changes that may affect their duties), automatically prevent these violations from occurring, and then report to management on such incidents. Identity management technology that combines provisioning and auditing in one product or solution can neatly address detection, prevention, and reporting in this way.

Ideally, the identity management solution should include the functionality to automatically maintain an ongoing record of activities with the potential to impact SOD, such as job changes and password resets. The solution should also record, and notify management of, all attempts – both successful and unsuccessful – to access confidential, restricted, or other sensitive enterprise resources.

3. Role-Based Access Control
Enterprise rules and policies that dictate who has access to what resources in the enterprise can be applied based on the roles that users occupy rather than on their individual access privileges. Access control capabilities that are based on users’ roles in this way simplify administration by making it possible to apply policy against the roles to which users belong, instead of against every individual user account.

As in the preceding general SOD-enforcement scenario, an identity-driven solution may be ideal. The key is to find a product with the functionality not just to identify conflicting access privileges but also to automatically prevent users from being granted conflicting rights when a conflict is identified. In the interest of further simplifying administration, identity management solutions that allow role-based access control should offer combined capabilities to manage roles, grant access, and report comprehensively on access – from who has access to what, to who accessed what, to who authorized access – all through the ongoing and continuous process of auditing and certifying access privileges and activities.

Roles can also be used to automate access certification controls, which greatly simplifies the access certification process for managers. When based on role management, the tasks of auditing and certifying access to resources allow the enterprise to establish a practical framework for introducing tight controls. These controls enable management to secure the enterprise efficiently and to meet internal security policy and external regulatory requirements. In the process, role-based access auditing and certification greatly reduce the operational inefficiencies associated with managing user access in an ad hoc manner.

Using roles as the basis for establishing and managing access changes against an auditing baseline creates a foundation for an enterprise control structure that will satisfy audit objectives. This is because role-based processes simplify the attestation of user access; enable the definition and certification of policies, controls, and user roles; and automate policy enforcement and exception management to address segregation of duties and other conditions across a multitude of enterprise systems and applications.

Finally, the entire process of defining roles facilitates a closer alignment between IT activities and business goals, by making identity not just a means to an IT end, but also a means to achieve business goals. Roles allow the enterprise to map IT controls to business goals by defining identity in a way that is meaningful to management and by placing business goals in an identity context that makes sense to IT. Roles provide the context that management and IT need in order to define the parameters of a user’s access based on his or her job function within the business, and then to place the appropriate IT controls around that access.

4. Audit and Compliance Automation
The importance of automation in implementing controls for GRC initiatives cannot be overstressed. Implementing automation for audit and compliance positively impacts GRC by making it easy and cost-effective to enforce access policies, monitor access, and conduct ongoing audit and compliance reporting.

The processes and procedures that are associated with auditing and compliance of the access control environment simply cannot be sustained manually. They are too labor-intensive, costly, and time-consuming, not to mention subject to human error. For example, without automation, it can take weeks at the end of a quarter to detect access violations and remedy them manually – and even then, there’s no assurance that every violation will be caught and properly addressed. By contrast, an identity-driven, automated solution can instantly and accurately detect, for example, whether a user who has changed roles in the organization has inappropriately retained access privileges to resources associated with his or her previous role.
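The three controls described in sections 2 through 4 share one underlying computation: resolve a user's roles to entitlements, test the result against segregation-of-duties rules before a grant is made, and periodically compare what a target system says a user actually holds against what the user's current roles justify. The following is an added example, not code from the article or from Sun; the role names, entitlement strings, SOD rules and the "ERP snapshot" are constructed for illustration and do not correspond to any real product's schema.

```python
"""Identity-driven SOD and access-reconciliation checks.

Added example (not the article's or Sun's code). Role names, entitlement
strings, SOD rules and the ERP snapshot below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Role catalogue: role -> entitlements it confers (constructed sample data).
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "purchasing_clerk":   frozenset({"erp.po.create", "erp.vendor.view"}),
    "purchasing_manager": frozenset({"erp.po.approve", "erp.vendor.view", "erp.report.spend"}),
    "ap_clerk":           frozenset({"erp.invoice.enter", "erp.vendor.view"}),
    "ap_supervisor":      frozenset({"erp.payment.release", "erp.report.spend"}),
}

# Segregation-of-duties rules: entitlement pairs no single identity may hold together.
SOD_RULES: List[Tuple[str, str]] = [
    ("erp.po.create", "erp.po.approve"),            # issue vs. approve purchase orders
    ("erp.invoice.enter", "erp.payment.release"),   # enter invoice vs. release payment
]


@dataclass(frozen=True)
class AuditEvent:
    user: str
    action: str
    outcome: str      # "GRANTED", "DENIED" or "FLAGGED"
    detail: str


def effective_entitlements(roles: Set[str]) -> Set[str]:
    """Resolve a set of roles to the union of the entitlements they confer."""
    ents: Set[str] = set()
    for role in roles:
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role: {role!r}")
        ents |= ROLE_ENTITLEMENTS[role]
    return ents


def sod_violations(ents: Set[str]) -> List[Tuple[str, str]]:
    """Return every SOD rule whose two entitlements are both present."""
    return [(a, b) for a, b in SOD_RULES if a in ents and b in ents]


def check_grant(user: str, current_roles: Set[str], new_role: str,
                approver: str, log: List[AuditEvent]) -> bool:
    """Preventive control: evaluate the grant before it is made.

    Conflicts are computed over the combined role set, so a role that is
    clean on its own is still blocked if it conflicts with a role the user
    already holds. Both outcomes are written to the audit log.
    """
    conflicts = sod_violations(effective_entitlements(current_roles | {new_role}))
    if conflicts:
        log.append(AuditEvent(user, f"grant role {new_role}", "DENIED",
                              f"approver={approver}; conflicts={conflicts}"))
        return False
    log.append(AuditEvent(user, f"grant role {new_role}", "GRANTED",
                          f"approver={approver}"))
    return True


def reconcile(user: str, current_roles: Set[str], actual_entitlements: Set[str],
              log: List[AuditEvent]) -> Set[str]:
    """Detective control: compare what a target system reports the user has
    against what the user's current roles justify. Anything left over is
    retained access (for example from a previous job) and is flagged, as is
    any SOD conflict that the retained access creates."""
    expected = effective_entitlements(current_roles)
    retained = actual_entitlements - expected
    if retained:
        log.append(AuditEvent(user, "access certification", "FLAGGED",
                              f"retained entitlements not justified by roles: {sorted(retained)}"))
    for a, b in sod_violations(actual_entitlements):
        log.append(AuditEvent(user, "access certification", "FLAGGED",
                              f"SOD conflict in actual access: {a} + {b}"))
    return retained


def demo() -> Tuple[bool, Set[str], List[AuditEvent]]:
    log: List[AuditEvent] = []
    # 1. Alice already issues POs; a request to add the approving role is denied.
    alice_ok = check_grant("alice", {"purchasing_clerk"}, "purchasing_manager", "mgr.jones", log)
    # 2. Bob moved from AP clerk to AP supervisor, but the ERP system still
    #    shows his old invoice-entry entitlement (constructed snapshot).
    erp_snapshot = {"erp.invoice.enter", "erp.vendor.view",
                    "erp.payment.release", "erp.report.spend"}
    bob_retained = reconcile("bob", {"ap_supervisor"}, erp_snapshot, log)
    return alice_ok, bob_retained, log


if __name__ == "__main__":
    ok, retained, events = demo()
    for e in events:
        print(f"{e.user:6} {e.action:24} {e.outcome:8} {e.detail}")
```

The two functions map onto the distinction the article draws: `check_grant` is the preventive control applied at provisioning time, and `reconcile` is the detective control run during access certification. Note that Bob's case is only a violation because of drift in the target system; his current roles are clean, which is why a certification must be driven from what systems actually hold rather than from the role assignments alone.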

Ideally, an identity-based solution for automating audit and compliance processes should bring together diverse capabilities to automate multiple related processes. A combination of automated capabilities for provisioning, access management, and reporting is essential to delivering audit and compliance support that is not only sustainable but also comprehensive.

An identity-based solution should also provide directory capabilities for consolidating identity and access information from throughout the enterprise. A directory is a critical component for addressing application security and cost efficiencies associated with an enterprise-wide identity management strategy. It provides the first line of authentication services to applications and offers strong security mechanisms such as encryption of the data that is stored in the directory, along with the ability to restrict access through an embedded firewall function. With directory capabilities in place, all transactions can be automatically logged and encrypted to provide a complete, tamper-evident audit trail for the audit team to review as needed. That trail is only as trustworthy as the protection on the log store itself, so the logs should be written to a location that the administrators whose actions they record cannot alter.

Criteria for Selecting the Right Solution
As discussed above, automation is at the top of the list for any organization that is considering using an identity-driven approach to the controls environment in the IT infrastructure for GRC.

Beyond automation, having an identity-based solution for controls that provides the flexibility to bring together multiple processes – identity provisioning, identity auditing, role management – is also important. Provisioning products automate the process of fulfilling access requests; identity auditing products automate the process of detecting, remediating, and reporting on risks associated with access. Solutions that bring together identity provisioning and auditing in one product meet these needs while reducing administrative overhead. Role management capabilities are useful for any enterprise with a large and diverse base of users, because they speed the process of managing those users’ access to resources.

Finally, any identity-based solution for building a controls environment for GRC must have a strong reporting component. The solution should report on who has access to what (by both user and information owner); who actually accessed what, including applications, operating systems, and other resources (especially resources associated with confidential or other sensitive information); and who approved or authorized the access. Additionally, reporting capabilities should include a centralized log of all access activities from all resources, to speedily and accurately provide all the information needed for an audit.

In Summary
The recent emergence of GRC as a priority concern for today’s enterprise exemplifies very well the lesson of the elephant in the dark: that you can’t perceive the whole of something without an awareness of all of its parts. But getting a handle on every aspect of GRC at one time can present a formidable – if not impossible – challenge.

A better approach than trying to do everything at once is to start by zooming in from the big picture of GRC to one specific aspect of it that is easy to plan for and implement. For example, go from GRC in general to the IT infrastructure controls that support it, and from there to controls that can specifically be implemented through identity management solutions – solutions that may even already be in place to at least some extent. From there, move on to another part that’s relatively easy to undertake. Next thing you know, you’ll have an entire elephant.

