Post on 20-Jun-2015
Omnitech s.r.l. • Via Fiume Giallo, 3 - 00144 Roma • Via dei Bossi, 7 - 20121 Milano • Tel.: +39 06 6782586 • Fax.: +39 06 99331512 • www.omnitechweb.it
Excellence in integrated IT services and solutions.
Access Governance
Maurizio Milazzo
Governance
• The term originally comes from Anglo-Saxon political science
• It refers to a complex system and to the flexibility of the relationships between the subjects of that system
• It was adopted by economists to describe the government of complex economic structures (Corporate Governance)
…Governance
• A shift from a model based on hierarchical controls to the forms of interrelation that make up the system (R. Mayntz 1999, sociologist)
• A set of procedures or tools used for developing and processing policy, with greater openness in decision-making processes, involving stakeholders through better information sharing and by including them in the listening phase.
Access Governance
• A set of procedures or tools used to give users correct access to the right company software applications, taking account of corporate policies, compliance and digital identity management, and based on role lifecycle management.
Access Governance
• It is a non-technological approach addressing a scenario of processes, people, compliance and rules, data and systems, access rights and personal information management, aimed at reducing the costs that come from inappropriate access, violations and rights that are not aligned with the company's needs.
Access Governance
• Top-down, iterative approach
• Assessment
• Auditing
• Segregation of Duties
• Role Lifecycle Management
• Starting point for an I&AM project
• Not dependent on I&AM
Resource Needs
• Skills
• Methodology guidelines
• Tools
• Auditing Abilities
• Sponsorship
Gartner Newsroom
• Gartner Says Most Organizations Approach IAM in the Wrong Way (Egham, UK, February 16, 2011)
• “Between half and two-thirds of organizations attempting to establish a truly-effective IAM program approach it in the wrong way,” said Earl Perkins, research vice president at Gartner. “IAM process requirements should always precede organization and technology decisions. But currently, most IAM planning is done around clusters of technologies, rather than by addressing specific IT or business processes.”
• “The ‘build’ experience of IAM projects has traditionally not been a good one,” said Mr. Perkins. “While some experiences have improved and technologies are evolving, major efforts to formally build an IAM system for an organization overlook a key lesson — planning for IAM often starts from the wrong direction with the wrong people, or at least not everyone who should be involved.”
• … “IAM should not be planned with operations in mind; rather, it should be based on the foundations of the organization relative to policies, processes and people,” said Mr. Perkins. “Products are actually a relatively small focus of the decision process in an IAM program.”
• … By linking operational IAM process to the policy model of the organization, this part of IAM governance can be established as a life cycle, rather than as an ad hoc set of activities applied in a reactionary way to access and identity problems. IAM as a process can be effective in converging business and enterprise processes with IT processes and accelerating IAM program maturity for the long term.
• I&AM must be the result of an Access Governance model
Access Governance: Why
• Clarify who accesses which resource and why, considering company needs in terms of compliance, processes and people
• Reduce economic losses
• Avoid unpredictable expenses
• Mitigate risks
• Avoid friction with clients
• Avoid damage to the company's reputation
Cost Control (chart; source: Novell)
Cost Avoidance (chart; source: Novell)
Risk Avoidance
• Inappropriate access to systems and data
• Outdated or excessive access rights
• Management of "orphan" accounts
• Fewer data entry errors
• Violations
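The assessment, auditing and Segregation of Duties items listed under the Access Governance approach, and the risks listed above (orphan accounts, outdated or excessive rights, violations), all come down to reviewing who holds which access and comparing it against HR data and policy. The following is an added example, not code from the original slides or from Omnitech or Novell, of what such an access review check looks like in practice: given a constructed HR roster and a constructed snapshot of application accounts, it flags orphan accounts (no active owner in HR), Segregation of Duties violations (one person holding a conflicting role pair across any of their accounts) and stale access (not re-certified within a review window). The user names, roles, applications, the conflicting role pair and the 365-day window are all hypothetical.

```python
"""Access review checks over a constructed snapshot of HR records and accounts.

All data below is constructed for illustration; the HR roster, applications,
roles, the SoD policy and the review window are hypothetical.
"""
from datetime import date, timedelta

# Constructed HR roster: user id -> (employment status, department)
HR = {
    "alice": ("active", "finance"),
    "bob":   ("active", "finance"),
    "carol": ("terminated", "it"),   # has left: her accounts should no longer exist
    "dave":  ("active", "sales"),
}

# Constructed account snapshot: (application, account, owner, roles, last_review)
# A service account with no recorded owner is included on purpose.
ACCOUNTS = [
    ("erp", "alice",      "alice", {"ap_invoice_entry"},                        date(2015, 5, 1)),
    ("erp", "bob",        "bob",   {"ap_invoice_entry", "ap_payment_approval"}, date(2015, 5, 1)),
    ("erp", "carol",      "carol", {"erp_admin"},                               date(2014, 1, 15)),
    ("crm", "dave",       "dave",  {"crm_sales"},                               date(2014, 1, 15)),
    ("crm", "svc_report", None,    {"crm_admin"},                               date(2015, 5, 1)),
]

# Hypothetical SoD policy: role pairs a single person must never hold together.
SOD_CONFLICTS = [frozenset({"ap_invoice_entry", "ap_payment_approval"})]

# Hypothetical review date and certification window.
REVIEW_DATE = date(2015, 6, 20)
MAX_REVIEW_AGE_DAYS = 365


def find_orphans(accounts, hr):
    """Accounts whose owner is unset, unknown to HR, or no longer active."""
    return sorted(
        (app, acct)
        for app, acct, owner, _, _ in accounts
        if owner is None or hr.get(owner, ("unknown", None))[0] != "active"
    )


def find_sod_violations(accounts, conflicts):
    """Owners holding every role of a conflicting pair, aggregated across all their accounts."""
    roles_by_owner = {}
    for _, _, owner, roles, _ in accounts:
        if owner is not None:
            roles_by_owner.setdefault(owner, set()).update(roles)
    return sorted(
        (owner, tuple(sorted(pair)))
        for owner, roles in roles_by_owner.items()
        for pair in conflicts
        if pair <= roles
    )


def find_stale(accounts, today, max_age_days=MAX_REVIEW_AGE_DAYS):
    """Accounts whose last certification is older than the review window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted((app, acct) for app, acct, _, _, last in accounts if last < cutoff)


def access_review(accounts, hr, conflicts, today):
    """Run all three checks and return the findings as a report dictionary."""
    return {
        "orphans": find_orphans(accounts, hr),
        "sod": find_sod_violations(accounts, conflicts),
        "stale": find_stale(accounts, today),
    }


def review_sample():
    """Run the review over the constructed data above."""
    return access_review(ACCOUNTS, HR, SOD_CONFLICTS, REVIEW_DATE)


if __name__ == "__main__":
    for category, findings in review_sample().items():
        print(category)
        for finding in findings:
            print("  ", finding)
```

Running the script reports carol's ERP account and the unowned CRM service account as orphans, bob's combination of invoice entry and payment approval as an SoD violation, and the two accounts not certified since January 2014 as stale. Note that the SoD check aggregates roles per owner across applications, since a conflict split across two systems is still a conflict; in a real review the HR roster and account snapshot would be exported from the HR system and from each application rather than embedded.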
Access Lifecycle Management (diagram; source: Novell)
Critical Success Factors
• Sponsorship: authority and leadership
• Targets shared with management
• Policy compliance control: change management
• Prevention: a healthy professional lifestyle
What can happen if you do not do it
• Loss of clients' and partners' trust
• Loss of appreciation and reputation
• Loss of money
What can happen if you do it
• Cost Control: paper, people and communication
• Reputation: customer loyalty, market share
• Risk Avoidance: unwanted media attention, regulatory audit findings, journal
• Added Value: delighted customers, market differentiation
• Cost Avoidance: penalty fees, redundant processing, reduced development
Access Governance Benefits
• Awareness
• Consistent access
• A strategic model as the reference point
• Prevention of information leakage
Conclusions
• The inferior doctor treats actual sickness
• The mediocre doctor attends to impending sickness
• The superior doctor prevents sickness (old Chinese proverb)
Access Governance
First step towards global Access Assurance
Maurizio Milazzo