Compliant Risk Management is crucial for organizations to provide Compliant access, ensuring alignment with business policies and risk mitigation. Compliant access involves incorporating risk policies to evaluate if a certain level of access would lead to unacceptable risks. EmpowerID's risk engine supports both preventive and detective Segregation of Duties (SOD) simulation and validation.EmpowerID provides various features to streamline the process.
Prevention of Violation
Risk management controls are typically classified as either Preventative or Detective. Preventative controls involve real-time checks when access is requested or assigned to determine if the assignments breach any risk policies. EmpowerID uses preventive controls to enable users requesting access to a resource in the IAM Shop to see any risk policy violations their access request might cause before submitting it. In such cases, users must acknowledge the violations to continue with the access request.
When violations like those mentioned above are identified and submitted for approval, the requests undergo an additional layer of approval by risk owners. These risk owners can either accept the risk and implement mitigating controls or reject the risk and deny the access assignment. Preventative controls are more accessible to implement, as the risk engine focuses on a smaller data set derived from newly assigned items and the recipient's current access.
Detection & Mitigation
Detective controls are more data and processing-intensive for the risk management system. Every day, thousands of access and attribute changes can occur across hundreds of an organization's on-premise or cloud systems outside the control of the risk management system. These changes often produce ripple effects, leading to larger changes driven by inherited policies and users' lifecycle events, resulting in the readjustment of their access. Therefore, new risk violations must be "detected" by the engine, which is only possible by continuously reanalyzing all the access, attribute, and entitlement data collected from external systems. EmpowerID adopts a big data approach to this complex challenge, boiling down the net results of all these access assignments to detect violations obtained even through multiple disconnected inheritance hierarchies and dynamic policies. The EmpowerID engine also captures a complete picture of how the user triggers the violation and the roles or entitlements from which they receive the Segregated Business Functions.
Whether detected by preventative or detective risk controls, violations of risk policies must be routed to risk owners, who must decide whether to allow the user to obtain or keep the offending access. If EmpowerID discovers users violating the risk rules for a local risk (they have one or more risk functions defined by the local risk), it flags the violations. It sends them to risk owners for approval, mitigation, or remediation. Risk violations are logged and tracked, alerting risk owners of pending violations awaiting their decision. Risk owners can analyze all aspects of how the risky access was obtained and decide whether to allow the risk and add optional mitigating controls or opt for the violation to be corrected and the risky access removed.
Record and Reporting
EmpowerID is an excellent platform for detecting and documenting all types of risk violations. It meticulously captures the actions taken in response to each incident and maintains a comprehensive history, including detailed records of mitigation controls. This approach guarantees the timely and effective management of risks within an organization. Users can easily export these records for various purposes, ensuring flexibility in utilization.
EmpowerID also features a risk dashboard that consolidates and presents critical information in a user-friendly format. This dashboard enables organizations to quickly comprehend major risk factors and make informed decisions to strengthen their overall risk management strategies.