Risk management in today's business environment involves systematically identifying, assessing, and controlling threats to a company's IT resources. The ultimate goal is to ensure businesses operate smoothly and maintain compliant access to their systems.
What is Compliant Access?
Compliant access minimizes potential risks associated with granting access to company resources, such as computer systems, applications, and software. It ensures that access is aligned with an employee’s role and adheres to regulatory rules, industry standards, and company policies. This approach defines what is considered acceptable, risky, or non-compliant regarding access rights.
Challenges with Traditional Risk Management
Traditionally, enterprises face significant challenges in managing risks spread across multiple cloud and on-premise systems. This complexity is often exacerbated by overlapping system access. To effectively manage these risks, companies must deeply understand the permissions model for every application they use to prevent excessive access that increases risk. EmpowerID offers a solution with its comprehensive Identity Governance and Administration (IGA) connector library, which integrates diverse permissions models, thereby reducing risk and enhancing control over system access.
EmpowerID’s Approach to Bridging Gaps
Despite the technical prowess of many IAM solutions, they often fail to link system entitlements to business processes in a user-friendly manner. For instance, in an SAP system, the entitlement to create a purchase order is represented by the TCode ME21N. While this is clear to application specialists, it may not be so to business users. EmpowerID addresses this gap by translating complex entitlements into easily understandable terms, thus enhancing both transparency and control.
EmpowerID Risk Management Strategy
EmpowerID recognizes that each organization has unique process definitions and policy needs. It tailors its risk management solutions to accommodate these characteristics, simplifying complex terminologies into plain language for business users while preserving the necessary technical details for IT professionals.
Integrating Business Models
Understanding that businesses operate through continuous processes to deliver products or services, EmpowerID breaks down these processes into smaller, manageable "business-defined activities." These activities are then mapped to specific rights and roles within the system, a practice known as "function mapping." This mapping clarifies roles and responsibilities and enhances visibility into potential risk areas.
Function Mapping and Risk Management
EmpowerID distinguishes between global functions—actions performable in multiple applications—and local functions—actions specific to a location or application. These functions are linked to global and local risks, respectively. Global risks might include actions like "Create Purchase Order," which are standardized across the organization. Local risks, however, are specific to actions within certain applications, like creating a purchase order in a specific SAP environment.
Understanding Risks
Organizations establish risk policies that help define critical or sensitive functions within their IT infrastructure and identify toxic combinations or Segregation of Duties (SOD) violations. These risks vary from users having access to high-risk functions unrelated to their daily tasks to having the ability to perform end-to-end functions within an application. Risks consist of risk rules, which are functions added to the risk; a risk must have at least one function for the risk engine to evaluate it, while SOD risks require a minimum of two functions—a risk function and a risk-segregated function.
Global and Local Risks
Global risks represent actions that users can perform in one or more applications considered potentially risky by an organization. For example, a global risk named "Create Purchase Order" would map to a global function named "Create Purchase Order," which returns all users with that function when compiled by the risk engine. Local risks pertain to actions performed within a specific application or location and are added to global risks to link broad policies to specific instances where they apply.
Risk Rules
Risk rules are the functions added to a risk. A risk can have multiple functions as required, but it must have at least one for the risk engine to calculate the rule. (SOD risks require a minimum of two – a risk function and a risk-segregated function.)
Risk Violations
EmpowerID's risk management controls are divided into Preventative and Detective controls. Preventative controls occur in real-time during access requests, helping users identify potential policy breaches before proceeding. Detective controls identify new risk violations by reanalyzing all access and attribute changes on a scheduled basis, ensuring comprehensive risk management coverage.
When violations like those depicted in Image 4 above are identified by the user and submitted for approval, requests marked as potential risk violations undergo an additional layer of approval by risk owners. These risk owners have the option to accept the risk and implement mitigating controls or reject the risk and deny the access assignment.
Risk Owner Decisions
Violations detected, whether through preventative or detective means, are routed to risk owners for decisions on whether the risky access should be allowed or denied. Risk owners analyze how the access was obtained and decide on potential mitigation or correction actions. This proactive approach ensures that all access within the organization adheres to established risk policies and maintains the security integrity of the IT environment.
Conclusion
EmpowerID's risk management approach combines detailed technical controls with simple, business-focused explanations. This ensures that enterprises can maintain strict access controls while increasing the understanding and management of these controls across all organizational levels. As businesses evolve and new threats emerge, leveraging EmpowerID's comprehensive risk management strategies will be crucial to protecting sensitive data and systems, ultimately promoting strong compliance and operational integrity.