About Risk Management

In a business environment, risk management means systematically identifying, assessing, and controlling threats that could negatively impact a company's IT resources. The ultimate goal is to keep your business running smoothly and ensure "compliant access."

Compliant access involves minimizing potential risks when granting access to company resources, such as computer systems, applications, and software, in line with set guidelines and policies. It means giving access that is appropriate to an employee's role based on company rules about risk. Regulatory rules, industry standards, and company procedures help define what is considered acceptable, risky, or non-compliant.

Challenges with Traditional Risk Management

Many businesses today struggle with managing enterprise risks spread across multiple cloud and on-premise systems. Overlapping system access often creates these risks. Therefore, companies need a deep understanding of the permissions model for every application they use to prevent users from having too much access and increasing risk. EmpowerID steps in to solve this problem with a comprehensive Identity Governance and Administration (IGA) connector library that integrates different permissions models, thereby lowering risk and enhancing understanding of system access.

However, many Identity and Access Management (IAM) solutions primarily focus on technical aspects of access control and lack a model that connects system entitlements to business processes in a user-friendly way. For example, take the creation of a purchase order in SAP. In this system, entitlements are represented by TCodes, with the TCode for creating a purchase order being ME21N. While application specialists may be familiar with the TCode's significance, numerous business users likely are not. EmpowerID's risk management approach aims to bridge this gap.

Image 1: Example of a native system entitlement

EmpowerID Risk Management Approach

EmpowerID acknowledges that each organization has a unique way of defining its processes and policies. Therefore, it offers a risk management solution that caters to this uniqueness, making it easier to understand for non-technical audiences while maintaining necessary technical detail for IT professionals.

Integrating your Business Model

EmpowerID understands that every business consists of processes performed continuously to deliver products or services. It simplifies complex technical terms into plain language for business users by breaking down these processes into smaller, "business-defined activities" that a person can perform.

Image 2: Business Process

Function Mapping

These business-defined activities, or "functions," are then mapped to the specific rights and roles that carry out each step of a process, which is known as "function mapping." EmpowerID distinguishes between global functions (actions users can perform in multiple applications, such as "create groups") and local functions (actions users can perform within a specific location, such as "create groups in Azure Tenant X"). Function mapping links business users to global rights, roles, and specific entities or systems.

Understanding Risks

Organizations establish risk policies to define critical or sensitive functions within their IT infrastructure and identify toxic combinations or Segregation of Duties (SOD) violations. Risks can vary from users having access to high-risk functions unrelated to their daily tasks to users having the ability to perform end-to-end functions within an application. Risks consist of risk rules (the functions added to the risk, described under Risk Rules below) and can be either global or local.

Global Risks

Global risks represent actions that users can perform in one or more applications considered potentially risky by an organization. As a result, global risks map to global functions that define the specific rights and roles, granting users the ability to perform those actions. For example, a global risk named "Create Purchase Order" could be mapped to a global function – known as a risk function – also named "Create Purchase Order." When the risk engine compiles a global risk, it returns all users with the risk functions.

Local Risks

Local risks represent actions that users can perform within a specific location or application instance considered potentially risky by an organization. In EmpowerID, local risks are added to global risks to logically connect the generic actions specified by global risk policies to the actual entities, systems, and locations where users can perform them. An example of a local risk would be "Create Purchase Order in SAP Prod" mapped to a global risk named "Create Purchase Order." When the risk engine compiles a local risk, it returns all users with those risk functions as violations.

Risk Rules

Risk rules are the functions added to a risk. A risk can have multiple functions as required, but it must have at least one for the risk engine to calculate the risk rules. (SOD risks require a minimum of two – a risk function and a risk-segregated function.)

Risk Violations

Preventative Controls

Risk management controls are typically classified as either Preventative or Detective. Preventative controls involve real-time checks that take place when access is requested or assigned to determine if the assignments breach any risk policies. EmpowerID uses preventative controls to enable users requesting access to a resource in the IAM Shop to see any risk policy violations their access request might cause before submitting it. In such cases, users must acknowledge the violations to continue with the access request.

When violations like those mentioned above are identified and submitted for approval, the requests undergo an additional layer of approval by risk owners. These risk owners can either accept the risk and implement mitigating controls or reject the risk and deny the access assignment. Preventative controls are easier to implement, as the risk engine focuses on a smaller data set derived from newly assigned items and the recipient's current access.

Detective Controls

Detective controls are more data- and processing-intensive for the risk management system. Every day, thousands of access and attribute changes can occur across hundreds of an organization's on-premise or cloud systems, outside the control of the risk management system. These changes often produce ripple effects, leading to larger changes driven by inherited policies and users' lifecycle events, resulting in the readjustment of their access. Therefore, new risk violations must be "detected" by the engine, which is only possible by continuously reanalyzing all the access, attribute, and entitlement data collected from external systems. EmpowerID adopts a big data approach to this complex challenge, boiling down the net results of all these access assignments to detect violations obtained even through multiple disconnected inheritance hierarchies and dynamic policies. The EmpowerID engine also captures a complete picture of how the user triggers the violation and the roles or entitlements from which they receive the Segregated Business Functions.
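As an added worked example (not EmpowerID's code or data model), the following Python sketch models the concepts from the Understanding Risks and Risk Violations sections: global and local risks, an SOD risk built from a risk function plus a segregated function, a detective pass that re-evaluates every user's collected access, and a preventative check that reports only the violations a pending request would introduce. All function, location, and user names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed illustration of the risk concepts above (not EmpowerID's code).
# A user's effective access is a set of (function, location) pairs, e.g.
# ("Create Purchase Order", "SAP Prod"): a business-defined activity in an instance.

@dataclass(frozen=True)
class Risk:
    name: str
    risk_functions: FrozenSet[str]                       # the risk rules
    segregated_functions: FrozenSet[str] = frozenset()   # non-empty => SOD risk
    location: Optional[str] = None                       # None => global risk

    def __post_init__(self):
        if not self.risk_functions:
            raise ValueError("a risk needs at least one risk function")

    def _has(self, names, access):
        # A global risk matches the function anywhere; a local risk only in its location.
        return any(fn in names and self.location in (None, loc) for fn, loc in access)

    def violated_by(self, access):
        """True when the access triggers the risk; an SOD risk needs both sides."""
        if not self._has(self.risk_functions, access):
            return False
        return self._has(self.segregated_functions, access) if self.segregated_functions else True

def detect_violations(risks, users):
    """Detective control: reanalyse every user's collected access."""
    return sorted((u, r.name) for u, acc in users.items() for r in risks if r.violated_by(acc))

def preventative_check(risks, current, requested):
    """Preventative control: violations a request would add, shown before submission."""
    before = {r.name for r in risks if r.violated_by(current)}
    after = {r.name for r in risks if r.violated_by(current | requested)}
    return sorted(after - before)

RISKS = [
    Risk("Create Purchase Order", frozenset({"Create Purchase Order"})),             # global
    Risk("Create and Approve Purchase Order in SAP Prod", frozenset({"Create Purchase Order"}),
         frozenset({"Approve Purchase Order"}), "SAP Prod"),                         # local SOD
]
USERS = {  # constructed sample access
    "alice": {("Create Purchase Order", "SAP Prod"), ("Approve Purchase Order", "SAP Prod")},
    "bob": {("Create Purchase Order", "SAP Dev")},
    "carol": {("View Invoices", "SAP Prod")},
}

if __name__ == "__main__":
    print(detect_violations(RISKS, USERS))
    print(preventative_check(RISKS, USERS["carol"], {("Create Purchase Order", "SAP Prod")}))
```

Note that bob triggers only the global risk: the local SOD risk is scoped to SAP Prod, so his access in SAP Dev does not match it.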

Risk Owner Decisions

Whether detected by preventative or detective risk controls, violations of risk policies must be routed to risk owners, who must decide whether to allow the user to obtain or keep the offending access. If EmpowerID discovers users violating the risk rules for a local risk (they have one or more risk functions defined by the local risk), it flags the violations and sends them to risk owners for approval, mitigation, or remediation. Risk violations are logged and tracked, alerting risk owners of pending violations awaiting their decision. Risk owners can analyze all aspects of how the risky access was obtained and decide whether to allow the risk and add optional mitigating controls or opt for the violation to be corrected and the risky access removed.