PingOne Advanced Identity Cloud

Key considerations

To get started with Identity Governance, evaluate several key areas before you implement anything. A sound strategy defines your goals, inventories your environment, and plans for automation and continuous improvement.

As you begin your identity governance journey, assess the following considerations:

  1. Define your Identity Governance objectives

    Before you implement any governance process, ask these questions:

    • Are you aiming for regulatory compliance, such as GDPR, HIPAA, or SOX?

    • Is security your top concern, such as reducing over-privileged accounts or preventing insider threats?

    • Do you want to automate onboarding and offboarding for more efficient operations?

    • Do you want to achieve all of the above?

  2. Inventory your identities and resources

    Create a complete and accurate inventory of all identities and resources in your environment:

    • Determine whether you are applying governance to the whole company or to specific organizations.

    • Identify all internal users, including full-time employees, contractors, and service accounts.

    • Determine all external users, such as suppliers and partners.

    • Identify which applications, systems, and resources these identities can access and the permissions they have.

  3. Plan integrations with authoritative sources and target systems

    Determine how to connect IGA with your data sources:

    • Determine your authoritative applications and how to connect to them.

    • Determine your target applications and systems, including cloud and on-premises systems.

    • Plan for data imports and syncing between systems, and determine if the data flow is one-way or two-way.

    • Determine and assign your application owners, who are users that manage access to applications and their entitlements.

  4. Use roles to define entitlements

    Group permissions using roles instead of managing individual entitlements:

    • Determine roles based on job functions, such as for managers, contractors, or support personnel.

    • Consider how to map entitlements within each application.

    • Define which systems and permissions each role should have.

    • Identify sensitive roles that require special permissions.

    • Assign entitlement owners to manage access to specific entitlements.

    • Assign role owners to manage access to specific roles.

  5. Automate processes with workflows

    Use workflows to automate identity lifecycle events and other business processes. A workflow is an automated series of steps that executes a business process from start to finish. In IGA, you can use workflows to automate identity-related tasks that would otherwise be manual and time-consuming.

    • New employees: Determine how to provision accounts and assign access when someone joins your company.

    • Job changes: Decide how to adjust access when an employee moves to a new job role, so that they gain the permissions the new role requires and lose those the old role granted. Access that accumulates across moves is a common source of over-privileged accounts.

    • Employee turnover: Plan how to revoke all access when someone leaves the company to minimize security risks.

  6. Implement self-service access requests and approval workflows

    Enable users to request new access through a self-service portal that has controlled approval workflows:

    • Build a self-service portal where users can request access to applications, roles, or entitlements.

    • Create forms for users to submit access requests, including dynamic forms that change the fields shown based on what the user enters.

    • Route access requests to the appropriate approvers, such as managers, application owners, and entitlement owners.

    • Capture an audit trail of every request, approval, and denial.

  7. Conduct access certification campaigns

    Conduct access review certification campaigns at regular intervals:

    • Assign certifiers, such as managers, application owners, role owners, or entitlement owners.

    • Require certifiers to determine whether each user still needs their assigned access.

    • Automate the revocation of access that is no longer needed.

    • Escalate incomplete certifications by forwarding them to the appropriate reviewers.

  8. Define and configure policies and controls

    Define rules that monitor or block risky access:

    • Separation of Duties (SoD): Your policies should ensure that no single user holds a combination of entitlements or roles that creates a conflict of interest or enables fraud, such as running payroll and auditing payroll.

    • Least privilege: Your policies should ensure that users have only the minimum access privileges required to do their jobs.

    • Bad combinations: Identify dangerous combinations of permissions across systems that, when held together by one user, could lead to a breach, even when no single permission is sensitive on its own.

  9. Establish reporting, metrics, and audit readiness

    Provide visibility into governance activities with dashboards and reports:

    • Monitor dashboards that show who has access to what, who granted access, and whether anyone reviewed the access.

    • Create reports to track governance activities.

    • Maintain a record of all access approvals, revocations, escalations, and policy violations.

    • Generate audit reports when required.

  10. Plan for continuous improvement

    A key consideration is to recognize that identity governance is a long-term ongoing process, not a one-time project:

    • Determine when to review your entitlements, roles, policies, and integrations throughout the year.

    • Determine how to adapt to organizational changes, such as promotions, mergers, and layoffs.

    • Consider how to adjust processes based on feedback from stakeholders, such as end users, managers, and auditors.
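As an added, self-contained illustration of how items 4, 5, and 8 above fit together (this is example code written for this page, not the PingOne Advanced Identity Cloud implementation or its API), the Python below expands role assignments into a user's effective entitlements with their source, evaluates SoD and bad-combination policies against that set, and computes the grant/revoke set for a job change. Every role, entitlement, user, and policy name is constructed for the example.

```python
# Added example: role expansion, SoD / bad-combination policy evaluation, and a
# job-change (mover) diff. All identifiers are constructed for illustration; they are
# not PingOne Advanced Identity Cloud objects or APIs.
from collections import defaultdict

# Roles group entitlements (item 4). Entitlement identifiers use a hypothetical
# "<application>:<permission>" naming scheme.
ROLES = {
    "payroll-clerk":    {"hr-app:payroll.run", "hr-app:employee.read"},
    "payroll-auditor":  {"hr-app:payroll.audit", "hr-app:employee.read"},
    "support-engineer": {"ticketing:ticket.write", "prod-db:read"},
    "dba":              {"prod-db:read", "prod-db:write", "prod-db:admin"},
}

# Users hold roles and may also hold entitlements granted directly, outside any role.
USERS = {
    "alice": {"roles": {"payroll-clerk"}, "direct": set()},
    "bob":   {"roles": {"payroll-clerk", "payroll-auditor"}, "direct": set()},
    "carol": {"roles": {"support-engineer"}, "direct": {"prod-db:write"}},
    "dave":  {"roles": {"payroll-auditor"}, "direct": {"hr-app:payroll.run"}},
}

# A policy is violated when one user's effective access is a superset of the listed
# entitlements (item 8). SoD rules model a conflict of interest; bad-combination rules
# model a dangerous cross-system mix.
POLICIES = [
    {"name": "sod-payroll-run-vs-audit", "kind": "sod",
     "entitlements": {"hr-app:payroll.run", "hr-app:payroll.audit"}},
    {"name": "bad-combo-ticket-write-and-prod-write", "kind": "bad-combination",
     "entitlements": {"ticketing:ticket.write", "prod-db:write"}},
]


def effective_access(user, users=USERS, roles=ROLES):
    """Return {entitlement: set(sources)}; a source is 'role:<name>' or 'direct'.

    Keeping the source tells a certifier what to revoke: a role assignment, a direct
    grant, or both when the same entitlement arrives two ways.
    """
    access = defaultdict(set)
    record = users[user]
    for role in record["roles"]:
        for ent in roles[role]:  # KeyError here means a role reference is dangling
            access[ent].add(f"role:{role}")
    for ent in record["direct"]:
        access[ent].add("direct")
    return dict(access)


def evaluate_policies(user, users=USERS, roles=ROLES, policies=POLICIES):
    """Return the list of policy violations for one user; an empty list is compliant."""
    access = effective_access(user, users, roles)
    held = set(access)
    violations = []
    for policy in policies:
        if policy["entitlements"] <= held:
            violations.append({
                "user": user,
                "policy": policy["name"],
                "kind": policy["kind"],
                # Where each conflicting entitlement comes from, for remediation.
                "sources": {ent: sorted(access[ent])
                            for ent in sorted(policy["entitlements"])},
            })
    return violations


def evaluate_all(users=USERS, roles=ROLES, policies=POLICIES):
    """Run every policy against every user: the shape a violations report needs."""
    report = []
    for user in sorted(users):
        report.extend(evaluate_policies(user, users, roles, policies))
    return report


def mover_diff(user, new_roles, users=USERS, roles=ROLES):
    """Job change (item 5): entitlements to grant and revoke when the user's roles
    become `new_roles`. Direct grants are not revoked automatically, because no role
    explains them; they are returned for manual review instead."""
    before = set(effective_access(user, users, roles))
    from_roles = set().union(*(roles[r] for r in new_roles)) if new_roles else set()
    direct = set(users[user]["direct"])
    after = from_roles | direct
    return {"grant": sorted(after - before),
            "revoke": sorted(before - after),
            "review_direct": sorted(direct)}


if __name__ == "__main__":
    for v in evaluate_all():
        print(f"{v['user']}: {v['kind']} policy '{v['policy']}' violated")
        for ent, srcs in v["sources"].items():
            print(f"    {ent} via {', '.join(srcs)}")
    print("carol -> dba:", mover_diff("carol", {"dba"}))
```

Run as a script, the report flags bob (two conflicting roles), carol (a role plus a direct grant), and dave (a direct grant that conflicts with his role); alice is clean. The mover diff for carol shows that moving her to the dba role should revoke the ticketing write, grant prod-db:admin, and leave her direct prod-db:write for a reviewer to decide on. Re-running the policy evaluation after every mover change is what keeps the accumulated-access problem from reappearing.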