ManualsPro opentext openText NetIQ Identity Governance and Administration User Guide

openText NetIQ Identity Governance and Administration User Guide

June 16, 2024
opentext

openText NetIQ Identity Governance and Administration

Product Information

The Identity Governance and Administration (IGA) solution by NetIQ is a comprehensive system that merges identity lifecycle management and access governance. It helps organizations manage entitlements for employees and contractors efficiently, ensuring secure access to various systems and services.

Specifications:

  • Vendor: NetIQ by OpenTextTM
  • Features: Identity lifecycle management, access governance, automation, permissions governance.
  • Special Features: Empowerment of business owners, comprehensive digital asset catalogue.

Product Usage Instructions

Understanding Identity Governance Challenges:
Begin by recognizing the challenges your organization faces in managing entitlements for employees and contractors. Identify the need for effective access governance and automation to streamline processes.

Implementing the IGA Solution:
Install and configure the NetIQ IGA solution according to the provided guidelines. Ensure that all relevant stakeholders are involved in the implementation process.

Empowering Business Owners:
Enable business owners to participate in mapping their business processes to governance policies. Provide them with relevant information to make informed entitlement decisions.

Assessing Access Governance Capabilities:
Regularly assess your access governance capabilities using the comprehensive digital asset catalog provided by the IGA solution. Review results to identify areas for improvement.

Addressing Governance Gaps:
Focus on areas of weakness identified by lower scores in your access governance assessments. Take necessary steps to strengthen governance capabilities and address any gaps.

FAQ:

  • Q: How can I measure my organization’s access governance capabilities?
    A: Use the comprehensive digital asset catalog provided by the IGA solution to assess your environment and identify potential risks.

  • Q: What should I do if my organization is at risk according to the assessment?
    A: Consider implementing an Identity Governance and Administration solution from a trusted vendor to enhance security and mitigate risks.

Beginning as a necessity to simply provision new employees into various foundational systems, IT is finding it increasingly difficult to manage entitlements for a growing list of services needed by employees and contractors to do their job.

  • Evolving identity governance to the next level requires that you empower your business owners to participate in mapping their business processes to governance policies.

Adding to this are escalating risks from an increasingly connected world and maturing privacy regulations. Not only has virtually all information become digital, but it is also usually cloud-based. Altogether, this digital transformation has created an identity and access sea change: the perfect storm of connected systems holding sensitive digital data in a world of rising breach costs and regulations. It is in this context that organizations have placed a new emphasis on automating permissions management and transitioning control of it to the information and business owners.

Digital Transformation Security Complexities

NetIQ Identity Governance and Administration by OpenText™ is the merging of identity life cycle management and access governance. And while automation remains a foundational approach to identity management, there is also a need to be more effective in permissions governance and attesting to its execution. So, while the categories in the list below aren’t new, the level of complexity is:

  • The number of services: The number of services requiring coordinated permissions management continues to multiply. Despite the promise of federation technologies, even newly developed services typically implement their own copy of an identity store for authentication and authorization. This design matters because digital transformation continues to proliferate the number of digital services and resources needed for each employee to do their job.

  • Location of services: The move away from intranets as the predominant host of services has reached a mainstream level. This means that most organizations have a hybrid digital infrastructure consisting of a mix of cloud and proprietary services. It is this diminished role of firewalls that makes timely permission updates critical—and the failure to do so, perilous. So much so that manual administration of them is increasingly unviable, both in terms of invoking permission updates in a timely matter and the growing consequence of human error.
    Section 3.1 of NIST Special Publication 800-171 offers guideline of defining your access control criteria.

  • Compliance: Organizations continue their struggle to enable a more efficient workforce and develop more engaging services for their consumers, while staying compliant with the regulated information that they hold. Digital transformation has made gathering and assembling the information required to attest compliance a progressively unwieldy exercise. The sheer size and complexity of distributed services and resources have pushed audit preparations beyond a spreadsheet exercise. Beyond the complexity of an audit, breach of regulated data often results in rigorous vetting to ensure that compliance is continual.

  • Risk and least privilege: Managing business exposure extends beyond the risk of failing an audit; it includes the fallout of an actual breach. Beyond the consequences imposed by a regulatory agency, the financial hit from lost consumer trust can be sizable, or even fatal, to executive management. One of the best tools for protecting sensitive information is to be disciplined in applying least-privilege security principles—meaning, only those who need access to sensitive information have it. And, if or when that need goes away (for example, a role change), access goes away with it. And while least privilege is one of the most effective ways to limit the damage of a breach, it is next to impossible for most organizations to practice it without automation.

To meet these challenges, organizations are bringing in business-related insights to deliver effective entitlement decisions, automate their enforcement, and attest to its execution.

Responding to the Latest Access Trends

While digital transformation has enabled remote workers to be more productive, the COVID-19 pandemic pushed IT teams to expand their remote strategy and speed up their implementations. Not just internally, but also consumer-facing services and interactions. Allowing the access of so much sensitive information to remote users on BYODs in such divergent circumstances requires a new paradigm of security principles and approaches, including entitlement management.

Measuring Your Access Governance Capabilities

As you evaluate the maturity of your access governance infrastructure, take a moment to assess the levels of risk that your sensitive resources pose to your organization. It’s quite possible that your IT or Security teams have risk assessment artifacts that list the vulnerabilities (predisposition and severity), as well as the potential range of impact from improper access (malicious or otherwise) to those resources. The more concrete your understanding of the threat landscape that your digital resources pose to you, the more accurate your ratings to the questions below will be.
Accurate risk assessment is dependent on a comprehensive digital asset catalog.

Assessing the Results
Now that you’ve done your best to measure your access governance capabilities, review the breakdowns below to see where your organization fits. Of course, these generalized descriptions don’t take into account the industry that your organization is in; nor is it a direct indicator of whether you will be subject to a fine.

Assessing Your Environment

Addressing Your Governance Gaps

In addition to measuring your overall identity governance score against the table above, you can also focus on areas of weakness, as identified by the rows with your lower scores. This section further explains the extent of these capabilities.

Developing Least Privilege Principles and Policies
Beyond the technology itself, the strength of an organization’s least privilege implementation depends on its approach to defining it. Least privilege should be designed and configured based on how the business owners view their risk and the posture they want to take to protect against it. These questions are important because they form the basis for management taking action and investing in a solution to implement their business and security goals. Measuring risk can be divided into two broad categories:

  • What vulnerabilities does your sensitive information pose to you and how do they match current breach trends?
  • When a breach happens, what are the predicted costs to your organization for each of the data profiles you are protecting?
    Before you can empower your business owners to make the right entitlement decisions, you must present them relevant information in a way that they can quickly digest it.

From this foundation of measured risk, an organization should define its philosophy and corresponding least-privilege processes, outlining how aggressively they want to apply it. To do this means it must first be measured. Step 1 is for the responsible business owners
to determine the risk that each of the different types of resources poses to them and the restrictions or conditions that must be met before granting access. Examples of account types or roles include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Conditions of access beyond just permissions are things such as time of day, day of the week, point of origin, or device familiarity.

Effectively Applying Your Least Privilege Processes
In order for your access governance solution to be effective, it needs the flexibility to protect all of your sensitive resources. Typically, this goes beyond data accessed through services and your unstructured data (Doc, XLS, HTML, CSV, JPG, etc.). Proper coverage is more than casting a wide net; it also requires granularity to enforce the specific policy in place. So, in addition to importing identity information, you need the flexibility to manipulate permissions and possibly set the context (device, place, time, etc.) that controls when those permissions can be executed.
Beyond robust automation, your organization needs to monitor your protected information from these perspectives:

  • Employing a dedicated monitoring solution to watch for when specific resources are accessed and by whom.
  • Monitoring context and behavior to potentially respond if a risk threshold is exceeded.
  • Ensuring that all monitoring capabilities clearly and reliably associate a session with an identity.

Workflows That Work
To assess your permission workflows, you need to evaluate the user experience and the reach of governance across your organization’s resources. You know that you have a well-implemented permissions workflow solution when it is easy for your users to request and gain access to the resources they need. At the same time, resource owners are still able to protect them. The main vulnerability in this scenario is the proliferation of granted permissions—that is, extending them beyond their desired level. In short, you are maintaining an environment where only the right people have access to the right resources, while keeping the organization both efficient and secure.
Not only are workflows essential to automating permissions management, but they also offer an opportunity for you to present the right set of information to the asset owner at the exact time he needs to make an entitlement decision.
Here are some key areas to focus on:

  • Encompassing governance: The more complete your governance implementation, the less often users will have to go outside of it to gain access. Ideally, all resources that require special permission to gain access should be managed through your governance solution. Conversely, when users are forced to go outside of an automated request system, it is more hassle for them and less secure for the organization.
  • Simplicity for the requester: The workflow tool needs to be easy to find, simple to use, and accessible when and where the requester needs it—which usually means anytime on any device. Once they are in the tool, the list of resources needs to be easy to find and granular enough that requests are limited to only what is required.
  • Effective approver: Core to this requirement is bringing together all of the information needed for a business-level approver to make the best permissions decision and do it quickly. The critical element is to present the relevant information in such a way that a business owner can promptly understand what access is needed and the level of risk it imposes. A key objective is to protect against approval rubber stamping and to make a judgment based on:
    • Does the requestor merit the access?
    • What is the total risk involved by granting access?

Managing Separation of Duties across Your Organization
Because most organizations run lean, it’s not uncommon for employees or contractors to wear many hats, covering a diverse set of responsibilities. In these environments ensuring separation of duties (SoD) for security, and often ompliance, can be elusive. NIST summarizes security intent as “separate the duties of individuals to reduce the risk of malevolent activity.” For digital services, common collusion risks are responsibilities such as configuration management, quality assurance, testing, system management, programming, network security, etc. Other standard SoD implementations are used to enforce policies designed to mitigate against the risk of fraud and made possible through collusion.
Because SoD violations can span systems and application domains, effective implementation needs to measure the entirety of organizational systems and system components. So, when approvers are “in the trenches,” they need the right information to ask the right questions and identify a change that hasn’t been properly vetted. And beyond implementing SoD as a security best practice, organizations that interact with financial services have Sarbanes Oxley Act (SOX) compliance requirements that make it even more crucial to get it right. The three most common SoD scenarios that organizations need a robust solution for include:

  • Requester/approver workflows: While rubber-stamping permissions approval is a general security issue, providing SoD-related information in an easily digestible format for quick decisions is paramount.
  • SoD Reviews: Organizations should have regular SoD reviews to protect themselves from various threats from over-privileged users. With the right tool, this review can be a quick process.
  • SOX Audits: Too often, generating reports attesting to compliance is an arduous process, the worst-case scenario being that you have a find. With the proper foundation in place, audits can be essentially a reporting process.

Not only are workflows essential to automating permissions management, but they also offer an opportunity for you to present the right set of information to the asset owner at the exact time he needs to make an entitlement decision.

Maintaining Permissions Integrity
Having the most tuned environment (least privilege without reducing efficiency) requires active and competent participation by the information owners themselves, including periodic access reviews. For the best chance of ferreting out excessive rights, information owners need access to a simple and informational tool. We need to acknowledge that permissions management isn’t high on the information owner’s priority list, so the faster and less painful access reviews are, the more likely they will be a worthwhile security practice. The broadest set of governance data (such as applications and services, employees or their status, risk threshold, etc.) needs to be searchable. In addition to making it easier to stay on top of permissions management, providing training on the risks of excessive rights for both information compromises and audit finds is equally valuable. Placing the white light on your most significant risks: The best use of data owners’ time is to draw their attention first to the accounts or permission sets that create the highest risk scenario. Bringing that information to the forefront and presenting it in a way that is easy to understand allows the highest risk configurations to receive the most attention.

Separation of duties is more than a regulatory compliance requirement, it’s a core tool for you to prevent fraud and other behaviors that could harm your organization.

Quick drilldowns: Before you can offer drilldowns to information owners, you need a comprehensive entitlement repository from which everyone’s access to everything is searchable and manageable. Common types of operations that should be offered include:

  • An entitlements catalog from which security teams and owners can search for and manage collections, groups, permissions, and other attributes.
  • Business roles search and view capability—manage birthright permissions gained from the role, as well as searchable roles to find the entitlement sources.

Management consoles should be customizable to allow for specialized views and management of accounts and permissions.

Compliance and Attestation
The following organizational objectives typically drive governance attestation exercises:

  • • Self-audit conducted either within a department or across the entire organization. These audits are used to measure the effectiveness of current security policies and processes.
    • Internal attestation exercises conducted as part of a risk management initiative to assure a partner or customer that your organization meets specific security criteria or levels.
    • External audits conducted by a regulatory agency, such as those found in the financial or health industries, to verify compliance with government mandates such as PCI, HIPAA, SOX, GDPR. Because audit finds at this level might result in a fine, these external audits tend to drive the internal ones.

Micro-certifications are used to strengthen your confidence in the attestation. The micro-certifications approach is to continually monitor for any permission changes for the protected resources and verify on the fly that those changes comply with defining criteria. For confidence in the added security of micro- certifications, you need an implementation that monitors for out-of-band modifications made outside of the governance platform. Administrators are alerted to investigate the permissions change whenever a change is identified.

Ideally, reporting is simply a snapshot of permissions status controlled from a central point of the administration dashboard. Different industries each have their specific set of report requirements; the best option
is a solution that offers a variety of pre-built reports that can be customized.

Choosing the Right Information Governance and Access Solution

OpenText’s full platform approach offers some notable advantages to organizations as they strive to reach their identity and access objectives. Far lighter than the big enterprise solutions, OpenText™ has always enabled IT teams to be more nimble in their approach to identity management. At the same time, OpenText offers a more encompassing portfolio than the point vendors, with products that work well together. For example, you can feed NetIQ’s Identity Governance by OpenText™ risk information into the NetIQ Risk Service by OpenText™ to include the inherent risk of both resources and users as data is being accessed. This integration offers far greater risk assessment fidelity than any other solution in the market, as well as the ability to automate a response to protect the organization being threatened.

Micro certifications gives you an added level of confidence in your attestation submissions.

Identity and Insight
The same can be said for using NetIQ products by OpenText to achieve your organization’s NIST identity governance goals. For example, NetIQ Identity Governance is greatly enhanced by NetIQ Identity Manager’s event-based connectors that interact with the identity stores in a publish/subscribe model. This model allows NetIQ Identity Manager to enforce governance policies more forcefully than is possible in competitive solutions. Even for identity stores not integrated directly through NetIQ Identity Manager, access information from NetIQ Access Manager by OpenText™ can be used to kick off an automated micro-certification to verify that the correct level of permissions is in force.

Developing the Best Least Privilege Model
As with any organization-wide implementation, successful development of a valid and comprehensive foundation of permission policies is heavily dependent on commitment from management at the top. It takes their sponsorship and prioritization to get the required information and business owners to participate and focus on evaluating the services they provide, in order to organize and define access criteria. Your team’s first step is to use the NetIQ Identity Governance definition template to create application entities that will enable you to collect application and resource information. Then you can arrange the consumers into logical entities in the form of roles. After this phase, your stakeholders can use this information to define business roles and then then rules that control permissions for each resource.

RAISING THE EFFECTIVENESS OF YOUR ROLES
Well-defined roles have the potential to simplify risk and compliance assessment for the governed environment because they define what the standard allocation of permissions is. NetIQ Identity Governance simplifies what can quickly become an overwhelming task by filtering down to only your relevant information for identifying people within the same business function. This information can be used to determine the baseline of what users should have access to and whether they can request that access without additional approval. NetIQ Identity Governance does this by consolidating relevant information through role-mining tools that enable you to define a more capable model. With this model you can see across your entire organization and identify where people have relevant similarities:

  • After you have collected the information into NetIQ Identity Governance, you can do searches of what you have: similar attributes, similar location, similar department.
  • Within NetIQ Identity Governance, you can adjust the different parameters that are assessed and use that information to refine your policies.

FINISHING TOUCHES ON GATHERING ENTITLEMENT INFORMATION
With that groundwork in place, you can complete your picture of who needs access to what and measure the associated risk. The result of all this work is being able to conduct successful certifications. NetIQ Identity Governance helps you assemble a least privilege foundation by:

  • Automating the collection and validation of account information (identity, group, application, and permissions) across your environment.
  • Collecting and updating policies that control access to these resources.
  • Calculating risk.

As your roles are tuned over time, your baseline could reach a point where accounts within those roles are granted permissions without having to make any type of requests, reducing the burden on your supervisors and approvers. In addition to this reduced overhead, a fine-tuned baseline will keep costs and risks down for your governed services.

Automating Requests, Approvals, Reviews
With entitlement management foundation in place, NetIQ Identity Governance provides automated request and approval workflows:

  • Requesters are offered a familiar user experience similar to online shopping, where they add desired services to a shopping cart and send off the request for access.
  • Along with the request, approvers can be presented with a business case that includes the cost and potential risk criteria to help them make an educated decision.
  • If needed, requests can then be passed on to the next level.

Beyond NetIQ Identity Governance’s robust automation, it enables you to monitor protected information from these perspectives:

  • See who accesses specific resources and when.
  • Monitor context and behavior to potentially respond if a risk threshold is exceeded.
  • Ensure that all monitoring capabilities clearly and reliably associate a session with an identity.

You have now reached a point where you can account for users who are granted access outside of that structure. These one-offs often need to be brought to the attention of the information stakeholders (owner and security team) and incorporated into NetIQ Identity Governance. With relevant information about the account and resources at their fingertips, approvers and reviewers have what they need to make the right decision.

Micro-Certifications
Once all relevant information has been onboarded into your governance environment and permission flows are automated, you still need the ability to react to out-of-bounds risks. These are situations that fall outside of the criteria accepted by the organization. This assessment check happens through permission checks called micro-certifications. One type of check is on a specific person, measuring permissions across the entire digital landscape. It’s not uncommon for a periodic process to be kicked off for each account, highlighting permissions to resources that have never been accessed or that haven’t been accessed for a defined period. Increasingly, these processes are being used to drive down the costs of specified account-based licenses. The other type of micro-certification targets a specific resource, one that is sensitive and deserves close inspection. This type of micro-certification is often initiated in these ways:

  • As a routine designed as a layer of protection for highly sensitive data.
  • When a permissions trigger is kicked off, indicating that excessive permissions have been allocated for a digital resource.
  • In response to an alert or a report of unexpected actual access to the access management architecture.

Micro-certifications are a specialized process intended to limit an audit to specific criteria. OpenText enables you to automate this process to a focus area that kicked off the event. This ability to receive an event notice and quickly react with a specialized audit can be a powerful tool for increasing security and keeping costs down. For NetIQ Identity Governance, this process inherits reviewer assignments and settings from the specified review definition. You can run a micro-certification for any review type. If it is part of your standard security practices, OpenText enables you to run multiple certifications in parallel, either on-demand or with a preset schedule. By incorporating NetIQ by OpenText™’s micro-certification into your security processes, you establish greater protections against the consequences of a breach, as well as an audit find from a regulator agency. In contrast, manual certification processes are time-consuming and labor-intensive, making them impractical. Without automation, your security teams will be subject to certification fatigue. Instead, automation enables you to maintain your security edge.

About NetIQ by OpenText

NetIQ provides security solutions that help organizations with workforce and consumer identity and access management at the enterprise scale. By providing secure access, effective governance, scalable automation, and actionable insight, OpenText customers can achieve greater confidence in their IT security posture across cloud, mobile, and data platforms.
Visit the NetIQ by OpenText page at www.cyberres.com/netiq to learn more. Watch video demos on our NetIQ Unplugged YouTube channel at www.youtube.com/c/NetIQUnplugged.
NetIQ is part of Cybersecurity, an OpenText line of business.

Connect with Us www.opentext.com

OpenText Cybersecurity provides comprehensive security solutions for companies and partners of all sizes. From prevention, detection and response to recovery, investigation and compliance, our unified end-to-end platform helps customers build cyber resilience via a holistic security portfolio. Powered by actionable insights from our real-time and contextual threat intelligence, OpenText Cybersecurity customers benefit from high efficacy products, a compliant experience and simplified security to help manage business risk.
762-000074-005 | O | 01/24 | © 2024 Open Text

References

Read User Manual Online (PDF format)

Loading......

Download This Manual (PDF format)

Download this manual  >>

opentext User Manuals

opentext IM Progressive Handovers Instructions
opentext
opentext ArcSight Intelligence with Microsoft Defender for Endpoint User Guide
opentext
opentext 16 Voltage Secure Data User Guide
opentext
OpenText 24677 Digital Friction Holds Back Today’s Business White Paper User Guide
opentext
OpenText Insurance Industry Insider Software User Guide
opentext
opentext TD4 Forensic Duplicator User Guide
opentext
opentext Tableau Forensic T6u SAS Bridge User Guide
opentext
opentext Intelligent Capture for SAP Solutions User Guide
opentext
opentext TD2u Tableau Forensic Duplicator User Guide
opentext
opentext EnCase Forensic Software User Guide
opentext
opentext TC2-8-R2 Tableau Forensic Universal Bridge User Guide
opentext
opentext Recon Investigations Software User Guide
opentext
opentext Core Case Management Software User Guide
opentext
opentext Tag Cyber Managed Detection and Response Software Instructions
opentext
opentext Tag Cyber Digital Forensics Law Enforcement Software Instructions
opentext
openText 25127 Core for SAP Success Factors User Guide
opentext
opentext Tableau Forensic T35u/T35u-RW SATA/IDE Bridge User Guide
opentext
opentext TX1 Tableau Forensic Imager User Guide
opentext
opentext T7U Tableau Forensic PCIe Bridge User Guide
opentext
opentext T8U Tableau Forensic USB Bridge User Guide
opentext

Related Manuals

8BitDo SN30 Pro Bluetooth Controller for Android Instruction Manual
8Bitdo
one LIGHT 67352 Lamp with Soft Brass User Manual
one LIGHT
NAKTO BIKE Folding OX Electric Bike User Manual
NAKTO BIKE
Acuity Brands 247CL LED Full Cutoff American Revolution LED Post-top Lantern Instruction Manual
Acuity Brands
PHCC DVSA-DF Pump Alternator System Instruction Manual
PHCC
SONY CFI-ZWA2 Play Station Link USB Adapter Instructions
Sony
Caiwei B0CGZ4M4JC Smart LED 4K Projector Daylight HDR WiFi Bluetooth User Guide
CAIWEI
SEVEN PS-435 Portable Speaker System with Bluetooth and FM Radio User Manual
SEVEN
AQUALUX AQL-400 Spike Spot Light Instruction Manual
AQUALUX
DIRECTV error code 764
DirecTV
Mei Zhou Jotenfe Electronic Technology DG2610 Dongle User Guide
Mei Zhou Jotenfe Electronic Technology
Lenovo TIO24Gen5 Desktop Monitor User Guide
Lenovo
BD SENSORS DX14-DMK 351 Pressure Transmitters User Manual
BD SENSORS
Jabra ELITE 10 Advanced Earbuds User Manual
Jabra
Togo POWER ADVANCE500 Portable Power Station User Manual
Togo POWER
Antari HZ-100 Haze Machine User Manual
Antari
SIKVIO R8 4K HD Spy Wireless Hidden Camera User Manual
SIKVIO
KLEIN TOOLS ET250 Digital AC-DC Voltage and Continuity Tester Instruction Manual
KLEIN TOOLS
COOKE LEWIS CLFSMW20LUKa 800W Freestanding Microwave Oven Instruction Manual
COOKE LEWIS
SENCOR SDB 5007T Receiver User Manual
SENCOR
APERA YD300 Portable Water Hardness Meter Instruction Manual
APERA
SDHQ-53-1160-G3 Windshield Wiper Bottle Relocation Instruction Manual
SDHQ
BRISTAN SAF ES BAS BLK Saffron Black Eco Start Basin Mixer Instruction Manual
BRISTAN
KARCHER CV 38-2 Vacuum Cleaner User Manual
Karcher
PHILIPS BR Series Essential Pendant Mount Large Instruction Manual
Philips
S R Smith River Run Slide Instruction Manual
S R Smith
MAKE NOISE Soundhack Spiratonr Monstrous Machine User Guide
MAKE NOISE
BEGA 50813.2 Recessed Ceiling Luminaire Instruction Manual
BEGA
fri-jado TDR 7 Programmable Gas Rotisserie Owner’s Manual
fri-jado
KWM_WMF_0001.01 Kult X 500 W Stainless Steel Juicer Instruction Manual
WMF
Contact Us   Privacy Policy   14.25ms