The Reconciliation Process: Add additional layer of security to your Identity Governance
Published by IDVKM on


Motivation
Implementing an Identity Governance solution is a very good way to manage the authorizations that users have in the target systems of an enterprise. Keeping the principles of least privilege and need to know in mind, we could assume that the authorization processes contribute to security, since we provision only those entitlements which the user currently needs.
Or can we assume that?
Unfortunately, not!
In practice, the ability of system administrators to add or remove entitlements manually, directly in the target system, can almost never be taken away.
So, what do we do to make sure such changes do not go unnoticed?
Reconciliation is the process of comparing the entitlements of a system from two perspectives:
- what should the state of entitlements be according to the Identity Management System
- what is the actual current state of entitlements in the target system
Before designing the reconciliation process, we must keep two very important rules in mind.
1. Single source of truth – In the whole IT ecosystem of an enterprise, for each piece of information there is only one IT system which contains the most up-to-date value, and all other IT systems must get this information directly or indirectly from it. For this particular piece of information, this IT system is called the Leading System.
2. Identity Management Systems are brokers of information and never a leading system.
As a simple example, take the first and last name of an employee. These are generally stored in the HR system, and all other systems should get this information from there. If a value changes (e.g. the family name changes because of marriage), we will have conflicting information for a short time: the HR system has the new value and some other systems still have the old one. Since the HR system is the leading system for this piece of information, the HR value must be propagated to the other systems (and especially to the Identity Management one).
Best practices
1. Flow of information. As mentioned before, we must be very clear about which data each IT system is the leading system for. In general, we can distinguish four cases:
- For the particular data, the IT system is a Leading System, and the data matches in both the Identity Management system and the IT system.
No action needed, correct behaviour.
- For the particular data, the IT system is a Leading System, and the data doesn’t match.
Here there are two possibilities:
Works as designed – The synchronization process has not yet run (depending on how often we synchronize with the system). After the next synchronization run, the data will match again.
Synchronization process not working – The synchronization process should have run, but the changes are not there. In this case the process might have an error and should be examined.
- For the particular data, the IT system is not a Leading System, and the data matches in both the Identity Management system and the IT system.
No action needed, correct behaviour.
- For the particular data, the IT system is not a Leading System, and the data doesn’t match.
Here there are three possibilities:
Works as designed – The synchronization process has not yet run (depending on how often we synchronize with the system). After the next synchronization run, the data will match again.
Synchronization process not working – The synchronization process should have run, but the changes are not there. In this case the process might have an error and should be examined.
There was a manual operation in the IT system which added or removed entitlements. This is a potential security incident and it should be investigated!
2. Frequency of the reconciliation period.
Here we have to make a trade-off between two factors:
- How often we synchronize with the IT system. It makes no sense to reconcile more often than we synchronize, because every change that is simply waiting for the next synchronization run would show up as a false positive.
- Criticality of the IT system. The more critical the system is, the more often reconciliation should take place. Be aware that this can lead to a customized, expensive process and to performance problems on both sides.
3. Criticality of the data itself.
It is not necessary to reconcile the whole dataset. We can select the more critical data (e.g. privileged roles) and reconcile it more often than the rest.
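The four cases from best practice 1, the "do not reconcile more often than you synchronize" rule from best practice 2 and the attribute selection from best practice 3 can be expressed as one decision procedure. The following is an added example written for this article, not code from any IGA product; it assumes a hypothetical SAP-like target (`sap-prod`) for which the target is the Leading System for `cost_center` and the Identity Management system is the leading system for `roles`, and it assumes that both the IdM audit log and the target's change log provide a timestamp for the last change of each value. All sample data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple

# Constructed data model for the example: each (user, attribute) maps to the set of
# values (entitlements, or a one-element set for a scalar attribute) and the time it
# last changed on that side. Timestamps are assumed to come from the IdM audit log
# and from the target system's change log respectively.
Key = Tuple[str, str]
State = Dict[Key, Tuple[FrozenSet[str], datetime]]
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)   # "never changed / never existed"


class Finding(str, Enum):
    MATCH = "match"                             # cases 1 and 3 in the text
    PENDING_SYNC = "pending_sync"               # works as designed: sync has not run yet
    SYNC_FAILURE = "sync_failure"               # sync should have run, change is missing
    POTENTIAL_INCIDENT = "potential_incident"   # manual operation in the target system


@dataclass(frozen=True)
class TargetSystem:
    name: str
    leading_for: FrozenSet[str]   # attributes this target is the Leading System for
    reconciled: FrozenSet[str]    # attributes critical enough to reconcile in this run
    last_sync: datetime           # end of the last successful synchronization run


@dataclass(frozen=True)
class Difference:
    user: str
    attribute: str
    expected: FrozenSet[str]
    actual: FrozenSet[str]
    finding: Finding


def classify(system: TargetSystem, attribute: str,
             expected: FrozenSet[str], expected_at: datetime,
             actual: FrozenSet[str], actual_at: datetime) -> Finding:
    """Decide which of the four cases one (user, attribute) pair falls into."""
    if expected == actual:
        return Finding.MATCH
    if attribute in system.leading_for:
        # The target owns this data; IdM must pick it up via synchronization.
        if actual_at > system.last_sync:
            return Finding.PENDING_SYNC        # change is younger than the last sync run
        return Finding.SYNC_FAILURE            # sync ran after the change and still missed it
    # IdM owns this data; the only legitimate writer in the target is the provisioning.
    if expected_at > actual_at:
        if expected_at > system.last_sync:
            return Finding.PENDING_SYNC        # IdM change not yet provisioned
        return Finding.SYNC_FAILURE            # should have been provisioned by now
    # The target was changed after IdM last set the desired state: nobody but an
    # administrator (or an attacker) could have done that.
    return Finding.POTENTIAL_INCIDENT


def reconcile(system: TargetSystem, idm: State, target: State) -> List[Difference]:
    """Compare desired state (IdM) with actual state (target) for all reconciled attributes."""
    results = []
    for user, attribute in sorted(set(idm) | set(target)):
        if attribute not in system.reconciled:
            continue   # criticality of the data: skip attributes outside this run's scope
        expected, expected_at = idm.get((user, attribute), (frozenset(), EPOCH))
        actual, actual_at = target.get((user, attribute), (frozenset(), EPOCH))
        finding = classify(system, attribute, expected, expected_at, actual, actual_at)
        results.append(Difference(user, attribute, expected, actual, finding))
    return results


def run_example() -> Dict[Key, Finding]:
    """Constructed sample run against the hypothetical sap-prod target."""
    def t(hh: int, mm: int) -> datetime:
        return datetime(2024, 3, 1, hh, mm, tzinfo=timezone.utc)

    sap = TargetSystem(name="sap-prod",
                       leading_for=frozenset({"cost_center"}),          # assumption for the example
                       reconciled=frozenset({"roles", "cost_center"}),  # display_name is not reconciled
                       last_sync=t(11, 0))
    idm: State = {
        ("alice", "roles"):        (frozenset({"FI_VIEW"}), t(8, 0)),
        ("bob", "roles"):          (frozenset({"FI_VIEW", "FI_POST"}), t(11, 30)),  # changed after sync
        ("carol", "roles"):        (frozenset({"HR_READ"}), t(9, 0)),               # changed before sync
        ("dave", "roles"):         (frozenset({"FI_VIEW"}), t(8, 0)),
        ("erin", "cost_center"):   (frozenset({"CC-100"}), t(7, 0)),
        ("frank", "cost_center"):  (frozenset({"CC-100"}), t(7, 0)),
        ("alice", "display_name"): (frozenset({"Alice Example"}), t(7, 0)),
    }
    target: State = {
        ("alice", "roles"):        (frozenset({"FI_VIEW"}), t(8, 5)),
        ("bob", "roles"):          (frozenset({"FI_VIEW"}), t(8, 0)),
        # carol has no account in the target yet
        ("dave", "roles"):         (frozenset({"FI_VIEW", "SAP_ALL"}), t(10, 30)),  # added by hand
        ("erin", "cost_center"):   (frozenset({"CC-200"}), t(11, 45)),              # changed after sync
        ("frank", "cost_center"):  (frozenset({"CC-300"}), t(9, 0)),                # changed before sync
        ("ghost", "roles"):        (frozenset({"FI_VIEW"}), t(10, 0)),              # account unknown to IdM
        ("alice", "display_name"): (frozenset({"A. Example"}), t(7, 30)),
    }
    return {(d.user, d.attribute): d.finding for d in reconcile(sap, idm, target)}


if __name__ == "__main__":
    for key, finding in run_example().items():
        print(f"{key[0]:6} {key[1]:12} {finding.value}")
```

Two design points are worth noting. A change that is younger than `last_sync` is never reported as an incident, which is exactly why reconciling more often than you synchronize only produces noise. And an entry that exists in the target but not in the IdM (the `ghost` account) lands in the `potential_incident` bucket for free, because the empty desired state with an epoch timestamp is always older than whatever created the account in the target.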
Check out also: The Mover Process – How to Transition Employees Smoothly
Conclusion
Modern IGA systems support synchronization and reconciliation very well. However, we must come up with a good strategy for each system in order to get maximal security with minimal effort.
Need advice to do that?
Contact us and we will help!