Nov 30, 2011

How do you intelligently determine the identity governance policies/procedures for a growing company?

As my company grows, identity governance has changed from something that I rarely thought about to something that consumes more and more time. The guy that always needed to have his password reset was worth a chuckle when I delt with a few dozen employees. Now that the number has multiplied, little things like that aren't so funny and they add up to a noticeable waste of time. What have people making the transition to larger size found to be a workable approach to identity governance? Our current approach of my manually managing all those identities is becoming less and less attractive.


The more employees, the more necessary identity automation becomes.  Depending on your industry, there may be regulations such as HIPAA or Sarbanes-Oxley that force you to have a roust identity governance policy in order to be in compliance.  So determining whether your business falls under these or other laws, and what the law requires for compliance would be my first step in creating an identity governance policy.  Beyond that, some of it is common sense whether automated or not, such as purging accounts of former employees.  Identity governance is an automated process of controlling and managing user access to company data, so it is more than just the issuance and recovery of lost passwords.  In the end, the central purpose is to track identity related items that represent a risk of financial loss or damage to your company reputation.  There are plenty of vendors that can provide identity management tools, and it would probably make your life easier.  You have to be confident that the correct people have access to the appropriate system, and all identities are properly assigned and controlled.  

Hi RomanZ,

Here's an interesting article about identity governance and the issues related to it. I wish I could definitely answer your question. Alas, it's a bit outside of my experience. I hope you find the article useful though.

How identity governance solves the compliance challenges left by provisioning technology

There is also an interesting article on identity management systems on Wikipedia that you might find useful.

Identity management system

Answer this