What are the goals of an Access Consolidation Program?
Without goals your program cannot succeed.
How do you measure success in Access Consolidation?
There are many stated motivations for starting an Access Consolidation Project (sometimes referred to as an RBAC, ABAC, or FGA program, see our previous blog post titled "What is an Access Consolidation Program?" for more details) ranging from a desire to reduce the number of access requests, certification items, certification rubber stamping or simply meeting a higher level of maturity in an IAM implementation. Regardless of those stated objectives they're all achieved by crafting Access Consolidation Items that balance a number of sometimes contradictory objectives.
The value of any set of Access Consolidation items is generated by the amount of access it covers. Each piece of access covered is an item that doesn't need to be manually requested or certified on an identity-by-identity basis. To maximize the value of an Access Consolidation Program the items it produces should cover as many people as possible and as much of their access as possible.
Access Consolidation Items have maintenance costs. They need to be reviewed regularly and updated to align with changes to the access needs of the populations they serve and the toolsets that they use. This imposes a cost on the organizations that implement them that will endure as long as they're maintained. In order to make sure that the organization doesn't bear an unnecessary cost the coverage should be implemented in as few Access Consolidation items as possible. This may require an organization to make tradeoffs in terms of coverage, if a single role can cover 99% of the access that ten roles can cover, it's probably worth only building the single role.
The other cost of an Access Consolidation Program is the time it takes to implement it. The faster that Access Control Items can be created the less the effort will ultimately cost. We'll do a deeper dive into preparations that can be undertaken in advance of an Access Consolidation Program in a future post but broadly speaking the best ways to accomplish this are to align stakeholders within the organization on the need for an Access Consolidation Project, improve the data quality of the access items, specifically names and descriptions and finally reduce noise in the set of access data by conducting user access reviews prior to the start of an Access Consolidation Program.
The final objective that must be balanced with the above is that the Access Consolidation Program cannot undermine existing security and governance objectives. Access that was reviewed before on individual identities will still need to be reviewed as the composition of a role, FGA or ABAC assignment rule, whichever form that Access Consolidation Items take. The creation of the Access Consolidation Items will likewise need to be reviewed and approved by the same stakeholders that provide oversight of individuals access request and certifications.
Balancing these at times opposed objectives in order to achieve optimal outcomes requires a skillset and toolset that comes from the experience of leading multiple Access Consolidation Program. At Thornton Data Solutions we've lead over 25 (and counting) Access Consolidation Projects across industry verticals such as Banking, Healthcare, Insurance, Retail and Industrial. If your organization is ready to take the next step and reduce the costs of its IAM operations reach out to us to schedule a no cost initial consultation to figure out if an Access Consolidation Program is right for you.
