# Dormant Access Lifecycle Management

Published 2017-05-05. Source: https://www.lastmile.id/confluxsys/blog/dormant-access-lifecycle-management/

Dormant access is a user access (account/entitlement assignment) that has not been used for a certain period of time. The period after which an access is termed "dormant" may differ from one application or entitlement to another.

Organizations typically attempt to govern dormant access by conducting access certifications without any usage context. The process becomes expensive and less effective: rubber stamping, limited context for decision making, time consumption, etc. This is also one of the common audit findings.

For the business, it seems to be a simple problem: why can't automation detect, remediate, or at minimum provide some context around access usage during certification?

There is a need to extract, collect and apply identity governance processes to the **time-of-use** of an account and/or entitlement assignment. For the technology team, integration is the challenge, especially when there is no standard way to collect "time of use" data from the application.

**Extraction and Collection**: In most cases, extraction of time-of-use data is application specific; the information may be extracted from one of the following components:

- Application's Resource Manager (Policy Enforcement Point, PEP): the component that intercepts the user's access and enforces the application security policy by querying the authorization server/component.
- Authorization Server: provides authorization decisions based on the application's access control model and policies.
- Application's transaction audit data: the component that audits actions (business functions) performed by a user on an application resource; an audited transaction can be mapped to an entitlement assignment.
- Application logs

**Applying Dormant Access Policy**

> The Confluxsys Identity Analytics solution integrates with SIM to collect time-of-use data and provides a framework to apply the organization's dormant access policy to applications onboarded into the Identity Governance platform.

With no additional development, an Identity Management Administrator can configure the policy on an existing or newly onboarded application in the Identity Governance Platform. Policy can be configured per application or for applications matching certain criteria.

The solution supports various actions based on the dormancy rules defined in the policy, such as:

- Initiating "self certification" for the beneficiary to justify the continuity of dormant access.
- Notification
- Automated revocation or disabling of the account

Having the *right* process and infrastructure to manage the dormant access lifecycle will reduce Identity Governance operational costs and improve the security posture of the organization. Organizations may implement it in a phased manner, prioritized by application risk level, with different levels of integration: account and/or entitlement assignment.