What is access governance?

63% of organizations don’t have visibility into the level of access and permissions their users have to critical systems. Too many organizations aren’t implementing and enforcing access policies to their most critical assets, like systems, data, networks, infrastructure, and operational technology. Too many companies experience data breaches because they mismanage user access. And too many businesses don’t have insight into who can access their company’s valuable assets and how that access is being used.  There are a variety of policies, strategies, and software programs an organization can implement to better secure critical access and assets. A major one? Access governance.

Access governance best practices

Implementing access governance is more complicated than just stating that critical assets and access points are safe. By utilizing a few best practices (and softwares) an organization can start to build out strong access governance and strong critical access management.

1. Apply the principle of least privilege when defining access policies

In order for access governance implementation to work, there needs to be clear and defined access policies. Access policies are the rules that say who should have access to what and what privileges users should have when accessing an asset. As an access governance best practice, policies should align with least privilege access, meaning users only have the minimum access needed to do their job. Access governance ensures that only those who are permitted access will be granted access to a critical asset. These access policies are a framework, a standard, and a best-case scenario for what assets a user should have access to as part of their job. When put under the umbrella of critical access, these policies must be heavily enforced -- no loopholes or secret passageways into those access points. Whether that access is limited by job role, time, or a variety of other factors, following the least privilege principle will create strong access governance and robust access policies.

2. Create close linkage between HR data and access rights

HR systems are inherently equipped to help an organization define access rights and implement access governance, because they already track job responsibility, function, and changes to employment status. HR systems can set up access by a given job role, and often, have the ability to provision and de-provision access when a given role changes. In addition, these systems have all the data needed for fine-grained access controls. This allows an organization to define access rights by key points in a job cycle -- hiring, termination, promotion, etc. -- therefore building an automatic fail-safe within an access policy.  However, HR systems cannot help when it comes to third-parties. Investing in a bespoke system for managing the identities and access of third parties is a best practice for implementing full access governance, as third parties are often high risk. 

3. Regular user access reviews

Think of user access reviews as double-checking your work. You know who has access to what based on the access controls previously set, but are those access controls still in place? Have users been properly de-provisioned or is access creep becoming an inside threat? Access reviews are the process of reviewing all identities' access rights and ensuring the concept of least privilege is being adhered to. Another way to think of an access review is as a process to identify gaps between an access policy and access rights, and ensure those gaps are legitimate and still required. Conducting regular access reviews -- especially for those critical assets and access points -- is an access governance best practice that helps ensure that any access policies and controls are working the way an organization intended. Access reviews are especially important when dealing with third parties, whose data and user access will not be a part of an organization’s internal HR systems. Access governance implementation is just one part of critical access management, but it’s a crucial starting point. Learn more about access governance with our Critical Access Management ebook.