1 Introduction
Access Governance & Intelligence is a risk management discipline for IAM. It supports business involvement in the overall management of access rights across an organization’s IT environment. Access governance provides the tools businesses need to manage workflows and access entitlements, run reports and access certification campaigns, and perform SoD checks, thereby fulfilling their security and compliance tasks. Access intelligence is the layer above access governance that offers business-related insights to support effective decision-making and, potentially, to enhance access governance itself. Data analytics and machine learning techniques enable pattern recognition that delivers valuable intelligence for process optimization, role design, automated reviews, and anomaly detection.
Access governance concerns the access mechanisms and their relationships across IT systems and is therefore instrumental in monitoring and mitigating access-related risks. These risks most commonly include information theft and identity fraud through unauthorized changes to, or subversion of, IT systems to facilitate illegal actions. During the last few years, many prominent security incidents have originated from poorly managed identities, proving the need to address these issues across all industry verticals. Data theft, loss of PII (Personally Identifiable Information), breaches of customer privacy, and industrial espionage are common security risks in virtually every industry today.
Current compliance challenges stem from the many different regulations in force, with new measures added and updated regularly. Each regulation requires reporting in its own form. The policies dictate various factors, such as what data will be audited, the type of enterprise being audited, and the stakeholders involved in creating applications, making it a challenge to define linear, end-to-end audit policies.
Access governance can help reduce IAM risks by providing answers to three key questions which are crucial for regulatory compliance:
- Who has access to what?
- Who has accessed what and why?
- Who has granted that access?
That is done via a set of functionalities, which include the following areas:
- Access warehouses: Collecting current and previous access information from different systems. The collection can be done via direct or extensible connectors using established standards such as HTTP or web services. Provisioning connectors or flat file imports are commonly used for this purpose.
- Access certification: Requiring the responsible persons (such as resource owners or application managers) to do scheduled or ad-hoc reviews of the current status of access controls and request changes if required.
- Access analytics and intelligence: Analytical capabilities to facilitate business-friendly understanding of the current status of access controls, sometimes complemented by adding real-time monitoring information about access to IT assets.
- Access risk management: Using a risk-based approach to evaluate and assign risk scores for access requests and invoking relevant access workflows and notifications based on configured policies.
- Access request management: Providing interfaces to request access to specific information or systems including workflow policy configurations to define and manage request flows.
- Separation of Duty (SoD) controls and enforcement: Definition and enforcement of business rules to identify and prevent SoD risks.
- Enterprise role management: Role management delivers capabilities for managing access entitlements by grouping them based on relevant access patterns to improve administrative efficiency. Roles can be defined at several levels, the most common being the people, resource, and application levels. Access patterns suitable for logically grouping entitlements can be derived using the role mining capabilities that IGA tools deliver as part of role management. Role governance, a critical capability within broader Access Governance, encompasses basic role management as part of overall role lifecycle management.
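To make the access warehouse, SoD control, and role mining functions above concrete, the following is an added illustration written for this page; it is not code from the report, from Eviden, or from DirX Audit. It builds a constructed, in-memory access warehouse (one row per user, system, entitlement, and grantor; all names are hypothetical), answers "who has access to what" and "who granted that access" from it, detects toxic entitlement combinations against a constructed SoD rule set, and performs a deliberately naive form of role mining by grouping entitlements that are held by exactly the same population of users. "Who has accessed what and why" needs activity logs rather than a warehouse of grants and is therefore not covered here.

```python
"""Toy access warehouse with SoD conflict detection and naive role mining.

Added example for this page, not part of the report or of any vendor product.
All users, systems, entitlements, and rules below are constructed.
"""
from collections import defaultdict

# Constructed access warehouse: (user, system, entitlement, granted_by)
ACCESS_WAREHOUSE = [
    ("alice", "ERP", "create_vendor", "bob"),
    ("alice", "ERP", "approve_payment", "bob"),
    ("carol", "ERP", "create_vendor", "bob"),
    ("carol", "ERP", "post_invoice", "dave"),
    ("dave", "ERP", "approve_payment", "erin"),
    ("erin", "HR", "edit_salary", "frank"),
    ("erin", "HR", "approve_salary", "frank"),
    ("alice", "HR", "view_directory", "frank"),
    ("carol", "HR", "view_directory", "frank"),
    ("dave", "HR", "view_directory", "frank"),
    ("alice", "HR", "view_org_chart", "frank"),
    ("carol", "HR", "view_org_chart", "frank"),
    ("dave", "HR", "view_org_chart", "frank"),
]

# Constructed SoD policy: (system, entitlement_a, entitlement_b, severity).
# A single person holding both entitlements in one system is a violation.
SOD_RULES = [
    ("ERP", "create_vendor", "approve_payment", "high"),
    ("ERP", "post_invoice", "approve_payment", "medium"),
    ("HR", "edit_salary", "approve_salary", "high"),
]


def who_has_what(warehouse):
    """'Who has access to what?' -> {user: {(system, entitlement), ...}}."""
    index = defaultdict(set)
    for user, system, entitlement, _grantor in warehouse:
        index[user].add((system, entitlement))
    return dict(index)


def who_granted(warehouse, user, system, entitlement):
    """'Who has granted that access?' -> grantor, or None if no such grant."""
    for row_user, row_system, row_ent, grantor in warehouse:
        if (row_user, row_system, row_ent) == (user, system, entitlement):
            return grantor
    return None


def sod_violations(warehouse, rules):
    """Return sorted (user, system, ent_a, ent_b, severity) for every rule a user breaks."""
    holdings = who_has_what(warehouse)
    found = []
    for user, entitlements in holdings.items():
        for system, ent_a, ent_b, severity in rules:
            if (system, ent_a) in entitlements and (system, ent_b) in entitlements:
                found.append((user, system, ent_a, ent_b, severity))
    return sorted(found)


def mine_candidate_roles(warehouse, min_users=2, min_entitlements=2):
    """Naive role mining: entitlement sets held by exactly the same users.

    A candidate role is a group of at least min_entitlements entitlements whose
    holder population is identical and contains at least min_users users.
    Returns {frozenset(users): {(system, entitlement), ...}}.
    """
    holders = defaultdict(set)  # (system, entitlement) -> set of users
    for user, entitlements in who_has_what(warehouse).items():
        for entitlement in entitlements:
            holders[entitlement].add(user)
    by_population = defaultdict(set)  # frozenset(users) -> entitlements
    for entitlement, users in holders.items():
        if len(users) >= min_users:
            by_population[frozenset(users)].add(entitlement)
    return {
        users: ents for users, ents in by_population.items()
        if len(ents) >= min_entitlements
    }


if __name__ == "__main__":
    for violation in sod_violations(ACCESS_WAREHOUSE, SOD_RULES):
        print("SoD violation:", violation)
    for users, ents in mine_candidate_roles(ACCESS_WAREHOUSE).items():
        print("Candidate role for", sorted(users), "->", sorted(ents))
```

In this constructed data, alice and erin each hold a toxic pair, carol holds create_vendor and post_invoice but not approve_payment and so is clean, and the three HR read-only entitlements shared by alice, carol, and dave surface as one candidate role; a real role mining engine would add tolerance for partial overlap and tie each candidate to an owner for certification, which is exactly the role governance step the list above describes.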
Access governance is a key IAM technology for any organization due to the massive impact of potential security risks arising from the lack of proper access governance controls such as role management, auditing and analysis, access request management, and access recertification. There are several access-related security risks in today’s organizations that have a direct impact on business, including but not limited to, intellectual property theft, unauthorized access, occupational fraud in Enterprise Resource Planning (ERP) systems including SoD conflicts and other policy violations, reputational damage due to the loss of customer information and privacy-related data, and many more. Thus, an adequate access governance framework is essential for organizations dealing with continually changing paradigms of security and risk management.
Access governance products focus on implementing and governing the controls for access management. This includes controls for attestation and recertification processes as well as auditing, reporting, and monitoring capabilities, which, in turn, invoke active management of preventive controls to identify and mitigate the access risks. Additional aspects are data analytics for pattern recognition to drive process automation, effective role management, anomaly detection, and access simulation as part of access intelligence capabilities.
In this Executive View report, we look at Eviden DirX Audit, which is a solution targeting specifically the field of access analytics and intelligence, with other capabilities such as enterprise role management and SoD controls, which are provided by Eviden DirX Identity.