As organizations adopt a cloud-first strategy, an agile delivery model or ineffective Identity Governance can lead to excessive access. Unfettered access to the ‘keys to the kingdom’ can be disastrous, and applications are rarely designed with least-privilege principles. Advanced analytics are required to address complex security risks, like a large attack surface area via the Internet-of-Everything and the blurring of company firewalls from digital processes crossing internal and external domains.
To tackle such grueling challenges, this article proposes an Identity and Access Intelligence (IAI)-based solution constructed from the foundation of a multi-dimensional risk model.
Identity and Access Intelligence (IAI)
Identity Governance has historically focused on answering the question: “Who has access to what?” But in an era when identity is the new attack vector, it is not enough to simply know who has access to what. Organizations must also ask “What are they doing with it?”
IAI is the discipline that applies logic and science to identity and access data for providing insights to make better IAM decisions. It combines data and advanced analytics to increase identity-related risk awareness and to enhance IAM processes, such as access certification, access request and role management. Ideally, enterprises need IAI empowered features that deliver intelligent, interactive and actionable analytics so that IAM administrators can not only optimize IAM processes, but quickly identify risks, determine the origin of the risk, remove inappropriate privileges, and remediate access control policies as appropriate.
Incorporating Risk-Based Intelligence in IAM
In traditional IGA systems, there is no concept of “risk awareness” to improve the effectiveness of identity-related business processes. IAM systems should be designed on the strong principles of IAI, and enable adoption of a multi-dimensional risk model and data-driven analytics. This would help yielding following benefits:
- Improved risk awareness: display risk scores and highlight high-risk entitlements. Allow reviewers to drill down to understand the cause of the elevated risk score.
- Identifying user accounts that are inactive or entitlements that are unused: highlight dormant orphans so reviewers can determine if the access is truly necessary.
- Reduced volume of certifications: require reviewers to certify only high-risk entitlements. Discover rogue and outlier access: allow reviewers to compare users to other members of the user’s peer group. Highlight outlier, excessive or rogue access so that the reviewer can clearly identify users who are acting outside the norm for their peer group.
- Increased revocation rates: implement a more risk-aware access certification process, reviewers are much more likely to remove or alter excessive or unnecessary access. An increased number of access revocation rates results in reduced risk and improved security.
- Certification streamlining: Line of business organizations are simply overwhelmed by the number of certifications. To address this concern, there is a movement toward micro-certifications or continuous access certifications.
Multi-Dimensional Risk Modeling
As risk awareness has become a focus for IAM teams, risk scoring and evaluation has taken center stage. IAI tools should expand risk scoring functionality to include not only static and inherent risks assigned to an account or resource, but also dynamic risk scores that are derived from usage, behavioral analytics, peer group analysis and risk information gathered from an external system, such as data sensitivity reported by a DLP tool or information reported from a vulnerability management system.
Sophisticated risk modeling functionality should allow organizations to define risk scores, risk calculations, and risk thresholds. The risk model should be flexible and allow for both simple risk assignments (e.g. static entitlements with high, medium, and low thresholds) and sophisticated modeling (e.g. dynamic risk calculation with fine-grained thresholds).
A risk modeling framework should support:
- Different factors are identified which would contribute to the overall risk score of a user (e.g. factors → privileged access through roles), certification history, and/or access approved despite SoD violations.
- An enterprise consuming this model should be allowed to customize it – add/remove a factor and alter the weight/age, to influence the final risk score calculation.
Risk scoring should support:
- Application entitlements that a user has access to (i.e. risk scoring is increased if access was revoked previously and provided again). The entitlement or application owners would assign the scores to respective entitlements during enrichment exercise, which could also be carried out during entitlement ownership claim. They would use a slider on UI to define a point of a risk score for the entitlement.
Factors Influencing Risk Score
Based on my experience working with over 100 enterprises securing cloud applications and on-premise IT infrastructure, the following is a comprehensive list of accumulating factors that can be considered relevant for influencing the risk score of users:
- Application accounts/entitlements/roles that users are assigned
- Outlier access analysis (i.e. access outside of the peer group) or excessive access
- Privileged account or role associated with the user and usage
- Account/entitlement Usage information (dormant or inactive access)
- Access certification history and incomplete revocations
- Segregation of Duty (SOD) violations
- Compliance related (PII/PCI/HIPAA) violations
- Integration with User and Entity Behavior Analytics (UEBA) engine
- Integration with SSO or Multi-Factor Authentication (MFA) solution
- Integration with Mobile Device Management (MDM) and Internet of Things (IoT) systems
- Integration with Identity Assurance or other third-party systems – Consumer Identity and Access Management (CIAM) systems encourage the use of external users registering themselves to an extranet portal, but their Identities need to be passed on to Identity Assurance providers for advanced verification purposes. Also in US Federal Govt agencies and universities, all users go through repeated checks (automated through web service-based integrations) with disparate systems to check for completion of essential training and certifications. Information retrieved from all such systems can be leveraged effectively to influence risk score for relevant users.
How to get started?
Saviynt offers a comprehensive IAI capabilities built into our IGA 2.0 platform. However, if you have an existing IDM deployment, it is possible to add the layer of intelligence without ripping and replacing the plumbing. If you need more information, feel free to reach out to me at firstname.lastname@example.org.