Adding Value to Identity & Access Governance

Technologies to automate Identity Management (IDM), Access Request Management (ARM), Identity & Access Governance (AG), or access review and certification as it’s known in plain English, have been around for years, yet still have not been able to address user access risk in real-time.  Why you ask?  Let’s start with defining the data used to make decisions in these systems.

Functional Anatomy of IAM – Gartner Research

IAM can be viewed as a set of complex functions that handle or consume four kinds of data: identity, entitlement, contextual and activity.

• Identity data describes users’ digital identities, their electronic representations (accounts or profiles) within one or many systems
• Entitlement data describes entitlements (permissions and so on), expressions of the ways that users are allowed to interact with resources
• Contextual data provides information about the environment: endpoint devices, locations, date and time, history, threat levels, and so on
• Activity data is generated by successful and failed log-in and access attempts as well as by changes to identity and entitlement data

The reason why IDM, ARM & AG are not able to deal with access risk in real-time is not due to a lack of data.  It’s due rather to a lack of correlation and context – the ability to look across all data sources, in aggregate, with a set of risk rules that can easily identify policy violations and misuse of access privileges in real-time.

Identity management can’t address this issue because it’s reliant on the creation of user defined roles.  It is impossible to reconcile between enterprise roles, application roles, process roles, sub roles, temporary roles, and the use of Microsoft Active Director groups in order to determine if access is too risky. The degree of complexity to standardize access entitlements across these different role types is also way too complex.  Roles were never designed to achieve this objective.  Application roles are not enterprise roles, enterprise roles don’t understand process roles because they can’t understand application processing logic.  Roles were just a way to simplify and streamline the process for granting access requests in a user provisioning system.

According to Osterman Research, approximately 5% of users in Active Directory are no longer employed by the organization, and IT departments usually take nine days to de-provision users once they have left an organization. This creates the danger that “orphaned” user accounts can be accessing sensitive data inappropriately.  Waiting to run access governance processes on a semi-periodic basis for review and certification cycle is not timely enough, and is typically done only to identify segregation duties violations and not to detect anomalous/erroneous access or misuse of access privileges.  Furthermore, achieving a process for closed-loop remediation during access certification isn’t automated across all applications.

Privilege User Access Risk Detection Methods

Ponemon Institute Research

Continuous access activity monitoring and advanced security analytics that can standardize and normalize all sources of access data is the most effective real-time access risk control for an enterprise today.  But this is not done at the expense of all the identity management, access provisioning and certification technology investments that many organizations have made with a rip and replace approach.  A continuous access monitoring and user behavior analytics solution will compliment and integrate with these technologies by being the monitoring and analytics hub that aggregates and normalizes all access data sources (roles, policies, transactions and activities), put that data in context (analysis of the data against rules/policies, conditions, variables and specific type of events/transactions) to make access risk actionable and automated across all these systems.

Pathlock Technologies is a pioneer and the market leader in being able to not only correlate, normalize and analyze all access data sources but also provide the integration to automate processes related to role assignment/entitlement change, kick off workflows in provisioning systems or risk remediation actions in access governance systems or make access changes directly within applications that are not connected to these systems. Click here to learn more.