The IAM Gap - Part 2
In my last blog, I discussed how Identity & Access Management technologies help organizations ensure that the right people have the right access to the right resources, and are doing the right things with that access. To date, vendors have helped customers “get it right at the start” and “verify it later and fix it.”
Access Request and Provisioning enable customers to connect the assignment of appropriate access rights directly to the business actions which drive the need to create, modify or delete those access rights. Access Certification enables customers to identify later if access rights are misaligned with policy or regulations – which then can be fixed.
But there is a gap here. A huge gap. Certification cycles are typically run in 3, 6 or 12 month intervals. Why? Because that’s when auditors check on it. And because business people will not tolerate a daily, weekly or maybe even a monthly access certification review. And during that time between the provisioning action and the periodic access review, there are powerful business, technical, and human forces pushing against that alignment.
People work around the system. People make mistakes. Managers, unclear what they are attesting to, rubber-stamp certification. Changes to the technology infrastructure result in a ripple effect of unintended and unknown access consequences (like nesting Active Directory groups). Credentials are compromised. The business changes in ways not expected by the provisioning system. And yes, bad people, inside and outside of your organization, try to penetrate and exploit the infrastructure.
This puts the organization at great – and unknown – risk every day. This gap needs to be filled because, when it comes to access risk, ignorance is not bliss. Filling this gap will ensure that businesses don’t have to wait for the review cycle to fix problems – long after the negative consequences are felt.
Initial attempts to address the IAM Gap have been crude and ineffective. Regardless of how pretty the knobs, dials and speedometers look on the dashboard, showing which user has access to what application or entitlement does not illustrate risk. Risk to an asset, or of a user, is dependent on the interaction of all elements of access:
- Who the people are and what they are responsible for (Identity Context)
- What the business policies and regulations are (Policy)
- What access rights those people have (Rights)
- What type of resource they are trying to access (Resource Context)
- And what they are actually doing with their access (Activity)
Consider this – just one, two or three of these elements give an incomplete and, at times, inaccurate view of risk. If a marketing executive has access to a file share at corporate headquarters, is that high risk? Okay, let’s start layering in more information:
- What if we know that half of the finance department also has access to that file share? (Well, they could be on the Investor Relations team and need that access)
- What if we know more context about the resource…that there are credit card numbers on that file share? (OK, now we might see a bit more risk…but they could be on the eCommerce Oversight committee)
- What if we know their activity – that a user accessed and copied a much larger batch of information from this file share than they ever have before…in the middle of the night? (OK, now I’m getting very concerned)
Hand-coding some of this information – such as the “risk level” of an application – in an attempt to incorporate the other elements of access creates a false sense of security at best, and a dangerous delusion at worst. An application that has been hand-coded with a risk level would retain that risk level – even if an administrator nested an Active Directory group containing thousands of members into the primary group that was used to authorize access to that application. But the risk would have changed, wouldn’t it?
Customers need a dynamic and real-time system to bring together all elements of access – Identity Context, Policy, Rights, Resource Context and Activity – to enable customers to:
- Identify and evaluate risk, as all of those elements change
- Dig deep into the analytics to understand what is actually driving the risk so they can drive immediate remediation
- Understand the trending of risk over time
- Predict future areas of risk to fix the fundamental business process issue and not just the symptom
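To make the argument of the last two sections concrete, here is an added example (not code from the original post or from any vendor product) of a risk evaluation that combines all five elements and is recomputed from current data rather than stored as a static label. The users, groups, file share, policy table, activity log and scoring weights are all constructed for illustration; the point is that nesting a large group into the share's access group, or an unusual night-time bulk copy, changes the computed risk immediately, while a hand-coded "risk level" on the share would not move at all.

```python
from datetime import datetime

# ---- Constructed sample data (assumptions, not from the post) ----
USERS = {  # Identity Context
    "alice": {"dept": "marketing"},
    "bob": {"dept": "finance"},
    "carol": {"dept": "engineering"},
    "dave": {"dept": "engineering"},
}
RESOURCES = {  # Resource Context: the HQ share holds card data
    "hq-share": {"sensitivity": "pci", "access_group": "hq-share-readers"},
}
POLICY = {  # Policy: departments allowed to touch each sensitivity class
    "pci": {"finance", "ecommerce-oversight"},
    "internal": {"marketing", "finance", "engineering"},
}
GROUPS = {  # Rights: directory groups; a member may itself be a group
    "hq-share-readers": {"alice", "bob"},
    "all-staff": {"alice", "bob", "carol", "dave"},
}
ACTIVITY = [  # Activity: constructed audit events for the share
    {"user": "alice", "resource": "hq-share", "ts": "2024-03-01T10:12:00", "bytes": 2_000_000},
    {"user": "alice", "resource": "hq-share", "ts": "2024-03-02T11:30:00", "bytes": 1_500_000},
    {"user": "alice", "resource": "hq-share", "ts": "2024-03-08T02:47:00", "bytes": 90_000_000},
]
WEIGHTS = {  # illustrative weights, an assumption of this example
    "sensitive_resource": 40, "policy_violation": 30, "nested_only_access": 10,
    "volume_anomaly": 20, "off_hours": 10,
}


def effective_members(groups, group, seen=None):
    """Expand nested group membership transitively; tolerates cycles."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    members = set()
    for m in groups.get(group, ()):
        if m in groups:
            members |= effective_members(groups, m, seen)
        else:
            members.add(m)
    return members


def access_path(groups, group, user):
    """How the user reaches the group: 'direct', 'nested', or None."""
    direct = {m for m in groups.get(group, ()) if m not in groups}
    if user in direct:
        return "direct"
    if user in effective_members(groups, group):
        return "nested"
    return None


def activity_flags(events):
    """Compare the latest event against the user's own prior baseline."""
    if not events:
        return set()
    evs = sorted(events, key=lambda e: e["ts"])
    latest, history = evs[-1], evs[:-1]
    flags = set()
    hour = datetime.fromisoformat(latest["ts"]).hour
    if hour < 6 or hour >= 22:  # outside a constructed 06:00-22:00 working window
        flags.add("off_hours")
    if history:
        baseline = sum(e["bytes"] for e in history) / len(history)
        if latest["bytes"] > 5 * baseline:  # 5x threshold is an assumption
            flags.add("volume_anomaly")
    return flags


def score(user, resource, groups, activity=ACTIVITY):
    """Risk of one user on one resource, with the reasons that drive it."""
    res = RESOURCES[resource]
    path = access_path(groups, res["access_group"], user)
    if path is None:
        return {"score": 0, "reasons": []}
    reasons = []
    if res["sensitivity"] != "internal":
        reasons.append("sensitive_resource")
    if USERS[user]["dept"] not in POLICY[res["sensitivity"]]:
        reasons.append("policy_violation")
    if path == "nested":  # access granted by a nesting nobody certified
        reasons.append("nested_only_access")
    evs = [e for e in activity if e["user"] == user and e["resource"] == resource]
    reasons.extend(sorted(activity_flags(evs)))
    return {"score": sum(WEIGHTS[r] for r in reasons), "reasons": reasons}


def resource_risk(resource, groups):
    """Aggregate over everyone with effective access: what a dashboard should show."""
    group = RESOURCES[resource]["access_group"]
    return sum(score(u, resource, groups)["score"] for u in effective_members(groups, group))


def demo():
    """Risk of hq-share before and after an admin nests all-staff into its access group."""
    before = {g: set(m) for g, m in GROUPS.items()}
    after = {g: set(m) for g, m in GROUPS.items()}
    after["hq-share-readers"].add("all-staff")
    return resource_risk("hq-share", before), resource_risk("hq-share", after)


if __name__ == "__main__":
    print(score("alice", "hq-share", GROUPS))
    print("hq-share risk before/after nesting:", demo())
```

Alice's score is driven by the same layering the post walks through: a PCI share, a department the policy does not cover, and a night-time copy fifty times her usual volume. The nesting example shows why a stored label fails: carol and dave never appear in the group an approver would have certified, yet each now carries a policy violation against card data, and the resource total more than doubles without any provisioning request ever being raised.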
And they need to see this every day. And they can... every day. This is the promise of Identity & Access Intelligence.