Are your access controls giving you a false sense of security? Access governance is designed to mitigate risk, but all too often the static controls that many organizations use come up short.
This blog dives into the emerging field of Identity Access Intelligence (IAI) that helps organizations move to an entirely new level of insight and control:
Defining Access Intelligence
If you think about access governance, in its purest form, it is about risk mitigation. This risk may take the form of strategic risks like loss of intellectual property, product blueprints to competitors, financial risks related to fraudulent transactions from within or outside the firewall, or risks from the loss of privacy-related data.
While organizations tend to respond to these risks with increasingly better access controls, these controls often tend to be static in nature. An example of this is access certification toolsets that show you the list of users and their access, and ask you to attest whether that access is correct. But without proper due diligence, this type of rubber-stamping can lead to a false sense of security.
The emerging field of Identity Access Intelligence (IAI) helps organizations mitigate these security threats and risks. IAI is an interesting marriage of the Identity and Access Governance (IAG), Security Information and Event Management (SIEM), and Data Loss Prevention (DLP) fields, offering improved business intelligence and advanced analytics capabilities.
In today’s world of increasingly ubiquitous and pervasive networked computing devices, accelerated by the rapid adoption of bring-your-own-device (BYOD) policies, the volume of security risk exposures has grown tremendously. The definition of an end-point, which was initially limited to desktops, has expanded to include virtual workstations, mobile devices and a growing number of B2B and B2C applications. As a result, many organizations are looking at broadening the scope of their IAM toolsets to harden defenses in order to contain these growing threats and effectively act on exposures.
IAI enables companies to identify where the hardening can be most effective, to recognize threats (both potential and actual incidents), and to respond effectively through real-time alerts and enforcement.
This requires the ability to distinguish between malicious and non-malicious threats, and acceptable versus unacceptable risks.
Detecting Anomalies
These analytics can help organizations understand where entitlements need to be refined for further strengthening of defenses by exposing where static entitlements only provide partially effective security controls. For example, a bank manager may be given the permission to temporarily enter transactions for an off-duty employee, but can you tell if he is violating that privilege? The task for IAI is to define normal behavior in the context of an identity and entitlements in order to determine when something is out of the norm.
Often the challenge with IAI is that the identity context is not rich enough to make this determination. Most applications are unable to enforce access constraints. For example, it may be appropriate for a user to have sensitive access, but under what conditions? Is it appropriate to enable the same level of access from a public Wi-Fi hotspot?
Gaining this type of intelligence requires collecting activity data and correlating it to the identity and roles of individuals. More data makes for a larger sample and helps reduce false positives. But more data also makes it significantly more challenging for organizations to harvest, store and manage.
Improving Identity Governance Controls
Access governance and intelligence vendors are using this data to add multiple dimensions and color to already-existing IAM controls such as Role Mining and Certifications by providing context around the identity. They show what users are doing with their access and identify abnormal behavior.
Maintaining this data over time helps to identify trends and changes in accepted behavior, and further enables risk profiling, which results in faster detection of anomalies.
These new tools help prioritize anomalies in access that had previously been undiscoverable – for example: the user is accessing the bank from an unusual place or time; the user is accessing features not typically used or in a suspicious sequence; the user is making far too many transactions to be considered normal behavior; or the user is changing the list of approvers or transaction limits.
Equally important is access review or access certifications of “ghost” accounts, which are typically reserved for system usage. These are not the same as “orphan” accounts because organizations are aware of these accounts and keep them active for system maintenance or emergency use. But when are these accounts being used? There is a hidden risk from exposure within the organization and from outside malicious users who discover such unmanaged privileged accounts.
Monitoring User Activity
Most traditional enterprise applications pose a significant challenge because the user identity often stops at the point of entry. After the initial authentication or authorization transaction, data may be retrieved or transmitted from one component of the application to another by implicit trust of the components working with each other – without linking that trust to the identity of the person conducting the transaction. Malicious users take advantage of this trust and exploit a vulnerable component of the application stack using application or system IDs. Here, IAI can be useful to identify transactions that might not be considered “normal behavior.”
FFIEC guidelines require organizations that allow access to high-risk online transactions to provide multiple layers of security that detect and respond to anomalies. A study by VERIS has shown that 48% of data breaches in such organizations result from what had been considered appropriate access.
In response to these needs, vendors have started to provide advanced analytics in the form of peer group analytics and outlier analysis techniques, which allow organizations to monitor privileged access in the context of its usage.
Securing Data with Intelligence
While IAG systems have predominantly been application centric – a user requests access to applications, reviews are performed for access to applications, and reporting is done at the level of access to applications – what the user is really trying to reach is data. This is where Data Loss Prevention (DLP) comes into play. DLP systems cover a wide range of controls on the transmission of this data. Whether the data is provided by the application or held behind the application in a repository, organizations must provide governance that dictates the rules of engagement for the data to prevent the loss of IP or privacy violations. Vendors here have found ways to integrate DLP events with IAI tools to expand the domain of traditional access governance to the data realm. This requires tools to collect, correlate and analyze data to produce intelligence, which broadens the scope of IAG from applications to data.
The marriage of access governance and data governance is a logical union. Access governance adds context to DLP events by correlating details such as user roles and identity to the event, which helps distinguish abnormal or malicious activities from accidental attempts to transmit sensitive data.
Vendors are adding activity context to what has traditionally been a static approach to looking at access – either top-down or bottom-up role mining – in order to refine access entitlements and roles. Using peer group and outlier analysis techniques, they allow organizations to monitor abnormal access privileges, access to sensitive data, and transaction limits.
Better Visualization of “Access”
Identity and Access Intelligence is not only reshaping the nature of security defenses against a wide range of threats, but it is also equipping businesses with the insight they need to understand the forces transforming IT, and embrace these changes in a secure and intelligent manner.
“Intelligence,” therefore, in the context of IAG, has come to mean the expansion of awareness into where and how the identity is used – validating the identity, understanding its use, and assessing how that access is managed within policy.
It means collecting logs and information from applications and correlating security events to IAM to quickly uncover suspicious behavior or insider threats. And it means enhancing audit and reporting tools with business-level transparency to help organizations meet ongoing compliance challenges.
This is the nature of IAI that correlates a richer concept of identity with insight into activity to enhance role-based analytics and provide context-based access control for applications and data.
The challenge lies in the vast amount of data that needs to be collected and analyzed. To make this more manageable, the first task for organizations will be to define what useful intelligence means for them: intelligence that provides genuine business value and risk mitigation.
Vendors are rapidly entering this space, and we can expect them to offer intelligent analytics solutions to enable next generation access governance by adding cutting-edge capabilities to existing DLP and IAM tools.