Time and time again, we see data breaches frequenting the headlines, and it isn’t slowing down anytime soon. In fact, 2019 alone saw two of the top five largest data breaches recorded in all time. One way organizations can make informed decisions to stay in good health and mitigate risk is by gaining visibility into which users have access to which systems, particularly those with highly sensitive data. Identity Governance and Administration (IGA), also known simply as governance, is a robust set of tools and processes designed to improve transparency and manageability by giving an organization greater visibility into accounts and access, while also providing the ability to prevent and detect inappropriate access.
Recently, we discussed the progression of governance capabilities through the Governance Maturity Model and defined the characteristics of Level 1 and 2, as well as how governance fits into a modern Identity and Access Management (IAM) solution.
The first step to implementing an IGA solution starts in Level 1 with creating an entitlement repository by listing all the organization’s entitlements and who owns them, as well as who has been granted those entitlements. As a refresher, the concept of entitlements refers to an abstract representation of the level of access you have in a system, which could be in regards to an account, a permission, or a group membership.
Once users are associated with entitlements, Level 2 adds a verification process to compare entitlements to what's actually in the downstream application or resource to validate the entitlement repository is accurate against the resources.
Let’s continue with this final installment of our maturity model series, where we will focus on the capabilities in Levels 3 and 4 of the Governance Maturity Model and how governance benefits organizations as a whole.
Level 3: Real-Time Verification of Entitlement Assignments
Level 3 of the Governance Maturity Model expands on components found in Level 2, such as validating entitlements through reconciliation directly against the systems. However, Level 3 kicks these capabilities up a notch by identifying actions as they occur in real time, which is highly recommended for high-risk resources with access to sensitive data.
As opposed to an offline process that reconciles nightly or weekly, the capability of real-time verification of entitlement assignments allows for additional validation directly against systems, so owners can take immediate action in the case of credential discrepancies. The IGA system periodically identifies if there’s a change in the system, such as a change in the user’s role, then reauthorizes in real time to ensure that the entitlement still applies. If a user’s attributes change and they no longer have a particular entitlement but access still exists, the reconciliation process can find that anomaly.
For example, let’s say the user is a teacher who has access to curriculum applications and then moves into the role of a technical specialist under the IT department. The IGA system would recognize the trigger as the user’s title changing in the HR system. While the user still has access to the same email and network login, they would need access granted for the ticketing and phone system and access to the set of curriculum applications revoked.
Unlike offline reconciliation, real-time reconciliation is capable of validating these entitlements early to ensure what's happening in the resource is accurately reflected in the entitlements. Furthermore, this process allows the IGA tool to take action when the comparison does not match, such as reverting any changes that are not aligned with entitlement repository.
Although Level 3 adds the capability of real-time reconciliation, that doesn’t mean organizations should step away from scheduled reconciliations. Let’s say an organization chooses to implement real-time reconciliation for the Active Directory (AD) system to identify when memberships to the domain administrator group are changed. The organization should still ensure a full reconciliation is performed on a scheduled basis, such as nightly, weekly, or monthly, in addition to real time reconciliations, to bring in all the group information from AD to reconcile against entitlements.
This approach is best practice because even though you may have an advanced IGA tool, there could always be a mistake in configuration, which could lead to something eventually getting missed. By performing a full reconciliation, you can find those mistakes much easier, and it also provides assurance that the request mechanisms are not bypassed.
Another characteristic of Level 3 is organizations have mapped entitlements to specific privileges. By mapping entitlements, the IGA tool is provided context to help make a decision on whether access should be granted.
For example, if a user requests access to Amazon Web Services (AWS), the IGA system immediately performs investigative forensics to determine if access should be granted after considering factors and context, such as the user’s role, title, department, access to other systems, and more.
While sometimes on the surface level it may seem like the user should have access granted, the IGA tool may find a flag that stops it from granting this level of access. This process saves time by limiting human intervention to when there’s a flag in the system, and the IGA tool will ask whether the request should be overridden.
Level Four: Decision Scoring Through Artificial Intelligence
Once reconciliation is streamlined and entitlements are mapped, the primary pain for organizations at this stage is the overwhelming amount of approval and certification requests. As long as humans are performing these processes, it’s unlikely that each request is thoroughly reviewed.
Typically these processes are not one’s full time job, and as we’re all busy, it’s easy to fall into the habit of selecting all the requests, clicking approve, and marking the task as complete. However, we know this is not the best way to protect our data. Therefore, in order to ease the burden, organizations looking to advance to Level 4 employ Artificial Intelligence (AI) to detect anomalies that individuals may not be able to see to make predictions for approvals and certifications.
Of course, there’s no question that computers are capable of performing certain functions much quicker than a human. Additionally, AI can even make more informed decisions on approvals and recertifications than humans because it has the ability to quickly access and take advantage of more data.
In order to detect anomalies and provide assistance on whether or not a user should have certain access, machine learning is provided copious amounts of authorization or access pattern events. The AI model looks for certain patterns, and based on that, responds with a probability on whether the user should have this access at this time. This works by utilizing “scoring,” or an algorithm that can assist certification based on attributes defined by the business owner.
For example, if a user makes a request to be granted domain administrator permissions, the IGA system first searches for the user’s title, department, location, and other attributes. Then, the IGA system takes those pieces and uses AI and a model to determine the probability of whether or not the user should be granted administrator access. If there’s only a 10% probability the request should be approved, it can push the request to the appropriate person to make the final decision with a recommended action to deny the request. AI can also learn from historical actions to assist business managers with approval and certification decisions.
Eventually with proper training, the approval or access certification process can be replaced with AI entirely and the organization can start to set thresholds for AI to take automatic action.
For example, if AI determines the probability to be 90 percent or higher that the user should be granted access, you can set AI to automatically approve the request without human intervention. Similarly, if AI finds there’s 10 percent probability or less the user should not have access, AI can automatically reject the request.
The goal is for the AI model to become so well-trained that it can handle the majority of your access decisions and only anomalies are left for human intervention when a threshold is not met. However, it’s important to note that AI is not a “set it and forget it” tool.
When it comes to managing access, it’s crucial to maintain a trust but verify approach. Organizations must implement continuous model training to avoid outdated results. The staff working with AI and machine learning models needs to ensure they are aligned with business owners and continually work on vetting the different outcomes and the training data to verify the outcomes are going in the right direction.
Achieving Level 4 of the Governance Maturity Model allows organizations to truly secure their data and step away from the "rubber stamping" business. As long as you’re managing the training data and reviewing the process, AI is an extremely powerful tool. While it may take several months or a year to implement a solid model, this use case is achievable today as long as the organization maintains proper training data.
Demystify Governance and Gain Actionable Insights in Our On-Demand Webinar
Governance is an extremely important piece of IAM because the more eyes and the better visibility you have into accounts and access across your enterprise, the better your chances are at discovering anomalies and mitigating risk. While we often hear from organizations that governance is too complex to tackle, we encourage you to change this mindset and take it step by step, level by level, to build a plan to increase your governance capabilities.
But how do you determine what those next steps are?
Discover your organization's current level on the Governance Maturity Model by watching our on-demand webinar, Advancing Your Identity Management Strategy with the IAM Maturity Model, Part 7 - Governance.
In this webinar, our founder and IAM expert Troy Moreland discusses how to progress from a basic governance strategy, all the way to an intelligent strategy that provides AI decision scoring with actionable insights on how to take your governance strategy to the next level.
Access the on-demand webinar here.