Co-authored by Priti Patil.
The Identity Governance space has evolved to be much more risk aware. This is due to many factors including a major influx of identities within organizations, identities going beyond just employees to include partners, vendors, customers, IoT devices, and RPA Bots. With the increase of users, entitlements, and applications to manage across the Identity & Access Management (IAM) environment, it’s becoming increasingly critical to integrate identity analytics into your security posture to provide a holistic view of risk. This holistic view should not only cover IAM solutions but span the entire security environment including SIEM, directories, DPLs, unstructured data, etc. Gathering data from various sources will maximize the likelihood of uncovering risk which in turn provides the opportunity for mitigation. Identity analytics is not the ultimate answer but is an integral piece of the puzzle and should be utilized to augment existing security analytics solutions by adding identity related context.
Figure 1: Identity Analytics solutions take in data from a variety of sources to provide a 360-degree view of access risks
The rapid growth of adoption in this space can be attributed to three key driving factors: excessive access risk, compliance requirements, and the need for operational efficiency.
The concept of least privilege is simple; provide employees only the bare minimum privileges needed to perform their job. Implementing this concept can be extremely difficult. We often see the practice of “rubber stamping”. This is where managers or admins grant all access requests that come their way without really knowing if the request is valid. We often see this happen to avoid getting in the way of employees doing their job or slowing them down. To prevent overentitled users or excessive access, identity analytics can help identify risk throughout the identity lifecycle utilizing tools such as peer group analysis to identify anomalies within peer groups. Whether a peer group is defined by role, department, or location, it can provide additional context in whether or not to grant access. Some examples of risk throughout the identity lifecycle can be seen in the following chart which follows a user as they join, move throughout, and leave an organization. One example of risk that can be highlighted by identity analytics is outlier access, such as when a user changes departments. This can identify when a user has changed roles/peer groups but still has access to resources from their prior role.
Figure 2: Risk throughout the identity lifecycle
The need to comply with regulatory mandates requires organizations to confidently detect and monitor access, otherwise they are in jeopardy of having a significant number of violations, failing audits, and facing non-compliance fines. Customizing an identity analytics dashboard with OOTB and custom policies can streamline the identification of compliance risk by highlighting the risks that matter most to your organization. By using configuration tools to edit severity levels of policies, organizations can immediately identify and then take action on those high-level risks that are out of compliance.
With the number of users, entitlements, and applications growing rapidly, far beyond human capacity, the need for operational efficiency is upon us. To prevent practices like rubber stamping, it’s key to provide decision support tools such as risk and confidence scores. This additional layer of information regarding the level of risk, such as comparing a request to similar peers or analyzing what action you’ve taken in similar situations in the past, will speed up the remediation process which will both increase efficiency while empowering the decision maker to make the right decision.
Identity Analytics addresses each of these needs by providing the ability to aggregate data across a multitude of sources to generate a holistic view of the environment. This then allows for effective use of the analytics engine to perform risk analysis, peer analysis, outlier analysis, etc. Based on the configuration of policies, this data can then be viewed in the way that is most applicable for your organization, bubbling the relevant risk up to the top of your feed.
Each identity analytics use case is further dived below which are based on pain points that were aggregated from talking to a variety of identity and access management customers and business partners.
Figure 3: Cloud Identity Analyze takes in identity context, highlights policy violations, and triggers out of the box and custom actions
Something that we often hear from the field is the inability to monitor risk across IAM solutions, creating uncertainty around whether or not they are carrying compliance related risk. This again ties back into having a 360-degree view, or the ability to perform a ‘health check’ on the environment, this is crucial to knowing if your organization is open to access related risk. This would involve data mining and aggregating information from a variety of sources, (multiple identity solutions, SIEM, DLP, directories, etc.) across your environment in order to identify risk which would be based on your organization's configuration preferences. These policies can vary from identifying dormant accounts, setting risk at various severity levels such as an account that’s dormant for 15 days is low and an account that’s dormant for a year is high, to identifying users with excessive access utilizing peer group analysis further talked about below.
Another pain point we hear often is around needing quick insights to support making informed access and certification decisions, to prevent simply approving everything. This requires providing intelligence that can assist in the decision-making process. This can be in the form of providing risk scores alongside evaluations that can invoke confidence in a decision to suspend, recertify, or revoke. This is especially useful when scaled up as many organizations grow and are unable to keep up with the number of users and applications. This additional support will prevent the risk that comes with group certifications and can alert you to anomalous activity.
Peer Group Analysis
This third pain point revolves around peer group analysis, meaning identifying a user’s role and associated entitlements and comparing that to similar peers allowing for insights into how an individual user could be deviating from peers within the same group. This can prevent over entitlement for individuals that switch departments. One example of peer group analysis is someone on payroll having access to sensitive information switching to a different role such as marketing. This new role no longer requires access to the tools utilized in payroll but can be continuously approved if the approver often rubber stamps and is not notified of the risk. A simple confidence score with information on what percentage of peers in that new role have access can inform the decision maker on what action to take.
Shadow IT Governance
And lastly, shadow IT governance, allowing for the discovery of cloud application usage within an organization. As many of us are aware, non-approved applications are continually being used within organizations today and pose a threat by leaving openings to your organization that you aren’t aware of and can therefore not prepare for. Shadow IT governance allows for the discovery of these applications which would then give you the opportunity to secure them whether it be to onboard an application or to deny access.
How is your organization going about addressing these needs today? If your organization has needs around the drivers listed above, implementing an identity analytics solution can help.
Identity Analytics is a new part of the Cloud Identity family bringing analytics to uncover key insights across your IAM environment. Whether it be identity governance or activity related data sources, it’s important to identify risks and have the capability to efficiently take action on those identified risks. Identity Analytics within Cloud Identity is currently available in beta for existing IGI and ISIM customers. This is an opportunity to get in on the ground floor and provide feedback on what capabilities and use cases would be most impactful to your organization. If you’re interested in learning more or want to be enabled as an early adopter, please reach out to firstname.lastname@example.org.