Real-Time Access Control Automation Using Risk and Intelligence
Gurucul Identity Analytics (IdA) comprehensively manages and monitors identity-based risks and threats across an organization’s siloed environments. Using big data, Gurucul provides a holistic 360-degree view of identity, access, privileged access, and usage in the cloud, on mobile and on-premises. IdA reduces the access plane by detecting and removing access risks, access outliers, and orphan or dormant accounts. This improves an organization’s security posture by significantly decreasing the number of accounts that can be compromised or abused.
Identity Analytics delivers the data science that improves IAM and PAM, enriching existing identity management investments and accelerating deployments. IdA surpasses human capabilities by leveraging machine learning models to define, review and confirm accounts and entitlements for access. It uses dynamic risk scores and advanced analytics data as key indicators for provisioning, de-provisioning, authentication and privileged access management.
The impact of machine learning with Identity Analytics can radically reduce accounts and entitlements. Machine learning models provide 360-degree visibility for an identity, accounts and access, with the ability to compare to peer groups using baselines to determine normal and anomalous access. The objective is to clean up the access plane to enable access only where it should be provided.
Gurucul Identity Analytics Use Cases
Privileged Access Discovery
Get a complete accounting of all privileged entitlements and accounts. Discover who has privileged access, including privileged entitlements that may have escalated after provisioning or that exist within applications and unstructured data. System administrator or shared accounts are traditionally managed and controlled by IAM or PAM solutions. Beyond that scope, however, are regular accounts holding privileged entitlements and privileged functions with no group association or legacy tracking method. Effective privileged access management begins with privileged access discovery at the entitlement level, since entitlements, not accounts, define privileged access. This enables security leaders to manage, monitor and control privileged access with optimal effectiveness and reduced risk.
Access Outliers and Excess Access
Identify high-risk systems access by consuming access entitlement (rights) data from applications and platforms. The average user has more than 100 entitlements, making certification a time-consuming process for managers. Certifications are typically a quarterly or yearly process, leaving organizations at risk from employees holding unwarranted access for extended periods. Using identity analytics integrated with identity and access management (IAM) systems, organizations can detect access outliers by comparing each user against peer groups and trigger certifications for outlier access. Detect dormant and orphan accounts. Reduce access not associated with job responsibilities and the resulting account compromise risk.
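The peer-group comparison described above, as an added illustration that is not Gurucul's code: each user's entitlements are checked against the prevalence of that entitlement among the user's peers (same department, the user excluded), entitlements held by fewer than a threshold fraction of peers are flagged, and the flagged items are ranked into a certification queue. The users, departments, entitlement names, threshold and scoring formula are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data (hypothetical, not from any real IAM system):
# each user's peer group (here, department) and the entitlements they hold.
PEER_GROUP = {
    "alice": "finance", "bob": "finance", "carol": "finance", "dave": "finance",
    "erin": "engineering", "frank": "engineering", "grace": "engineering",
}
ENTITLEMENTS = {
    "alice": {"erp:ap_view", "erp:ap_post", "mail"},
    "bob":   {"erp:ap_view", "erp:ap_post", "mail"},
    "carol": {"erp:ap_view", "mail"},
    "dave":  {"erp:ap_view", "erp:ap_post", "mail", "prod_db:admin"},
    "erin":  {"git:push", "prod_db:admin", "mail"},
    "frank": {"git:push", "mail"},
    "grace": {"git:push", "prod_db:admin", "mail"},
}


def access_outliers(peer_group, entitlements, threshold=0.3):
    """Flag entitlements a user holds that fewer than `threshold` of their
    peers (same group, the user excluded) also hold.

    Returns {user: {entitlement: peer_prevalence}} for flagged access only.
    """
    members = defaultdict(list)
    for user, group in peer_group.items():
        members[group].append(user)

    outliers = {}
    for user, ents in entitlements.items():
        peers = [p for p in members[peer_group[user]] if p != user]
        if not peers:
            continue  # a group of one has no baseline to compare against
        flagged = {}
        for ent in ents:
            holders = sum(ent in entitlements.get(p, set()) for p in peers)
            prevalence = holders / len(peers)
            if prevalence < threshold:
                flagged[ent] = round(prevalence, 3)
        if flagged:
            outliers[user] = flagged
    return outliers


def outlier_score(peer_group, entitlements, user, threshold=0.3):
    """Per-user outlier score: each flagged entitlement contributes (1 - prevalence),
    so access held by no peer at all weighs most. Constructed scoring, not Gurucul's."""
    flagged = access_outliers(peer_group, entitlements, threshold).get(user, {})
    return round(sum(1.0 - p for p in flagged.values()), 3)


def certification_queue(peer_group, entitlements, threshold=0.3):
    """Build the list of (user, entitlement, score) items a manager would be
    asked to certify, highest score first, so reviews focus on outlier access."""
    items = []
    for user, flagged in access_outliers(peer_group, entitlements, threshold).items():
        for ent, prevalence in flagged.items():
            items.append((user, ent, round(1.0 - prevalence, 3)))
    return sorted(items, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for item in certification_queue(PEER_GROUP, ENTITLEMENTS):
        print(item)
```

With this data only dave's `prod_db:admin` is flagged: none of the other finance users hold it, whereas in engineering two of three members hold it, so erin and grace are within their peer baseline. Excluding the user from the peer count matters in small groups; otherwise a single holder in a group of four already shows 25% prevalence.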
Outlier Access Cleanup
Automate access cleanup processes. Eliminate the need to go to each endpoint to remove access. Discovered outlier access can be marked for removal. Identity analytics leverages API integration to automatically send de-provisioning requests to provisioning systems where standard workflows can be applied to ensure access is removed appropriately. Removal is validated, and user risk scores are adjusted when our identity analytics solution receives confirmation back from the provisioning system that access has been removed.
Risk-Based Access Certifications
Automatically send risk-based certifications to the business when outlier access is identified. Identity analytics uses multiple parameters to drive risk-based certification, including a user's overall risk score, entitlement- and account-level risk scores, and outlier scores, presented in a context-rich, configurable UI. Configurations may include several context points such as access risk rating, peer group metrics, outlier risk scores and status recommendations. Enable the business (managers, data owners, role owners) to make decisions about removing or retaining outlier access to their assets.
Dynamic Access Provisioning
Enable automated workflow approvals with dynamically generated risk scores. Determine access control permissions and restrictions based on a user's risk score. Risk scores are produced by the machine learning algorithms in identity analytics. They consider several points of context, including user behavior, resource sensitivity, the job or role of the user, the user's access compared with that of their peers, and the configuration of the device used to access resources. Dynamic access provisioning updates user permissions automatically, without administrator intervention, for low-risk situations and when the user's job or role changes. Access to resources is based on risk rather than hard-coded rules. Automatically remove access when unknown devices and locations are in play.
Role Access Reconciliation
Review role membership and identify missing or unused access. Automatically update users within a role to have all the access that the role provides. Ensure access additions and removals are centrally logged through integration with provisioning or ticketing systems. Automatically notify role owners and business users of access changes resulting from updates to role access. Roles are automatically reviewed for access no longer used or needed by role members.
Role Mining and Intelligent Roles
Review existing roles, or mine and define new roles. Intelligent roles replace manually defined roles, which are often created from legacy rules. Group and role proliferation, plus the buildup of accounts and entitlements that employees accumulate across the roles of their career, create unnecessary access that insiders or attackers can exploit. This is an identity access plane ripe for phishing and social engineering attacks. Implementing an intelligent roles policy redefines and minimizes an organization's access risk plane, providing the right member of the organization with the right data at the right time and place. Unlike traditional role mining, identity analytics uses machine learning algorithms that take both access and activity into account. This ensures unused and unneeded access is removed from roles during the definition process. Roles can be easily exported for consumption by provisioning systems.
Access Governance and SoD Monitoring
Detect SoD rule violations within applications and between applications and automatically remove access. Segregation of duties (SoD) is an essential control over sensitive transactions. Role-based access often causes unknown conflicts in securing these transactions. Identity analytics automatically reviews existing roles and entitlements across systems and identifies inter- and intra-application SoD risks. When these risks are identified, access is temporarily disabled, and the business owner is notified. The business owner can choose to accept the risk and allow access or deny access. In both situations, identity analytics supports configurations to send updates to the business owner and to the identity management system to ensure a central audit log is maintained.
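The detect-suspend-decide flow described above, as an added example that is not Gurucul's code: SoD rules are pairs of conflicting functions, each entitlement is written as `app:function` so a violation can be labelled intra- or inter-application from its prefixes, and every detected conflict is suspended until the business owner accepts or denies it, with each step written to an audit log. The rules, users, entitlement names and the convention that the rule's right-hand entitlement is the one acted on are all constructed for the example.

```python
from collections import defaultdict

# Constructed SoD rules and entitlement data (hypothetical, not from any real system).
# Entitlements are written "app:function"; a rule is a pair of conflicting functions.
SOD_RULES = [
    ("erp:vendor_create", "erp:ap_pay"),      # create a vendor and pay it: intra-application
    ("erp:ap_pay", "bank:wire_approve"),      # pay in ERP and approve the wire: inter-application
    ("hr:payroll_edit", "bank:wire_approve"), # edit payroll and approve the wire: inter-application
]
USER_ENTITLEMENTS = {
    "alice": {"erp:vendor_create", "erp:ap_view"},
    "bob":   {"erp:vendor_create", "erp:ap_pay"},
    "carol": {"erp:ap_pay", "bank:wire_approve", "mail"},
    "dave":  {"hr:payroll_edit", "mail"},
}


def app_of(entitlement):
    """Application prefix of an 'app:function' entitlement."""
    return entitlement.split(":", 1)[0]


def sod_violations(user_entitlements, rules):
    """One record per (user, rule) where the user holds both sides of the rule,
    labelled intra- or inter-application by comparing the app prefixes."""
    violations = []
    for user, ents in sorted(user_entitlements.items()):
        for left, right in rules:
            if left in ents and right in ents:
                kind = "intra-application" if app_of(left) == app_of(right) else "inter-application"
                violations.append({"user": user, "rule": (left, right), "kind": kind})
    return violations


def apply_decisions(user_entitlements, violations, decisions):
    """Work through detected violations with the business owner's decisions.

    `decisions` maps (user, rule) -> "accept" | "deny". The right-hand entitlement
    of the rule is the one acted on (a constructed convention). With no decision
    yet, that entitlement is suspended: removed from active access and parked in
    `suspended` until the owner answers. Every step goes to an audit log so the
    identity management system can keep the central record.
    """
    active = {user: set(ents) for user, ents in user_entitlements.items()}
    suspended = defaultdict(set)
    audit = []
    for violation in violations:
        user, rule = violation["user"], violation["rule"]
        target = rule[1]
        decision = decisions.get((user, rule))
        if decision == "accept":
            audit.append((user, target, "retained", "risk accepted by business owner"))
        elif decision == "deny":
            active[user].discard(target)
            audit.append((user, target, "removed", "denied by business owner"))
        else:
            active[user].discard(target)
            suspended[user].add(target)
            audit.append((user, target, "suspended", "awaiting business owner decision"))
    return active, dict(suspended), audit


if __name__ == "__main__":
    found = sod_violations(USER_ENTITLEMENTS, SOD_RULES)
    owner_decisions = {("bob", ("erp:vendor_create", "erp:ap_pay")): "deny"}
    _, _, log = apply_decisions(USER_ENTITLEMENTS, found, owner_decisions)
    for entry in log:
        print(entry)
```

In the sample run bob's intra-application conflict is denied and `erp:ap_pay` removed, while carol's inter-application conflict has no decision yet, so `bank:wire_approve` sits in `suspended` rather than remaining active. Holding one side of a rule (alice, dave) is not a violation by itself.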
Dormant and Orphan Account Management
Reduce the risk of orphan or dormant accounts being compromised or misused. Automatically identify dormant and orphan accounts. These accounts can be sent to system owners or administrators for review. Action can be taken, based on their response, to assign the account to an end user, or remove the account from the system. Automatically disable accounts and notify the owner when there is no decision.
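The classification and owner-response handling described above, as an added example that is not Gurucul's code: account records are joined to identity (HR) records, an account whose owner is missing, unknown or no longer active is marked orphan, one with no login inside the dormancy window is marked dormant (an account can be both), and the system owner's response, or the absence of one, is turned into an action. The identity records, account inventory, dormancy window and response format are constructed for the example.

```python
from datetime import date

# Constructed identity (HR) records and system account inventory (hypothetical data).
IDENTITIES = {
    "emp001": {"name": "Alice", "status": "active"},
    "emp002": {"name": "Bob", "status": "terminated"},
    "emp003": {"name": "Carol", "status": "active"},
}
ACCOUNTS = [
    {"system": "erp", "account": "alice.f", "owner": "emp001", "last_login": date(2024, 5, 20)},
    {"system": "erp", "account": "bob.s", "owner": "emp002", "last_login": date(2024, 1, 3)},
    {"system": "crm", "account": "svc_report", "owner": None, "last_login": date(2024, 5, 28)},
    {"system": "crm", "account": "carol.m", "owner": "emp003", "last_login": date(2023, 11, 1)},
]


def classify_accounts(accounts, identities, today, dormant_days=90):
    """Orphan: no owner, unknown owner, or owner not an active identity.
    Dormant: no login within `dormant_days` (never logged in counts as dormant).
    Returns one finding per account that has at least one reason."""
    findings = []
    for acct in accounts:
        reasons = []
        owner = acct.get("owner")
        if owner is None or identities.get(owner, {}).get("status") != "active":
            reasons.append("orphan")
        last_login = acct.get("last_login")
        if last_login is None or (today - last_login).days > dormant_days:
            reasons.append("dormant")
        if reasons:
            findings.append({"system": acct["system"], "account": acct["account"], "reasons": reasons})
    return findings


def disposition(finding, response=None):
    """Turn the system owner's response to a finding into an action.

    response: ("assign", identity_id) to hand the account to an end user,
              "remove" to delete it from the system,
              None when no decision was made: disable the account and notify the owner.
    """
    if isinstance(response, tuple) and len(response) == 2 and response[0] == "assign":
        return {"action": "assign", "owner": response[1]}
    if response == "remove":
        return {"action": "remove"}
    return {"action": "disable", "notify": True}


if __name__ == "__main__":
    for finding in classify_accounts(ACCOUNTS, IDENTITIES, date(2024, 6, 1)):
        print(finding, "->", disposition(finding))
```

Run against 1 June 2024, bob's ERP account is both orphan (terminated owner) and dormant, the `svc_report` service account is orphan because nothing in HR owns it, and carol's CRM account is dormant despite an active owner. Service accounts are the usual source of orphans that a review must assign to a responsible person rather than delete outright.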
Gurucul Identity Analytics Benefits
65% Reduction in On-Boarding Time
- Increase productivity using zero-day dynamic access provisioning
- Reduce risk through dynamic remediation
60% Reduction in Manager Time During Certifications
- Focus only on risky and outlier access reviews
- Enhance the user experience and reduce rubber-stamping
- Run contextual searches on IAM data to deliver significant compliance and audit cost savings
50% Reduction in Privileged Access Risk
- Discover privileged access and move to the vault
- Risk score outlier access and anomalous behavior
40% Reduction in Excess Access (Accounts & Entitlements)
- Facilitate the elimination of unwarranted access entitlements
- Amplify the productivity of security analysts
- Reduce the attack surface
5% Reduction in Software Subscription Licenses
- Save on licensing fees for SaaS cloud applications by removing orphan and dormant accounts
“Identity Analytics forms the foundation of our overall control set at Aetna. We have a risk score for all our users that is derived from Identity Analytics. That risk score is one of the primary factors in many of our downstream controls.”
– Kurt Lieber, CISO, Aetna