With the compromise and misuse of identity emerging as a serious threat plane, preventing data exfiltration through phishing and social attacks has become an urgent concern. Heightening security leaders’ alarm is the realization that IAM (identity and access management) has outlived its standalone usefulness, and that a profound discovery gap exists for privileged access: in most organizations the majority of these access entitlements are unaccounted for. The result is a vast gray area of access in an organization’s environment, a serious unknown and a growing threat plane. Insider threat is likewise becoming a serious and growing concern for security leaders.
Within the domain of advanced security analytics, a range of industry analysts have observed the critical value of Identity and Access Analytics (IAA). Built on big data and driven by advanced machine learning algorithms to deliver comprehensive visibility, it is the only realistically effective method to manage and monitor identity-based risks and threats across all of an organization’s siloed environments. Identity and Access Analytics identifies and minimizes excess access and access outliers, thereby shrinking the access risk plane. The use cases of IAA are what make this possible. The range of IAA use cases a solution vendor offers defines its scope of capabilities within the marketplace and is a critical assessment component prospective customers review when considering an IAA vendor’s qualifications and ability to address their challenges now and in the future. This white paper explores a comprehensive and optimal set of use cases for Identity and Access Analytics.
Identity and access management is the Achilles heel of organizations. In the past, IAM was the primary discipline for managing identities and access and for facilitating access compliance. Recent growth in distributed applications (on-premises, cloud and mobile), an increasingly distributed workforce and fast-moving business priorities have surfaced the challenges with current IAM solutions, including IGA, PAM and CIAM (identity governance and administration, privileged access management, and customer identity and access management). Security leaders who recognize identity compromise and misuse as the core of modern threats see this as a rapidly growing concern. IAA is the proactive side of advanced security analytics: it reduces excess access, access outliers, and orphan or dormant accounts before they are compromised or abused, provides risk-based certifications and defines intelligent roles. IAA delivers the data science that improves IAM and PAM, leveraging machine learning models that surpass human capabilities to define, review and confirm accounts and entitlements for access. A primary objective of IAA is to reduce the access plane as much as possible by removing access risks, access outliers, orphan or dormant accounts, and similar exposures. IAA provides a risk-based approach for managing system identities and access. Using dynamic risk scores and advanced analytics data as key indicators for provisioning, de-provisioning, authentication and privileged access management, IAA assists in making intelligent access decisions that match the rapid pace of changing business needs.
Intelligent roles replace manually defined roles often created from legacy rules. Group and role proliferation, plus the buildup of accounts and entitlements for employees during their career in various roles, create unnecessary access to insiders or attackers. This is an identity access plane ripe for phishing and social attacks. Implementing an intelligent roles policy redefines and minimizes an organization’s access risk plane, providing the right member of the organization with the right data at the right time and place. This is a critical consideration because identity is a threat plane of rapidly growing importance.
Machine learning models provide 360-degree visibility for an identity, accounts and access with the ability to compare to peer groups, using baselines to determine normal and anomalous access. The impact of machine learning with IAA can radically reduce accounts and entitlements for an organization. This often represents the first phase in a project plan when adopting user and entity behavior analytics (UEBA) and IAA. The objective is to clean up the access plane with IAA to enable access only where it should be provided. Analysis with UEBA would follow this step to detect risks and threats beyond manually defined rules, patterns and signatures. These two disciplines can work holistically together to address identity as an access risk and threat plane.

A comprehensive set of use cases for identity analytics should include:
A more detailed description of each IAA use case follows:
A majority of privileged access (PA) often resides outside traditional access inventory and management systems, which work at a coarse-grained account level with legacy and manual tracking methods. Because privileged access may come from entitlements held by users outside an established privileged access group, effective management and security assurance is a critical concern. Managing privileged access effectively begins with privileged access discovery at the entitlement level, since entitlements, not accounts, define privileged access.
This begins with understanding who has PA with high privileged entitlements that may have escalated after provisioning or exist within applications and unstructured data. Most organizations understand that system administrator or shared accounts are traditionally managed and controlled by IAM or PAM solutions. However, beyond that scope are regular accounts with privileged access entitlements and privileged functions without a group association or legacy tracking method. Privileged access discovery involves a comprehensive identification of privileged entitlements analyzing access and activity across an entire organization’s solution silos, to assure a complete accounting of these privileged entitlements and accounts is achieved.
Benefits:
IAA identifies high-risk system access by consuming access entitlement (rights) data from applications and platforms. This use case identifies access that is considered high-risk, including: privileged access, access that violates segregation of duties, access dissimilar to that of peers, and infrequently used access to systems. The average user has more than 100 entitlements, making certification a time-consuming process for managers.
Organizations realize managers are too often approving all certification requests without actually validating each one. Certifications are typically a quarterly or yearly process leaving organizations at risk with employees having extended access to which they should not be entitled. Using Identity and Access Analytics integrated with identity and access management (IAM) systems, organizations can detect access outliers leveraging peer groups of users to trigger certifications for outlier access.
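As an added illustration of the two mechanisms described above (entitlement-level privileged access discovery, and peer-group outlier detection used to trigger targeted certifications), the following Python is example code written for this page and is not Gurucul's product code. The identities, departments, entitlement ids, the privileged-entitlement catalogue and the 30% peer threshold are all constructed assumptions.

```python
# Added example (not Gurucul's product code): entitlement-level privileged
# access discovery and peer-group outlier detection over a constructed
# identity inventory. All names, departments and entitlement ids are invented.
from collections import Counter, defaultdict

# Constructed inventory: identity -> peer-group attribute and held entitlements.
USERS = {
    "alice": {"dept": "finance", "entitlements": {"erp.ap.view", "erp.ap.approve"}},
    "bob":   {"dept": "finance", "entitlements": {"erp.ap.view", "erp.ap.approve"}},
    "carol": {"dept": "finance", "entitlements": {"erp.ap.view", "erp.ap.approve", "db.prod.dba"}},
    "dave":  {"dept": "finance", "entitlements": {"erp.ap.view"}},
    "erin":  {"dept": "it",      "entitlements": {"db.prod.dba", "vpn.admin"}},
    "frank": {"dept": "it",      "entitlements": {"db.prod.dba", "vpn.admin"}},
}

# Constructed catalogue of entitlements that confer a privileged function.
# Discovery keys on the entitlement, so an account is flagged whether or not
# it sits in a designated admin group.
PRIVILEGED_ENTITLEMENTS = {"db.prod.dba", "vpn.admin", "erp.ap.approve"}


def discover_privileged(users, privileged):
    """Return {user: sorted privileged entitlements} for every account that
    holds at least one privileged entitlement."""
    found = {}
    for user, rec in users.items():
        hits = rec["entitlements"] & privileged
        if hits:
            found[user] = sorted(hits)
    return found


def peer_outliers(users, group_key="dept", threshold=0.3):
    """Flag entitlements held by fewer than `threshold` of the holder's peer
    group (peers = same value of group_key). Returns {user: sorted outliers}."""
    groups = defaultdict(list)
    for user, rec in users.items():
        groups[rec[group_key]].append(user)
    outliers = {}
    for members in groups.values():
        held = Counter()
        for m in members:
            held.update(users[m]["entitlements"])
        size = len(members)
        for m in members:
            rare = sorted(e for e in users[m]["entitlements"] if held[e] / size < threshold)
            if rare:
                outliers[m] = rare
    return outliers


def certification_candidates(users, privileged, threshold=0.3):
    """Outlier entitlements that are also privileged: the access to send for
    certification first, instead of asking managers to re-approve all of it."""
    priv = discover_privileged(users, privileged)
    out = peer_outliers(users, threshold=threshold)
    result = {}
    for user, rare in out.items():
        both = sorted(set(rare) & set(priv.get(user, [])))
        if both:
            result[user] = both
    return result


if __name__ == "__main__":
    print("privileged:", discover_privileged(USERS, PRIVILEGED_ENTITLEMENTS))
    print("peer outliers:", peer_outliers(USERS))
    print("certify first:", certification_candidates(USERS, PRIVILEGED_ENTITLEMENTS))
```

Note that carol's database administrator entitlement is caught twice: once because the entitlement itself is privileged regardless of her group membership, and once because only one of four finance peers holds it. Sending that single entitlement for certification is far more likely to get a real review than a quarterly bulk approval.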
Benefits:
Shoring up access risk in the enterprise starts with reducing excess access and access outliers. Gurucul Identity and Access Analytics automates the access cleanup process. It identifies dormant and orphan accounts, and detects accounts with outlier access that are routinely missed by conventional IAM tools.
In large organizations, people often forget about accounts that are left open by former employees, users in new job roles or anyone else who retains knowledge about the account. The risk is that orphaned accounts can be exploited by hackers or insider threats to gain access to systems with sensitive data. In addition to the security benefits, removing orphan and dormant accounts with IAA saves on licensing fees for SaaS applications and boosts productivity by sparing IT staff from manually searching for these difficult-to-find accounts.
To reduce the attack surface area posed by access, Gurucul IAA uses a risk-based approach for access requests and approvals to identify and remove excess access, access outliers, and orphaned/dormant accounts. These accounts are identified and sent to system owners or IT personnel for review. Action can be taken, based on the response, to assign the account to an end user, or remove the account from the system. Gurucul’s API integrations automatically send de-provisioning requests to provisioning systems where standard workflows can be applied to ensure access is removed appropriately. Once access removal is validated, user risk scores are adjusted when the product receives confirmation from the provisioning system that access has been removed.
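The cleanup workflow above (identify orphan and dormant accounts, then hand each system owner a review list with a recommended action) can be reduced to a join between the HR roster and each application's account inventory. The Python below is an added example for this page, not Gurucul's code; the roster, account list, dates and the 90-day dormancy window are constructed assumptions.

```python
# Added example (not Gurucul's product code): finding orphan and dormant
# accounts by joining an application account inventory against the HR roster.
# The roster, accounts and dates below are constructed sample data.
from datetime import date, timedelta

# Constructed HR roster: identities that are currently active employees/contractors.
HR_ACTIVE = {"alice", "bob", "carol"}

# Constructed account inventory pulled from each application.
ACCOUNTS = [
    {"app": "crm", "account": "alice.crm", "owner": "alice", "last_login": date(2024, 5, 1)},
    {"app": "crm", "account": "bob.crm",   "owner": "bob",   "last_login": date(2023, 11, 20)},
    {"app": "crm", "account": "zed.crm",   "owner": "zed",   "last_login": date(2024, 4, 30)},  # owner left
    {"app": "erp", "account": "svc_batch", "owner": None,    "last_login": date(2024, 5, 2)},   # no owner recorded
    {"app": "erp", "account": "carol.erp", "owner": "carol", "last_login": None},               # never used
]


def classify_accounts(accounts, hr_active, today, dormant_days=90):
    """Split accounts into orphans (no active owner on the HR roster) and
    dormant accounts (owned, but not used within dormant_days)."""
    cutoff = today - timedelta(days=dormant_days)
    orphan, dormant = [], []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None or owner not in hr_active:
            orphan.append(acct["account"])
            continue  # an orphan is already an action item; do not double-count
        last = acct["last_login"]
        if last is None or last < cutoff:
            dormant.append(acct["account"])
    return {"orphan": orphan, "dormant": dormant}


def review_requests(accounts, findings):
    """Group findings per application so each system owner receives one
    review list; the recommended action mirrors the workflow in the text."""
    by_app = {}
    for acct in accounts:
        name = acct["account"]
        if name in findings["orphan"]:
            reason, action = "orphan", "assign an owner or remove"
        elif name in findings["dormant"]:
            reason, action = "dormant", "confirm still needed or remove"
        else:
            continue
        by_app.setdefault(acct["app"], []).append((name, reason, action))
    return by_app


if __name__ == "__main__":
    found = classify_accounts(ACCOUNTS, HR_ACTIVE, today=date(2024, 5, 10))
    for app, items in review_requests(ACCOUNTS, found).items():
        print(app, items)
```

Two details matter in practice. A service account with no recorded owner is treated as an orphan even though it logged in recently, because a recently used account that nobody owns is exactly the kind of access that is routinely missed; and an account that has never logged in is treated as dormant rather than ignored, since a never-used account is still an open door.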
Benefits:
Enable real-time, risk-based access policy enforcement of authentication levels for a user’s access to systems, devices, and applications. Access control permissions and restrictions are determined by the user’s risk score rather than by hardcoded rules. A real-time risk score is calculated from the user’s outlier behavior percentage, resident user risk and reputation, and the data or transaction risk classification. This score is then used to make real-time authentication and access decisions, simplifying the user experience while enhancing security.
Benefits:
Outlier access capabilities can be extended to automatically send risk-based certifications to the business when outlier access is identified. Identity and Access Analytics uses multiple parameters to drive risk-based certification, including a user’s overall risk score, entitlement and account level risk score, and outlier scores from a context-rich configurable UI. Configurations may include several context points such as: access risk rating, peer group metrics, outlier risk scores and status recommendations. Mature Identity and Access Analytics solutions can send built-in certifications, or use APIs to integrate with other enterprise solutions to send certifications to end users or account owners for review.
Benefits:
Dynamic access provisioning can be used to determine access-control permissions and restrictions based on a user’s risk score. Risk scores are defined by machine learning algorithms from Identity and Access Analytics. They take into account several points of context, including: user behavior, resource sensitivity, the job or role of the user, the user’s access versus that of their peers, and the configuration of the device used to access resources. Dynamic access provisioning should also update user permissions automatically, without additional administrator intervention, when the user’s job or role changes. Example 1: Identity and Access Analytics determines user permissions when a user accesses a resource from their office computer versus when they use BYOD (bring your own device) over a virtual private network. Access may be reduced if the device is considered high risk (unknown, not patched, unusual location, etc.). Example 2: A user switches jobs; Identity and Access Analytics identifies the job change and determines the new peer groups. Dynamic access provisioning automatically updates user permissions without administrator intervention for low-risk situations.
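The risk-based authentication use case and Example 1 above both turn on the same step: several risk factors are combined into one score, and the score drives both the authentication level and how much of the user's access is actually granted on that session. The Python below is an added example written for this page, not Gurucul's scoring model; the factor weights, the 40/70 thresholds, the device and data classification scales, and the sample user's entitlements are all assumptions of the example.

```python
# Added example (not Gurucul's product code): composing a risk score from the
# factors named in the text and turning it into an authentication and access
# decision. Weights, thresholds and factor scales are assumptions of this example.

# Weights sum to 100; each factor is scored 0..100 (integer arithmetic avoids
# rounding surprises at the thresholds). Assumed, not the product's model.
WEIGHTS = {"outlier_pct": 35, "user_risk": 25, "data_class": 20, "device_risk": 20}

# Assumed classification scales for the two categorical inputs.
DATA_CLASS = {"public": 0, "internal": 30, "confidential": 70, "restricted": 100}
DEVICE_RISK = {"managed_office": 0, "byod_vpn": 60, "unknown": 100}


def risk_score(outlier_pct, user_risk, data_class, device):
    """Weighted 0..100 score. outlier_pct: share of the user's recent activity
    that deviated from baseline (0..100); user_risk: resident risk and
    reputation (0..100); data_class/device: keys of the scales above."""
    factors = {
        "outlier_pct": outlier_pct,
        "user_risk": user_risk,
        "data_class": DATA_CLASS[data_class],
        "device_risk": DEVICE_RISK[device],
    }
    return sum(WEIGHTS[k] * v for k, v in factors.items()) // 100


def auth_level(score):
    """Map the score to an authentication requirement (assumed thresholds)."""
    if score >= 70:
        return "deny"
    if score >= 40:
        return "step_up_mfa"
    return "allow"


def granted_entitlements(entitlements, score):
    """Reduce access on a risky session. Entitlements are tagged with the data
    class they reach; a step-up session keeps internal-or-lower only, a denied
    session gets nothing."""
    if score >= 70:
        return []
    limit = 30 if score >= 40 else 100
    return sorted(e for e, cls in entitlements.items() if DATA_CLASS[cls] <= limit)


def evaluate(outlier_pct, user_risk, data_class, device, entitlements):
    """One access request in, one decision out."""
    score = risk_score(outlier_pct, user_risk, data_class, device)
    return {"score": score, "auth": auth_level(score),
            "granted": granted_entitlements(entitlements, score)}


# Constructed entitlement set for one user, tagged with the data class reached.
ALICE = {"erp.ap.view": "internal", "erp.ap.approve": "restricted", "wiki.read": "public"}

if __name__ == "__main__":
    # Example 1 from the text: same user, office workstation vs. BYOD over VPN.
    print(evaluate(10, 20, "restricted", "managed_office", ALICE))
    print(evaluate(10, 20, "restricted", "byod_vpn", ALICE))
    # A user whose behaviour and reputation are both poor, on an unknown device.
    print(evaluate(90, 80, "restricted", "unknown", ALICE))
```

With these assumed weights the same low-risk user scores 28 from a managed office machine and is simply allowed, but scores 40 from a BYOD device over VPN, which triggers step-up authentication and withholds the restricted approval entitlement for that session. Nothing about the user's provisioned access changed; only the session's risk did, which is the point of deciding from a score instead of a static rule.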
Benefits:
Access analytics software reviews role membership and identifies missing access as well as access to systems no longer used by role members. The solution integrates with provisioning systems to ensure that all changes made to access follow the standard provisioning process and that each transaction is logged accordingly. The system can be configured to automatically inform users and resource owners of access changes. Roles are automatically reviewed for access no longer used or needed by role members.
Benefits:
Identity and Access Analytics can be used to review existing roles, or mine and define new roles. Unlike traditional role mining, Identity and Access Analytics uses machine learning algorithms that take into account access and activity. This ensures unused and unneeded access is removed from roles during the definition process. Roles can be easily exported for consumption by provisioning systems.
Benefits:
Segregation of duties (SoD) is an essential control over sensitive transactions. Role-based authorization and access often causes unrecognized conflicts in securing these transactions. Identity and Access Analytics automatically reviews existing roles and entitlements across systems and identifies inter- and intra-application segregation-of-duties risks. When these risks are identified, the Identity and Access Analytics solution can, via API integration, temporarily disable the access and send a notification to the business owner. The business owner can choose to accept the risk and allow the access, or deny the access. In both cases, Identity and Access Analytics solutions should support configurations that send updates to the business owner and to the identity management/access request system so that the central audit log is maintained.
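The role mining use case (roles defined from held access plus observed activity, so unused access never enters the role) and the SoD use case (conflicting entitlement pairs detected across a user's or a role's holdings) share the same inputs, so one added example serves both. The Python below was written for this page and is not Gurucul's code; the job titles, entitlements, activity dates, the 66% membership share, the 90-day activity window and the single SoD rule are constructed assumptions.

```python
# Added example (not Gurucul's product code): mining roles from held access
# plus observed activity, then checking users and mined roles for
# segregation-of-duties conflicts. Titles, entitlements and dates are constructed.
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed: user -> (job title, held entitlements)
USERS = {
    "alice": ("ap_clerk",   {"erp.invoice.create", "erp.invoice.view", "hr.legacy.view"}),
    "bob":   ("ap_clerk",   {"erp.invoice.create", "erp.invoice.view", "erp.payment.approve"}),
    "carol": ("ap_clerk",   {"erp.invoice.create", "erp.invoice.view", "hr.legacy.view"}),
    "dave":  ("ap_manager", {"erp.invoice.view", "erp.payment.approve"}),
}

# Constructed activity: (user, entitlement) -> last date it was exercised.
# Pairs absent from this map were never used.
ACTIVITY = {
    ("alice", "erp.invoice.create"):  date(2024, 5, 3),
    ("alice", "erp.invoice.view"):    date(2024, 5, 3),
    ("bob",   "erp.invoice.create"):  date(2024, 4, 28),
    ("bob",   "erp.payment.approve"): date(2024, 4, 28),
    ("carol", "erp.invoice.view"):    date(2024, 5, 6),
    ("carol", "hr.legacy.view"):      date(2023, 9, 1),   # stale: legacy system
    ("dave",  "erp.payment.approve"): date(2024, 5, 7),
    ("dave",  "erp.invoice.view"):    date(2024, 5, 7),
}

# Constructed SoD rule: entitlement pairs one person must not hold together.
SOD_RULES = [("erp.invoice.create", "erp.payment.approve")]


def mine_roles(users, activity, today, min_share=0.66, unused_days=90):
    """One role per job title: entitlements held by at least min_share of the
    title's members AND exercised by at least one of them within unused_days.
    Access that nobody uses is dropped at definition time."""
    cutoff = today - timedelta(days=unused_days)
    members_by_title = defaultdict(list)
    for user, (title, _) in users.items():
        members_by_title[title].append(user)
    roles = {}
    for title, members in members_by_title.items():
        held = Counter()
        for m in members:
            held.update(users[m][1])
        role = []
        for ent, n in held.items():
            common = n / len(members) >= min_share
            used = any(activity.get((m, ent), date.min) >= cutoff for m in members)
            if common and used:
                role.append(ent)
        roles[title] = sorted(role)
    return roles


def sod_violations(holdings, rules):
    """holdings: name -> set of entitlements (a user or a role). Returns
    {name: [conflicting pairs]} for every holding containing both halves."""
    found = {}
    for name, ents in holdings.items():
        hits = [pair for pair in rules if pair[0] in ents and pair[1] in ents]
        if hits:
            found[name] = hits
    return found


if __name__ == "__main__":
    roles = mine_roles(USERS, ACTIVITY, today=date(2024, 5, 10))
    print("roles:", roles)
    print("user SoD:", sod_violations({u: e for u, (_, e) in USERS.items()}, SOD_RULES))
    print("role SoD:", sod_violations({t: set(e) for t, e in roles.items()}, SOD_RULES))
```

The legacy HR entitlement is held by two of the three clerks, so a mining pass based on held access alone would have written it into the role; factoring in activity drops it, because the only use is months old. Running the same SoD check over users and over the mined roles answers two different questions: bob holds a conflicting pair today (an intra-application conflict that should be disabled and sent to the business owner), while the roles themselves are clean, so provisioning from them will not reintroduce the conflict.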
Benefits:
Having a broad selection of Identity and Access Analytics use cases provides customers with the assurance that their access and Identity and Access Analytics requirements will be addressed. Confirming that a vendor can support these use cases across on-premises, cloud and hybrid environments, and that it is vendor agnostic, provides the strongest assurance that solution objectives will be achieved.
The overall benefits of Identity and Access Analytics use cases include: