For years the IAM market has been one of reaction and detection. As we look toward the future, our focus should turn to the world of analytics and the ability to predict and respond to governance issues. Access requests should no longer be à la carte, but Amazonesque in the selection. Data mining patterns should reveal users with similar attributes and access, allowing for easy detection of access profiles and suggested, if not automated, remediation of anomalies. We have to move at the speed of now. A quarterly access review that reveals too much elevated access was a great start, but now we need to be able to prevent that access from even accumulating. Governance should be a real-time, 24–7 activity that reacts to user behavior. In my opinion, that’s the true power of analytics. Yes, we can have some fancy charts and interactive reports that make the UX guys do their happy dance, but the real return on analytics is the ability to take immediate, determinable action from the data that is generated by IAM systems. Let’s define a couple of events and dig into them a little deeper, shall we?
What should analytics look like?
So let’s paint a picture of the value that analytics can provide to your identity governance implementation. We’ll look at three categories of statistical behavior:
- Data clustering (the ability to detect like users)
- Weighted search (access requests should be filtered based on patterns in previous requests)
- Automated remediation (removal of anomalous access)
This is by no means an exhaustive list of the functionality that true analytics can bring to your governance program, just a sneak peek into what can be done. So without further ado, let’s dig into it!
One of the fundamental aspects of sorting through information is the ability to apply patterns and classify the data being seen. Since a young age, human beings have been taught to classify information into different categories, as it allows us to quickly distinguish between items. Applying this to the world of identity, the ability to detect patterns amongst your user base will allow you to classify your users based on a number of things such as access, attributes, or a combination of both. Let’s break that down into an example. Let’s say that you’ve got a user base of 10,000 users, and after a run of clustering you see that you’ve got 4 groups of users with similar access entitlements. You can now examine those groups more closely and see what other common attributes these users have besides their access. This can help drive role creation for this set of users or, taking it a step further, dynamic access policies for future users that may fall into this cluster. The key thing here is that an action is taken based on actual data, and as that data changes you can adjust those actions accordingly.
You know when you go to that one website to buy items, and every time you come back it seems like it automatically knows what you’re looking for? Welcome to the world of weighted search! Now let’s apply that to an access request system. You log on to the system and, based on previous users that share your characteristics, you see access that is geared towards you. Perhaps the most requested access in your department is to the financials application, so that’s moved to the top of your list of things to request.
This allows a user’s search to be guided towards the things they will most likely need, moving down the things that aren’t relevant and allowing for requests that are more likely to be approved. Taking it a step further, over time the results of the weighted search will give insight into what access can either be automatically assigned (high request frequency) or removed (low request frequency). Again, the key here is that statistical data is providing the input to make better decisions and to provide deeper insight into how access is being governed in your environment.
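To make the weighted search concrete, here is an added example (not part of the original post) that ranks an access catalog by how often users with the same department and title requested each item, and lists items requested widely enough to consider for automatic assignment. The request history, attribute weights, 0.8 threshold and function names are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data: (user, department, title, entitlement requested).
HISTORY = [
    ("u1", "finance", "analyst", "financials-app"),
    ("u2", "finance", "analyst", "financials-app"),
    ("u3", "finance", "manager", "financials-app"),
    ("u1", "finance", "analyst", "expense-reports"),
    ("u3", "finance", "manager", "payroll-admin"),
    ("u4", "engineering", "developer", "source-control"),
    ("u5", "engineering", "developer", "source-control"),
    ("u4", "engineering", "developer", "build-server"),
    ("u6", "engineering", "manager", "expense-reports"),
]

# Assumed weights: a shared department says more than a shared title.
WEIGHTS = {"department": 2.0, "title": 1.0}


def rank_catalog(department, title, history=HISTORY):
    """Order entitlements by weighted request count among similar users."""
    scores = Counter()
    for _, dept, ttl, ent in history:
        # Each past request contributes the weight of every attribute
        # the past requester shares with the current user (0 if none).
        scores[ent] += (WEIGHTS["department"] * (dept == department)
                        + WEIGHTS["title"] * (ttl == title))
    # Highest score first; ties broken by name so the order is stable.
    return sorted(scores, key=lambda e: (-scores[e], e))


def auto_assign_candidates(department, history=HISTORY, min_rate=0.8):
    """Entitlements requested by at least min_rate of a department's users."""
    users = {u for u, d, _, _ in history if d == department}
    requesters = defaultdict(set)
    for u, d, _, ent in history:
        if d == department:
            requesters[ent].add(u)  # count each user once per entitlement
    return sorted(e for e, who in requesters.items()
                  if len(who) / len(users) >= min_rate)
```

For a finance analyst the financials application comes first, as in the scenario above; entitlements that stay at the bottom of every peer group's ranking are the ones to look at for removal.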
So far we’ve focused mainly on what users have in common. We’ve looked at clustering users based on their access, and we’ve looked at finding similar patterns for access requests. Now we’re going to focus on users that don’t match, or as we’ll call them here, anomalies. We can really look at this as an additional feature that we get from running our clustering example above. With analytics, you can see which users and their access stand out from the crowd. You can apply rules around those outliers to automatically remove access from these users so that they conform with the rest of the group. Taking a slightly more conservative route, you can run a focused certification campaign on just those targeted users to have their managers attest to their access, allowing you to put the focus on the users that pose the biggest risk. Starting to sense a pattern here?
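The clustering and anomaly steps fit together in a few lines. The following is an added example, not part of the original post: it groups users by entitlement overlap (Jaccard similarity with a simple greedy clustering, chosen here for brevity), derives a role candidate per group, and lists the user/entitlement pairs that stand out from their peers. The sample data, thresholds and function names are assumptions.

```python
from collections import Counter

# Constructed sample data: user -> entitlements currently held.
ACCESS = {
    "alice": {"gl-read", "gl-post", "expense"},
    "bob": {"gl-read", "gl-post", "expense"},
    "carol": {"gl-read", "gl-post", "expense", "prod-db-admin"},
    "dave": {"git", "ci", "staging-deploy"},
    "erin": {"git", "ci", "staging-deploy"},
    "frank": {"git", "ci", "staging-deploy", "gl-post"},
    "grace": {"hr-records", "badge-admin"},
}

def jaccard(a, b):
    """Similarity of two entitlement sets: shared / combined."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def cluster_users(access, min_similarity=0.6):
    """Greedy clustering: a user joins the first cluster whose seed (first
    member) is similar enough, otherwise starts a new cluster."""
    clusters = []
    for user in sorted(access):
        for members in clusters:
            if jaccard(access[user], access[members[0]]) >= min_similarity:
                members.append(user)
                break
        else:
            clusters.append([user])
    return clusters

def role_candidate(access, members, min_prevalence=0.9):
    """Entitlements nearly every member holds: a starting point for a role."""
    counts = Counter(e for u in members for e in access[u])
    return {e for e, n in counts.items() if n / len(members) >= min_prevalence}

def find_anomalies(access, clusters, max_prevalence=0.5, min_peers=2):
    """(user, entitlement) pairs to certify or remove. A user with no peers
    is flagged whole, since prevalence within a cluster of one is always 1."""
    findings = []
    for members in clusters:
        counts = Counter(e for u in members for e in access[u])
        for u in members:
            for e in sorted(access[u]):
                rare = counts[e] / len(members) < max_prevalence
                if rare or len(members) < min_peers:
                    findings.append((u, e))
    return findings
```

Passing the output of `cluster_users(ACCESS)` to `find_anomalies` yields the list that can feed either an automatic removal rule or the focused certification campaign described above.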
This just scratches the surface of what can be accomplished by bringing the world of statistical analysis to identity and access governance. “Big Data” has been all the rage in the tech world for some time now, and with good reason. Numbers never lie. The ability to provide factual information in regard to an event is crucial in trying to decipher any problem. It’s an even bigger advantage when trying to determine the next event before it happens. The main objective of any identity and access program is to stop unauthorized access. Period. Will you ever completely stop it from happening? Doubtful, but the more information you have and, more importantly, the more you can do with that information, the better equipped you are to take action.
This blog post is co-published on David’s blog, identityverse.