Want effective identity governance? Here’s what you need to know

If you weren’t a believer before, SailPoint software architect Kelly Grizzle’s Navigate ‘18 talk The Power of Identity Context made you one: the more an organization understands about its users, the more effective its identity governance program will be and the better those users will be served.

Attaining effective identity management isn’t a new topic, Grizzle explained, but it has grown challenging and complex and becomes increasingly so every year. Much of the identity landscape we see today stems back to the late 1990s when many organizations began to automate the provisioning of staff and others to the internal applications and resources they needed to do their jobs. It was a challenge then, but it’s also a challenge today, and one that has grown considerably more complex as the number of data, applications, and online resources users must access has grown exponentially.

But not only have data and applications grown exponentially, but so has the need for identity context, or as Grizzle said in his talk: context is everything.

To show how vital identity context is, Grizzle asked the audience to consider the scourge of Russian bots that have been used to influence public political opinions. These trolls had power, Grizzle said, because they were able to maintain their actual anonymity and pose as American citizens. This power gave them an inordinate amount of influence. If people understood their identities and their motivations, that is if we have their proper identity context, they wouldn’t be an issue. We’d know to ignore them.

Enterprises have the same challenge with their users when it comes to understanding their context: who they are, what their roles are, as well as what resources they need access to fulfill those roles. “We have so much identity context today that it’s almost impossible for a person to make decisions that help to lower risk. They become inundated with so many requests and the complexity of those users has increased so that the cost of managing identity increases,” Grizzle said.

How will enterprises eventually come to manage increasingly complex identity context? With a little help from machine learning and artificial intelligence. “With artificial intelligence, the machine will help you to make those decisions and streamline identity governance processes,” he said.

Artificial intelligence can help enterprises to understand identity context better and share it among systems so that they can make smarter decisions, and you can also have all the other systems in your environment send data to IdentityAI to make identity context richer. “This will help lower cost, rationalize access levels to where they should be, and reduce risk,” Grizzle said.

Today, too many of these processes are manual and cumbersome. With the right information, artificial intelligence can help with the right data around users — such as who they are, their role, how long they’ve worked in that role, and other factors. Enterprises can use artificial intelligence and machine learning to help make effective decisions and expedite that approval processes.

But identities need to be integrated right, and for that Grizzle formulated the guidance to master identity context:

Never throw data away — artificial intelligence and machine learning need data and lots of it. And historical data is important to make smart decisions

Enrich identity context with your ecosystem (context in) — Other systems in an IT infrastructure produce valuable data events that show identity behavior as well as additional information (context) about the identity

Feed context back out into your ecosystem (context out) — This is either raw or enhanced information. Raw information is static information about the identity and its behavior. Enhanced information is insights derived from applying artificial intelligence.

Automate whenever possible — The enhanced identity information (context) can be used to automate or provide recommendations to other systems in your IT ecosystem. These will lower cost by making your processes more efficient and lower risk by helping to identify anomalies and improve the signal for analysis by filtering out non-risky things.

To show how these each build on each other, Grizzle shared what he called The Predictive Governance Pyramid.

At the bottom of that pyramid is context sharing. Context sharing is building identity context from the information shared regarding the nature of the infrastructure, identities, and their usage.

The next step is identity managers learning to trust the machine learning algorithms over time and as the machines learn the similarities between users, their levels of access, and their comprehensive “identity context.” Eventually, when the system sees a new user who was authorized access, it can provide recommendations on additional approvals that type of user typically gets. This will typically be for low-risk types of access. “An approver can start to see the suggestions that machine is making and get comfortable with the level of information it’s giving,” he said.

Once the identity manager trusts the feedback from the artificial intelligence, that’s when the magic can begin to happen and high levels of automation can be achieved.

How would that automation work? Each request for access could be scored on a risk scale. In the risk scale, zero could represent no risk while 100 would represent the maximum level of risk possible. “The organization could establish policies that set any score below a ten could automatically be approved, while anything with an 80 or higher would be automatically rejected,” he said.

This would reduce the access requests that required human decision making to the moderately risked requests. Grizzle says this is an important time in identity, and a perfect time for this kind of machine intelligence. “The number of identities and permissions that need to be managed makes it hard to improve access, cut costs, and reduce risk without machine learning. There’s so much going on you just can’t rely on humans to do it,” he said.