Managing access can be quite a daunting task in mid-to-large-sized enterprises. Having a good answer to “Who should have access to what?” is not easy, to say the least. With a myriad of existing applications, accounts, file systems, etc. that keep growing all the time, and with a dynamic workforce, e.g., new hires, joint collaborations, promotions, relocations, etc., awarding the right access to the right identity can be a messy ordeal. An accurate assessment of the access structure makes all the difference when it comes to compliance. Maintaining a high level of compliance with ever-evolving laws and regulations, not to mention internal audit policies, can be quite challenging, as they add yet another layer of complexity to an already tough problem.
Role mining? Is that a new cryptocurrency?
That’s precisely why we turn to the concept of “Roles” to keep our sanity. Simply put, and in an abstract sense, we could think of a role as a label that we attach to an identifiable access pattern. There are two main approaches to how these labels are generated and utilized in access governance. Role engineers most commonly start out creating attribute-based functional “business roles.” Although these roles make perfect sense as a starting point, they are slow to evolve to match the highly dynamic nature of the ever-growing access ecosystem.
The second approach relies instead on the discovery of the existing access patterns, labeling them as “IT roles.” This process is typically referred to as “role mining.” While it is more dynamic than the former approach, it comes up short in supporting compliance and audit requirements, as it cannot validate access based on business involvement. To remedy this, some companies go through the additional process of “role mapping” or “role assignment” to map the “IT roles” back to the corresponding “Business roles.” This process is highly resource-consuming, as it has to be performed on a regular basis to keep up with the dynamic evolution of access in the enterprise.
If you’re role-engineering and accumulating a lot of complex rules and roles, you can probably do better. Enterprise-scale IAM systems are highly dynamic, with new and existing entities shifting through time. The lack of a clear view of the access structure makes role engineering work tedious and short-lived. Not to mention having to deal with challenges such as inaccurate access validation due to reckless, widespread approvals, or entitlement inflation caused by outdated permissions lingering over time.
In our view, any reasonably effective solution to the access management problem has to view it as a dynamically evolving complex system balancing both approaches. In layman’s terms, it’s like a chicken-and-egg scenario but with the hustle and bustle of day-to-day business that keeps changing the rules of the game. While a clear business role assignment would make perfect sense for a new joiner, the clarity easily dissipates as more and more access entitlements are added for employees to perform their duties and boost productivity.
In governance, your peers define you!
Identity governance is predicated on the principle that strongly similar identities should be awarded the same access. In other words, your access profile should not differ much from your peers’. The key observation here is that ‘Peer’ relationships are not very dissimilar from the ‘Friend’ relationships found in common social networks today. Identity governance can then be represented via a social data structure similar to a network of friends sharing common interests. Identities, their attributes, and associated access patterns can then be analyzed and modeled by a powerful and versatile graph data structure where we can easily track, map, and manage the dynamic relationships between these entities as they evolve.
Found my role yet?
With a proper choice of an identity-to-identity similarity measure, e.g., based on the similarity of access entitlements, we could construct the ‘identity graph.’ Nodes of the graph represent identities, with connections representing a strong-similarity relationship. In this setup, access modeling for a scoped population of identities (e.g., identities with job title “analyst”) becomes a matter of identifying the densely connected communities of the scoped identity graph. With a plethora of graph algorithms for community detection and graph analytics in general, this problem is much easier to solve. This approach not only enables the automation of one of the most resource-consuming problems in identity governance today, but it also provides us with an elegant, scalable, and dynamic solution to the ‘chicken-egg’ problem, yielding the best of both the ‘Business roles’ and ‘IT roles’ worlds.
Could I have this role, or should I?
Our new approach can help companies without prior role definitions quickly establish, and then dynamically and accurately model, the evolving access system in the enterprise. Companies with existing role definitions can additionally benefit by being able to validate newly mined roles with respect to the existing role structure. A role graph can be constructed by leveraging the same approach utilized to construct the identity graph. The ‘role graph’ is a great way to represent the true state of the access management system in the enterprise. By providing quantifiable responses to questions like “How similar is the new role to existing ones?” and “Is the new role part of, or a generalization of, existing role(s)?”, this approach leaves no stone unturned in its assessment of the enterprise-wide role structure. Even more, it yields significant savings of time and money, as it renders frequent, labor-intensive role engineering do-overs a thing of the past.
This assessment allows us to validate the entire role structure, identify issues, and recommend the proper action accordingly. Highly similar roles may end up being consolidated into fewer, better-defined roles, thus eliminating redundant legacy roles and trimming down individuals’ access to the proper level. A “role recommender” could suggest the most appropriate roles for the identities whose access profiles are strongly similar to these roles. Moreover, identities whose access profiles are not strongly similar to any existing role could be easily identified, and proper action can be recommended, e.g., triggering a role mining action alert.
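The identity-graph pipeline described in the two sections above (similarity measure, strong-similarity edges, community detection, mined IT roles, a role recommender and an alert for identities with no similar role), as an added example that is not SailPoint’s code. It assumes Jaccard similarity of entitlement sets as the similarity measure, a 0.5 threshold, connected components as a stand-in for a real community-detection algorithm, and the constructed identities and entitlements shown in the code.

```python
# Added example (not SailPoint's code): mine "IT roles" from an identity graph
# built on entitlement similarity, then recommend roles and flag outliers.
from itertools import combinations
ACCESS = {  # constructed sample data: identity -> set of access entitlements
    "alice": {"crm_read", "crm_write", "reports"},
    "bob":   {"crm_read", "crm_write", "reports", "vpn"},
    "carol": {"crm_read", "reports"},
    "dave":  {"git_push", "ci_admin", "vpn"},
    "erin":  {"git_push", "ci_admin"},
    "frank": {"hr_payroll", "vpn"},  # no strong peer: should be flagged
}

def jaccard(a, b):
    """Identity-to-identity similarity: overlap of two entitlement sets."""
    return len(a & b) / len(a | b) if a | b else 0.0

def identity_graph(access, threshold):
    """Nodes are identities; an edge means the pair is strongly similar."""
    adj = {i: set() for i in access}
    for u, v in combinations(access, 2):
        if jaccard(access[u], access[v]) >= threshold:
            adj[u].add(v); adj[v].add(u)
    return adj

def communities(adj):
    """Connected components stand in for a real community-detection step."""
    parent = {n: n for n in adj}  # union-find over the identity graph
    def find(n):
        while parent[n] != n: n = parent[n]
        return n
    for u in adj:
        for v in adj[u]:
            parent[find(v)] = find(u)
    roots = dict.fromkeys(find(n) for n in adj)  # ordered, unique roots
    return [frozenset(n for n in adj if find(n) == r) for r in roots]

def mine_roles(access, threshold=0.5, min_size=2):
    """An IT role is the entitlement set shared by every member of a community."""
    roles = {}
    for comm in communities(identity_graph(access, threshold)):
        if len(comm) >= min_size:
            roles[f"role_{len(roles)}"] = frozenset.intersection(*(frozenset(access[i]) for i in comm))
    return roles

def recommend(access, roles, threshold=0.5):
    """Role recommender: closest role per identity, or None (role-mining alert)."""
    rec = {}
    for ident, ents in access.items():
        best = max(roles, key=lambda r: jaccard(ents, roles[r]), default=None)
        rec[ident] = best if best and jaccard(ents, roles[best]) >= threshold else None
    return rec
```

With the sample data, `mine_roles(ACCESS)` yields two roles (a CRM/reports role and a git/CI role), and `recommend` maps every identity except `frank` to one of them; `frank` gets `None`, the trigger for a role-mining alert.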
It also allows us to construct a compliance early warning system to issue alerts when certain role-based policies have been violated.
By utilizing time stamps for access-related events, we gain the ability to observe how these roles have changed in composition, as well as the identity attributes and/or entitlements that triggered the change. This not only provides a live replay button for a predictive and proactive governance system but also enables the interpretation of access history events, which can be a valuable resource for audit purposes.
The dawn of a new age!
The network graph approach is a game changer for identity governance applications. In addition to enabling the automation and scalability of solutions for some of the most challenging problems in identity governance today, it also provides us with a simple and elegant data structure that can be heavily utilized for further AI & Machine Learning applications. Graphs are but one useful data structure; this is the first step towards a more predictive, cognitive future of identity governance. By adopting and developing state-of-the-art solutions into current products, SailPoint maintains its position at the forefront, leading towards a smarter, AI-powered IGA future.
Since this blog was published, SailPoint’s “System and Method for Peer Group Detection, Visualization and Analysis in Identity Management Artificial Intelligence Systems Using Cluster-Based Analysis of Network Identity Graphs” patent was granted. See the patent technology here.