Finding the Needle in the Needlestack: Moving Towards a Smarter Risk Detection, Modeling & Assessment

What is risk? Risk is a nebulous concept, albeit a highly intuitive one, or perhaps simply too generic a term. The thing about risk is that to develop effective tools to deal with or mitigate its ill effects, one typically requires highly non-trivial and specific details. For example, the risk from a looming epidemic needs no introduction, but for epidemiologists to create accurate predictive models and recommend a proper course of action, it makes a night-and-day difference to know certain specifics about the pathogen: Is it airborne? Is it drug-resistant? Do vaccines exist, and are they available? Which populations are most susceptible? What is the incubation period? And so on.

Even when restricted to the realm of access governance and administration, risk is still not all that clear. Risk to a hedge fund or financial-services company could be quite different from that of a health-services or insurance company. Moreover, the accurate modeling of risk relies heavily on what’s at stake in terms of policies, regulations, access patterns, access points (applications, file systems, tokens, assets, etc.), plausible threats, and several other potential liabilities. It is then reasonable to believe that creating exhaustive risk models that could accurately predict and prioritize different types of access-governance threats across multiple industries is not an immediate or easy task.

On the other hand, for most customers, the main concern in this regard is how to make access governance more secure while maintaining a high degree of transparency to support future audit processes. While risk modeling is one way to achieve such a goal, there are more straightforward and far more immediate approaches that will not only help identify and mitigate risk in access governance but could also provide us with the necessary knowledge to develop universal risk models.

In identity governance, your peers define you!

Identity governance is predicated on the principle that strongly similar identities should be awarded similar access. In other words, your access profile should not differ much from that of your peers. Consequently, identities whose access patterns are dramatically and unjustifiably different from their peers’ should be considered a source of risk.

Consider the case of Jane D., a senior analyst at Acme Corp for 10+ years. During this time, Jane has collaborated with countless teams on joint projects. Throughout the years, she has accumulated hundreds of access entitlements. As a result, her entitlement peers are VP-level executives. Now, what’s wrong with this scenario? The issue is that Jane, albeit a highly active & effective employee, does not receive any of the security training or oversight that a VP-level individual typically goes through. Moreover, if any of Jane’s accounts is compromised, the damage might be hard to contain. This situation is an example of an access ‘anomaly.’ Identifying all such anomalies and recommending a proper action, e.g., triggering a special certification event, revoking unutilized access, role assessment, etc., will improve security by mitigating the risks posed by these anomalous identities.

One person’s signal is another person’s noise. The lack of a broad perspective and comprehensive view makes organizations vulnerable to threats that are impossible to detect with traditional filter-and-join techniques. So how could we identify these anomalous identities? Well, to find anomalies, we first need to define what is normal. Access analytics on raw data might help but can only go so far. A faithful representation of the access ecosystem featuring an entitlement-similarity measure, or ‘peer’ relationships, would provide the necessary data structure for this use case.

The key observation here is that ‘Peer’ relationships are not very different from the ‘Friend’ relationships found in common social networks today. Identity governance can then be represented via a social data structure similar to a network of friends sharing common interests. Identities, their attributes, and associated access patterns can then be analyzed and modeled by a powerful and versatile graph data structure where we can easily track, map, and manage the dynamic relationships between these entities as they evolve.

With a proper choice of an identity-to-identity similarity measure, e.g., based on the similarity of access entitlements, we could construct the ‘identity graph.’ Nodes of the graph represent identities with connections representing strong-similarity relationships. The identity graph not only provides the perfect data structure for this use case, but graph analytics algorithms will provide us with the necessary tools to define & identify anomalous identities as outliers. In this setup, outlier identities are the ones with extreme values for a particular graph analytic.

The 99 flavors of outliers in IGA

With the network graph data model, several types of outlier identities can be identified. To list a few: singleton identities are represented by isolated nodes of the identity graph, the result of extremely low similarity to every other identity, either globally or within a particular department, location, title, etc. Structural outliers, on the other hand, are identities whose entitlements, and hence their strong-similarity connections, put them in special locations on the graph where they could unjustifiably serve as major influencers, e.g., causing the spread of privileged access.
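The following is an added example, not SailPoint’s code, that ties together the Jane D. scenario, the identity graph built from entitlement similarity, and the two outlier types above. It uses a constructed set of hypothetical identities (names, job levels and entitlements are made up), Jaccard similarity of entitlement sets as the peer measure, and articulation points (nodes whose removal disconnects the graph) as one concrete choice of “structural” graph analytic.

```python
from itertools import combinations
# Constructed sample (hypothetical identities, not data from the post): name -> (job level, entitlements)
IDENTITIES = {
    "jane.d":     ("Analyst", {"ledger", "payroll_approve", "m&a_docs", "exec_comp", "board_minutes", "reports", "jira"}),
    "vp_finance": ("VP", {"ledger", "payroll_approve", "m&a_docs", "exec_comp", "board_minutes"}),
    "vp_ops":     ("VP", {"ledger", "payroll_approve", "m&a_docs", "exec_comp", "board_minutes", "trading_desk"}),
    "analyst_1":  ("Analyst", {"ledger", "reports", "jira", "wiki"}),
    "analyst_2":  ("Analyst", {"ledger", "reports", "jira"}),
    "analyst_3":  ("Analyst", {"reports", "jira", "wiki"}),
    "analyst_4":  ("Analyst", {"ledger", "reports", "jira", "payroll_approve", "m&a_docs"}),
    "contractor": ("Contractor", {"legacy_ftp"}),
}

def jaccard(a, b):
    """Entitlement similarity |A ∩ B| / |A ∪ B| between two identities."""
    return len(a & b) / len(a | b) if a or b else 0.0

def build_identity_graph(identities, threshold=0.5):
    """Undirected peer graph: an edge joins identities whose similarity >= threshold."""
    adj = {name: set() for name in identities}
    for u, v in combinations(identities, 2):
        if jaccard(identities[u][1], identities[v][1]) >= threshold:
            adj[u].add(v)
            adj[v].add(u)
    return adj

def singletons(adj):
    """Isolated nodes: identities with no sufficiently similar peer anywhere."""
    return sorted(n for n, peers in adj.items() if not peers)

def peer_level_mismatches(adj, identities):
    """The Jane D. case: fewer than half of an identity's peers share its job level."""
    return sorted(n for n, peers in adj.items() if peers and
                  sum(identities[p][0] == identities[n][0] for p in peers) / len(peers) < 0.5)

def _component_count(adj, skip=None):
    seen, count = {skip}, 0          # pre-seeding `seen` removes `skip` from the graph
    for start in adj:
        if start not in seen:
            count += 1
            stack = [start]
            while stack:
                n = stack.pop()
                if n not in seen:
                    seen.add(n)
                    stack.extend(adj[n])
    return count

def structural_outliers(adj):
    """Articulation points: removing them splits the graph, so privilege can spread through them."""
    base = _component_count(adj)
    return sorted(n for n, peers in adj.items() if peers and _component_count(adj, n) > base)
```

On this sample the contractor is a singleton, Jane is flagged because her peers are mostly VPs, and Jane plus analyst_4 are the bridges through which VP-level entitlements leak into the analyst group.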

But why stop at identities? With the help of entitlement and role graphs, which can be constructed in a similar fashion, we could identify outlier entitlements or roles. For example, singleton entitlements correspond to entitlements that are not concurrently assigned with others as part of a role or a common access pattern. Roles that are densely congregated indicate extremely high similarity that may warrant a role-consolidation recommendation.

Our network graph approach lays the foundation for an outlier detection & management engine that allows the user to proactively discover & prioritize vulnerabilities of access management systems. At the same time, it enables an autonomous, intelligent decision-support recommender to advise on proper actions. These tools will be query-enabled to maintain a high degree of transparency with the user and support any future audit inquiries.

The future is AI-powered

Anomaly & outlier detection is only the beginning. It’s one step for compliance, a giant leap towards universal risk modeling. Our network graph approach provides the necessary data structure to define, identify, and prioritize several types of access-centric risks within the enterprise. It paves the way for intelligent recommenders to provide & automate the most appropriate actions and does that in a completely transparent fashion. This is the first step towards a more predictive, cognitive future of identity governance. By adopting and developing state-of-the-art solutions into current products, SailPoint maintains its position at the forefront, leading towards a smarter, AI-powered, IGA future.

Since this blog was published, SailPoint’s “System and Method for Peer Group Detection, Visualization and Analysis in Identity Management Artificial Intelligence Systems Using Cluster-Based Analysis of Network Identity Graphs” patent was granted. See the patent technology here.