How Identity and Access Intelligence Maximizes Identity and Access Management
Forward-thinking organizations will use identity and access intelligence to extract actionable insights from the IAM process and place them in the hands of business managers.
By Bob Glithero, Vice President of Business Intelligence, Veriphyr, Inc.
Organizations implementing identity and access management (IAM) solutions are looking for a shorter path to business value and improved return on investment (ROI) from their investment. Identity and access intelligence (IAI) describes an emerging category of applications that mine identity, rights, and activity data for intelligence that is useful to the operation of the business, as well as to the deployment of an IAM system. It can accelerate IAM, and once IAM is in production, serve as an analytical layer that augments IAM.
What is new about IAI is its focus on the needs of the business manager. It assumes that business line managers, not IT personnel, have the best knowledge of what resources their direct reports should or should not be accessing, when they should be accessing it, and the level of resource utilization that’s appropriate. IAI informs the IAM process in a way that provides rapid value to business managers, generates the buy-in from business stakeholders that is needed for a successful project implementation, and improves ROI from the IAM investment.
IAI is both a process and an output. IAI uses an analytical process to discover user rights and activity patterns hidden in directory, application, system, and network data. The data can be sourced either directly from an IAM system or from directory, application, and activity stores if IAM is not implemented. The output of the analysis provides insight into user behavior patterns delivered in a format that business managers can easily understand and use to improve decisions about business processes, asset utilization, and security.
In general terms, the IAI process consists of four steps:
- Data extraction: Data from identified input sources are read in to the IAI system. Identities, rights, and activities are aggregated.
- Data normalization: Input sources typically store and organize data in varied formats. Some data may be missing or incomplete.
- Analytical processing and enhancement: Identities are correlated across disparate systems and applications, and identities are mapped to rights, resources, and activities.
- Output: Data can be exported to other systems for additional processing or displayed in reports for manager review.
Use Cases for IAI
The initial use cases for IAI occur in two areas: IAM operations and compliance and security. IAM operations provides most of the initial data into IAI. The hidden undercurrent of activity captured by IAM and fed into IAI provides insight into how the business actually runs, whereas the initial IAM implementation depends on managers’ assumptions about how the business runs.
Much useful data is already being collected by the enterprise in its directories and application event logs. The challenge is to extract useful information, particularly from custom applications that were not primarily designed for ease of information sharing. IAI technology is now available to automate extraction of data from disparate identity, rights, and activity stores and correlate identity, rights, and user activity. Moreover, IAI can extract usable data and provide useful insights to improve the IAM process, even when formal IAM application deployment is incomplete.
A basic question that arises at the inception of IAM deployment is, “What should be the end state of user identities and rights after deployment, versus where the organization is today?”
Even before an IAM roll out, IAI technologies that query identity, rights, and activity stores can provide a baseline view of user identity, rights, and activity, pinpointing privileges and access that should be cleaned up. This enables a new approach to the IAM project: policy audit and validation before policy enforcement. By highlighting problem access policies and user activity, IAI provides a quick win for the IAM team and its executive sponsors. This approach builds confidence in the IAM project until the provisioning elements are activated and policy enforcement begins.
The benefits of IAI continue throughout the life cycle of the project. IAI can be used to validate the IAM implementation as work progresses; IAI can also be used to accelerate deployment. Identity and rights cleanup can represent up to 60 percent of the initial effort of IAM implementation. The time and effort needed to clean up legacy identity and entitlements data, particularly when there is no common identifier across systems, is a major obstacle to timely deployment. Easing identity and rights clean-up reduces project risk and accelerates implementation. Well-designed IAI technology can be used to:
- Read data from multiple formats, even if the data is incomplete, damaged, or unorganized
- Correlate multiple user IDs to a single identity, even if there is no common identifier
- Discover dormant and orphaned accounts, excessive rights, and obsolete roles
Finally, the burden of enabling role-based access control can be eased with automated role discovery, which IAI enables based on combining and analyzing rights and activity. Adding user activity to the analysis allows the discovery roles based on what people actually do, as opposed to role mining from a collection of static rights.
Compliance and Security
IAI naturally lends itself to identifying unauthorized user access to applications and systems, identifying user privilege creep (the tendency of users to accrue excess privileges over time), and behavioral fingerprinting (the ability to track access to applications based on identity and behavior, not on network attributes). Behavioral fingerprints (e.g., correlation of time and order of system and application access) are harder to spoof than network attributes. Unusual behaviors provide an early warning of security problems.
For example, a user who suddenly accesses systems outside of his or her normal patterns can signal the presence of an intruder, a compromised password, or a privilege escalation attack. Behavior fingerprinting of multiple users can improve the ability to see fraud “chains” -- group activity patterns that appear suspicious even though individual activity might not raise an alarm.
Benchmarking Against Key Performance Indicators
IAI output can be used to benchmark IAM performance against historical norms. If IAI is delivered by a hosted provider with aggregated and anonymized data, the analysis can be extended to include industry peers or other targets. Some measures of IAM effectiveness that can be benchmarked include the number of dormant accounts (active accounts that are not accessed), the number of orphan accounts (active accounts found in applications that do not exist in a directory or identity store), the number of active accounts for terminated users, the number of shared accounts, average time to terminate user accounts, average time to provision accounts for role changes, and percentage of users with inappropriate rights to sensitive applications.
Benchmarking can also incorporate measures of resource utilization that are interesting from the perspective of cost management (e.g., number of excess software licenses), or productivity management (patterns of system or application usage by remote workers).
Customer Activity Trends
For organizations that incorporate customer-facing systems into IAI, data can be used to explore the relationships between customers and the data they access to identify opportunities for up-selling and cross-selling, or to identify opportunities for service improvement.
Forward-thinking organizations will use identity and access intelligence to extract actionable insights from the IAM process and place it in the hands of business managers. Those that do will reap significant and lasting benefits, including a shorter path to business value and improved ROI from IAM, improved user access compliance, better benchmarking of key performance indicators in IAM, and deeper engagement from business stakeholders outside the IT department.
Bob Glithero is vice president of business intelligence for Veriphyr, Inc., a provider of identity and access intelligence solutions. You can contact the author at email@example.com