In-Depth
IAI: Big Data Analytics for Data Security
IAI is a new approach to the problem of identifying unauthorized user behavior that augments other types of security products and processes. Here's how it works.
By Bob Glithero
Search for the expression, "identity management failure," and you will find no shortage of opinions about why multi-million dollar identity provisioning and audit projects go bad. What identity management (IdM) professionals and their executive sponsors often fail to grasp is that their access control models are working against them.
Without good information about users, identities, and activity in the enterprise, managers and developers are forced to make assumptions about users, what they do, and what they should do. These assumptions almost always fail to capture the actual needs of users and the state of enterprise user activity. The result is IdM projects that bog down -- as identities are defined and re-defined, and policy rules expanded -- when new user behaviors are uncovered. The result is a waste of both time and money and gaps in access control that lead to data breaches.
Identity Access Intelligence (IAI) is an innovation in data modeling and analysis that uncovers the true relationships between users, identities, rights, and enterprise resources. With IAI, managers and executives can have an accurate view of actual user activity and a better sense of where policy violations are occurring. The application of IAI techniques leads to better design of access policy, less time spent investigating false positives, and properly prioritized access risks.
Why IAI?
Existing methods of discovering policy violations use models of relationships between subjects (users) and objects (resources) based on static roles or rules. These usually fire an alert if a particular subject-object combination violates a condition (typically expressed as SQL).
For example, there might be a basic rule that allows a user access to a resource, a file, or a record. However, an access policy developer may not account for environmental or situational parameters, such as time and location. Access to a sensitive system during normal business hours may look legitimate. What if the user is trying to get access to the same system at 3 A.M., or from 3,000 miles away? Is this legitimate or illegitimate behavior? The user could be working late or traveling, or someone may have compromised the account.
An employee may not even have a single identity or role, but rather several in an enterprise: employee, customer, beneficiary, and debtor, for example. These identities may not be linked in the enterprise's databases. Depending on the identity in use, is access to a given system or set of data appropriate? Manually modeling all of these types of scenarios is tedious.
Users are what they do, not what an programmed access model defines. Static rules are blind to behavior. They don't account for the dynamic nature of enterprise activity and the need for operational flexibility. It's possible to write exceptions, but multiply exceptions across geographies, users, and resources and the result is a tangle of policy logic that needs ever-increasing levels of manual maintenance -- exactly what executives were trying to avoid by buying identity management automation.
By contrast, IAI methods use learning algorithms and automated heuristics to discover and reveal the actual hidden underlying structure of relationships among users and resources. The source material for this analysis is raw, unmodified data about user identities, rights, and activity from extracts of directories, identity management products, HR systems, access control lists, and activity logs.
Access patterns of a particular user can be evaluated against a derived enterprise access structure, even if the underlying structure changes over time. For example, IAI can examine a particular type of access and evaluate this against past behavior, that of others who access the same system, or whatever behavioral fingerprinting is relevant -- even pathway analysis, the timing and order of a user's system, file, or record access -- to determine if an access exception has occurred.
By examining an entire system of relationships as a whole and discovering previously unknown relationships between users and the resources they access, IAI automates and accelerates the discovery of problem access and security violations.
Identifying User-Resource Relationships is the Key
Enterprises create volumes of user activity data which are the cross-products of organizational units, identities, resources, roles or rules, and rule exceptions. Identity management (IdM) professionals need an efficient strategy for determining how data relationships should be modeled in access control. Savvy IdM personnel know they only have limited insight into each user's operational context in the enterprise. They may also have only partial visibility of which data attributes are needed for productive analysis and whether the attributes vary over time.
Many enterprises try to cope with the problem of missing operational context though an ongoing patchwork of ad hoc rule gathering as context is discovered. However, this practice is vulnerable to the creation of inconsistent or even conflicting access control rules within different organizational units. The result of this patchwork is defective access policies, gaps in access control, and ultimately data access violations.
Modeling Actual User Behavior is Hard
The non-IAI approach further degrades when the enterprise has scenarios requiring users to have conditional or situational access. The legitimate access needs of users evolve and vary over time. Some roles and relationships are temporary, and others permanent. Sometimes allowable access depends on environmental factors or the state of a given resource. In typical identity- management and audit applications, conditional access is addressed by coding exceptions to roles or policy rules.
Unfortunately, exceptions have a multiplicative effect on the number of roles or rule sets needed to describe the access control system. In a large enterprise, maintenance of roles, rules, and exceptions, and the need to frequently generate new ones, quickly becomes awkward. For example, in a hospital, as patients move from one unit to another in the care work flow, the roster of doctors and nurses allowed to access medical records changes. Moreover, floaters who share time between departments can be difficult to model. QA nurses look at selected records of patients, and their access patterns can look like unauthorized access.
IAI Reveals Actual Data Relationships
IAI improves access control design and execution by reducing the chance that undiscovered or overlooked subject and object relationships will lead to breaches of user access control. From an IAI perspective, a user is what she does. Her revealed behavior, not assumptions about her role, is central to effective access control.
True IAI doesn't view users, rights, and resources independently. Using big-data technologies such as distributed, schema-less databases and machine intelligence, IAI analyzes existing and emergent user attributes from enterprise identity, rights, and access data to discover relationships between users and resources. The subject-object relationship itself is the unit of analysis in IAI, which derives the entire state of enterprise user access and pinpoints outliers from the normal state.
From the IAI data reduction, a user's relationships to resources can be compared with those of other users or with the user's own at a different point in time. IAI goes beyond simple binary answers; it determines the degree of similarity or difference between a user's behavior and that of her cohort. Behavior that's unusual, whether it resembles that of users with different job roles or of no other user, will stand out.
The output of IAI-based analysis provides insights that guide the IdM process efficiently: was the user originally assigned permissions inconsistent with job requirements, or do her access rights need adjustment because of new job responsibilities? Does she float between departments? Does she need exceptions to certain access rules or does her behavior indicate a need for a new role or rule? These types of insights help architects, managers, and executives to better target the roles or rules they need for effective access control.
Conclusion
IAI is a new approach to the problem of identifying unauthorized user behavior that augments other types of security products and processes. It gives security professionals more targeted information about logical access control across the enterprise than they get from existing data aggregation and identity management tools, so they can pinpoint their assets on problem areas. The result is better access control with less wasted time.
[Editor's note: For more about IAI, see Bob's previous ESJ article, How Identity and Access Intelligence Maximizes Identity and Access Management.]
Bob Glithero is vice president of business intelligence for Veriphyr, Inc.,
a provider of identity and access intelligence solutions. You can contact
the author at bglithero@veriphyr.com.