KuppingerCole Analysts' View on IAM 3.0/4.0



Different, better and compliant – Business-orientated Access Governance

Matthias Reinwarth

Identity Management and Access Management are on their way into the first line of defence when it comes to enterprise security. With changing architecture paradigms and with the identity of people, things and services being at the core of upcoming security concepts, maintaining identity and Access Governance is increasingly becoming a key discipline of IT security. This is true for traditional Access Governance within the enterprise and this will become even more true for the digital business and the identities of customers, consumers, partners and devices.

Many organizations have already established Access Governance processes as a toolset for achieving compliance with regulatory requirements and for mitigating access-related risks on a regular basis. Identity and Access Management (IAM) processes accompany every identity through its complete life cycle within an organisation: the management of corporate identities and their access to resources is the combination of both IAM technology and the application of well-defined processes and policies. Traditional ways of adding Access Governance to these processes include the implementation of well-defined access request and approval workflows, the scheduled execution of recertification programs and the analysis of assigned access rights for violations of Segregation of Duties (SoD) requirements.

While the initial cause for creating such a program is typically the need to be compliant with regulatory requirements, mature organisations realize that fulfilling such requirements is also a business need and a fundamental general benefit. The design and implementation of a well-thought-out, dynamic, efficient, flexible and swift identity and access management is the foundation layer for an efficient and proactive Access Governance system.

This requires appropriate concepts for both management processes and entitlement concepts: Lean and efficient roles lead to simplified assignment rules. Intelligent approval processes, including pre-approvals as the default for many entitlements, reduce manual approval work and allow for easier certification. Embedding business know-how within the actual entitlement definition allows for the specification of more and more processes in such a way that they no longer require any administrative or business interaction.

Aiming at defining and implementing automatable access assignment and revocation processes in fact reduces the need for various Access Governance processes. Once the processes are designed in a manner that they prevent the assignment of undesirable entitlements to identities and that they make sure that entitlements no longer needed are revoked from identities, they make many checks and controls obsolete. On the other hand, the immediate and automated assignment of entitlements whenever required fulfils business requirements by making people effective and efficient from day one. Subsequent business process changes, and thus changes in job descriptions and their required access rights, can be propagated automatically without further manual steps.

Applying risk assessments to each individual entitlement is a crucial prerequisite when it comes to analysing assigned access. Once all access is understood regarding its criticality, a risk-orientated approach towards recertification (i.e. high-risk entitlements more often and faster) can be chosen, and time-based assignment of critical entitlements can be enforced by default.

Well-defined access management and Identity Management life cycle processes can help to ease the burden of the actual Access Governance exercises. Before looking into further, often costly and tedious measures, redesigning and rethinking assignment and revocation processes in an intelligent manner within a lean entitlement model might help in improving efficiency and gaining security.



Adaptive Policy-based Access Management (APAM)

Graham Williamson

Attribute-based Access Control (ABAC) has been with us for many years; it embodies a wide range of systems that control access to protected resources based on attributes of the requesting party. As the field has developed there are three characteristics that are most desirable in an ABAC system:

  • it should externalise decision making, i.e. not require applications to maintain their own access control logic
  • it should be adaptive, i.e. decisions are made in real-time
  • it should be policy-based, i.e. access permissions should be determined after evaluation of policies
  • it should be more than just control, i.e. user access should “manage” user’s access control.

Most access control environments today are role-based. Users are granted access to applications based on their position within an organisation. For instance, department managers within a company might get access to the HR system for their department. When a new department manager joins the organisation they can be automatically provisioned to the HR system based on their role. Most organisations use Active Directory groups to manage roles within an organisation. If you’re in the “Fire Warden” group you get access to the fire alarm system. One of the problems with role-based systems is that the access control decisions are coarse-grained: you’re either a department manager or you’re not. RBAC systems are also quite static: group memberships will typically be updated once a day or, worse still, require manual intervention to add and remove members. Whenever access control depends upon a person to make an entry in a control list, inefficiencies result and errors occur.

Attribute-based systems have several advantages: decisions are externalised to dedicated infrastructure that performs the policy evaluation. Decisions are more fine-grained: if a user is a department manager, an APAM system can also check the user’s department code and so decide, for instance, whether or not to give them access to the Financial Management system. It can check whether or not they are using their registered smartphone; it can determine the time of day, in order to make decisions that reduce the risk associated with an access request. Such systems are usually managed via a set of policies that allow business units to determine, for instance, whether or not they want to allow access from a smartphone, and if they do, to elevate the authorisation level by using a two-factor mechanism. The benefits are obvious: no longer are we dependent upon someone in IT to update an Active Directory group, and more sophisticated decisions are possible. APAM systems are also real-time. As soon as HR updates a person’s position, their permissions are modified. The very next access request will be evaluated against the same policy set but the new attributes will return a different decision.
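
The decision flow described above, sketched as a minimal externalised policy decision point. This is an added example, not code from the article or from any product; the policy layout, attribute names and the `PERMIT_WITH_2FA` outcome are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass
class Request:
    user: dict               # subject attributes as the identity store holds them now
    resource: str
    is_smartphone: bool
    device_registered: bool
    at: time                 # time of day of the access request

# Constructed policy set; in the model above it is owned by the business unit.
POLICIES = {
    "financial-management": {
        "position": "department_manager",
        "department_codes": {"FIN"},
        "hours": (time(7, 0), time(19, 0)),
        "allow_smartphone": True,    # business decision, with step-up to 2FA
    },
}

def decide(req):
    """Evaluate one request against the policy set at request time."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return "DENY"                # default deny: no policy, no access
    if req.user.get("position") != policy["position"]:
        return "DENY"
    if req.user.get("department_code") not in policy["department_codes"]:
        return "DENY"
    start, end = policy["hours"]
    if not (start <= req.at <= end):
        return "DENY"
    if req.is_smartphone:
        if not policy["allow_smartphone"] or not req.device_registered:
            return "DENY"
        return "PERMIT_WITH_2FA"     # elevate the authorisation level
    return "PERMIT"

def demo():
    """Same policy set, same request; only the HR-held attribute changes."""
    alice = {"position": "department_manager", "department_code": "FIN"}
    desk = Request(alice, "financial-management", False, False, time(10, 30))
    phone = Request(alice, "financial-management", True, True, time(10, 30))
    before = (decide(desk), decide(phone))
    alice["position"] = "analyst"    # HR updates the record; no group edit by IT
    after = decide(desk)             # the very next request sees the new attribute
    return before, after
```

The application only calls `decide`; changing who may use a smartphone means editing the policy entry, not the application.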

So what’s holding us back from deploying APAM systems? Firstly, there’s the “if it’s not broken don’t fix it” syndrome that encourages us to put up with less than optimal systems. Another detractor is the requirement for a mature identity management system, since access to attributes is needed. There is also a need to manage policies but often business groups are unwilling to take on the policy management task.

It’s incumbent on C-level management to grapple with these issues. They must set the strategy and implement the requisite change management. If they do, not only will they be reducing the risk profile associated with their access control system, they’ll open up new opportunities. It will be possible to more easily extend business system access to their business partners, and customers, for whom it is unsustainable to populate Active Directory groups.

APAM has much to offer; all we need is a willingness to embrace it.



Why recertification isn’t sufficient anymore – time to look at user behavior and detect anomalies

Martin Kuppinger

Imagine you have well thought-out processes for IAM (Identity and Access Management) that ensure that identities are managed correctly and all the challenges in particular of mover and leaver processes are handled well. Imagine you also have a well-working recertification approach implemented and rolled out to your organization. Are you done? Unfortunately not.

Even when you succeed in implementing the core IAM and IAG (Identity and Access Governance) processes including recertification – and not everyone does so – you still are far from the end of your journey.

Why? Because you at best will know that entitlements are assigned correctly and that you meet the “need to know” principle. Unless your joiner, mover, and leaver processes are really well-implemented, you still might be in a situation where users might have excessive entitlements for e.g. 11 months and 29 days, based on a yearly recertification. Yes, you might shorten that period, but that will not solve the problem – it might be 5 months and 29 days at maximum then, but the basic problem remains. That is a good reason for trying to fix the cause (implementing good IAM processes) instead of the symptoms (recertifying).

Furthermore, you still don’t know whether correctly assigned entitlements are abused. What if your backup operator (who must be entitled for backups) does two backups instead of one? One for the business, one to take it home or somewhere else? What if your front office worker accesses all the customer records he has access to within a short period of time, all data ending up on a USB stick? What if a privileged account is hijacked by an attacker who runs privileged actions?

Knowing that the state is correct is no longer sufficient. We need to understand whether entitlements are used correctly. There is no technology in traditional static access management, i.e. creating accounts, assigning them to groups or roles and thus entitling them, which also limits or audits the use of these entitlements. Logging and SIEM provide a little insight.

However, what we really need are more sophisticated approaches. User Activity Monitoring (from the perspective of monitoring and logging) and User Behavior Analytics (the perspective of analyzing collected data) must move to the center of our attention. We need to become able to identify anomalies in user behavior. We need to set up processes to deal with suspicious incidents properly – not blocking the business from what it needs to do, not violating workers’ rights, but mitigating risks.
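
One simple form of the behavior analysis called for above, applied to the front office scenario: flag a user whose count of distinct customer records read inside a sliding window far exceeds that user's usual volume. This is an added example, not from the article or any product; the event format, window, thresholds, per-user baseline and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def burst_alerts(events, baseline=None, window=timedelta(minutes=10),
                 factor=3, floor=20):
    """events: (timestamp, user, record_id) tuples sorted by time.
    A user is flagged once, at the first event where the number of distinct
    records read within `window` exceeds max(floor, factor * baseline[user]).
    Returns {user: (time_of_first_breach, distinct_count)}."""
    baseline = baseline or {}
    recent = defaultdict(deque)      # per-user events still inside the window
    alerts = {}
    for ts, user, record in events:
        q = recent[user]
        q.append((ts, record))
        while ts - q[0][0] > window:     # drop events that aged out
            q.popleft()
        distinct = len({r for _, r in q})
        limit = max(floor, factor * baseline.get(user, 0))
        if distinct > limit and user not in alerts:
            alerts[user] = (ts, distinct)
    return alerts

def sample_events():
    """Constructed log: fo-22 works normally, fo-17 reads 60 records in 5 minutes."""
    start = datetime(2024, 1, 15, 14, 0, 0)
    ev = [(start + timedelta(minutes=10 * i), "fo-22", f"C{100 + i}")
          for i in range(6)]
    ev += [(start + timedelta(seconds=5 * i), "fo-17", f"C{500 + i}")
           for i in range(60)]
    return sorted(ev)

def run_sample():
    # Assumed baseline: both users normally read about 5 records per window.
    return burst_alerts(sample_events(), baseline={"fo-17": 5, "fo-22": 5})

if __name__ == "__main__":
    for user, (ts, n) in run_sample().items():
        print(f"{ts.isoformat()} {user}: {n} distinct records in window")
```

Both users hold the same, correctly assigned entitlement; only the usage pattern separates them, which is what recertification cannot see.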

Technology is there, from privileged threat analytics to user behavior analytics and, beyond identities, Real Time Security Intelligence. Such technology can be implemented in a compliant way, even in countries with strong emphasis on privacy and mighty workers’ councils.

When we really want to mitigate access risks, we have to go beyond traditional approaches and even beyond Access Intelligence. We must become able to identify anomalies in user behavior, not only of administrators but also of business users (oh yes, there are fraud management solutions for that available as well – so we are not talking about something entirely new). Time to move to the next level of IAM: from preventing (setting correct entitlements) and detecting (recertification and Access Intelligence) to responding, based on better detection and well thought-out, planned incident handling.
