Why recertification isn’t sufficient anymore – time to look at user behavior and detect anomalies

Imagine you have well thought-out processes for IAM (Identity and Access Management) that ensure that identities are managed correctly and all the challenges in particular of mover and leaver processes are handled well. Imagine you also have a well-working recertification approach implemented and rolled out to your organization. Are you done? Unfortunately not.

Even when you succeed in implementing the core IAM and IAG (Identity and Access Governance) processes including recertification – and not everyone does so – you still are far from the end of your journey.

Why? Because you at best will know that entitlements are assigned correctly and that you meet the “need to know” principle. Unless your joiner, mover, and leaver processes are really well-implemented, you still might be in a situation where users might have excessive entitlements for e.g. 11 months and 29 days, based on a yearly recertification. Yes, you might shorten that period, but that will not solve the problem – it might be 5 months and 29 days at maximum then, but the basic problem remains. That is a good reason for trying to fix the cause (implementing good IAM processes) instead of the symptoms (recertifying).

Furthermore, you still don’t know whether correctly assigned entitlements are abused. What if your backup operator (who must be entitled for backups) does two backups instead of one? One for the business, one to take it home or somewhere else? What if your front office worker accesses all the customer records he has access to within a short period of time, all data ending up at an USB stick? What if a privileged account is hijacked by an attacker who runs privileged actions?

Knowing that the state is correct is no longer sufficient. We need to understand whether entitlements are used correctly. There is no technology in traditional static access management, i.e. creating accounts, assigning them to groups or roles and thus entitling them, which also limits or audits the use of these entitlements. Logging and SIEM provides a little insight.

However, what we really need are more sophisticated approaches. User Activity Monitoring (from the perspective of monitoring and logging) and User Behavior Analytics (the perspective of analyzing collected data) must move to the center of our attention. We need becoming able in identifying anomalies in user behavior. We need setting up processes to deal with suspicious incidents properly – not blocking the business from what it needs to do, not violating worker’s rights, but mitigating risks.

Technology is there, from privileged threat analytics to user behavior analytics and, beyond identities, Real Time Security Intelligence. Such technology can be implemented in a compliant way, even in countries with strong emphasis on privacy and mighty worker’s councils.

When we really want to mitigate access risks, we have to go beyond traditional approaches and even beyond Access Intelligence. We must become able identifying anomalies in user behavior, not only of administrators but also business users (oh yes, there are fraud management solutions for that available as well – so we are not talking about something entirely new). Time to move to the next level of IAM. From preventing (setting correct entitlements) and detecting (recertification and Access Intelligence) to responding, based on better detection and well thought-out, planned incident handling.

This article has originally appeared in KuppingerCole Analysts' View newsletter.



KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

KuppingerCole on social media

Subscribe to our Podcasts

KuppingerCole Podcasts - listen anywhere


How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00