User identities and their associated system accounts are a key area of information security control that many compliance initiatives, such as ISO 27001 clause 11 or SoX 404, focus on. With the rise of insider threat, a complete and effective user life cycle management process is key.
Provisioning normally includes the following basic use cases:
- CRUD (create, read, update, delete) actions for multiple system accounts centrally
- Policy based associations and approvals
- Role Based Access Control for entitlement association
- Certification, audit and reporting for previous access control associations
- Integration with an authoritative source of user identities
As provisioning has matured and become a standard requirement for many large organisations, so too have the products, vendors and service offerings that help to implement this sort of landscape. With this maturity comes the need to derive much more business reporting, both to help drive ROI and TCO decisions and to help understand the effectiveness of identity controls and processes.
Where does this business information or 'intelligence' come from? Most provisioning solutions will have touch points with many different platforms, components and services: feeds from authoritative sources, connectors to target systems, workflow queue information, historical reporting information, failed requests, policy breaches and so on. Normally this information will be stored in an RDBMS, or in a database holding pointers to where that information resides.
The intelligence layer should attempt to transform the raw data gathered from the component infrastructure into something that resembles useful business information, such as:
- Which departments are seeing the highest access request changes?
- Which roles are the most over- or under-used?
- Which Separation of Duties policies are continually being breached? Is this a user access issue or a policy definition issue?
- Can we identify high risk users, access or transactions?
- What reduction in help desk calls was attributable to self-service password resets?
- Which users have seen the most access changes in the last 12 months?
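As an added example that is not part of the original post, the following Python script builds a small provisioning database in SQLite and answers several of the questions above from it. Everything in it is constructed sample data (the schema, the users and departments, the roles and entitlements, the single Separation of Duties policy and the grant/revoke event log are all hypothetical, not taken from any product). It reports access changes by department, the users with the most changes in the last twelve months, how many people currently hold each role (a role with zero holders is a candidate for the "under-used" question), and SoD breaches both as they stand now and as a count of how often each policy has been breached historically, which is the figure that helps decide whether a policy is a user access issue or a policy definition issue.

```python
import sqlite3

# Constructed sample data for illustration only (hypothetical; not from any real provisioning product).
SCHEMA = """
CREATE TABLE users(user_id TEXT PRIMARY KEY, department TEXT NOT NULL);
CREATE TABLE roles(role_id TEXT PRIMARY KEY, entitlement TEXT NOT NULL);
CREATE TABLE sod_policies(policy_id TEXT PRIMARY KEY, role_a TEXT NOT NULL, role_b TEXT NOT NULL);
CREATE TABLE access_events(event_id INTEGER PRIMARY KEY, user_id TEXT NOT NULL, role_id TEXT NOT NULL,
    action TEXT NOT NULL CHECK(action IN ('grant', 'revoke')), event_date TEXT NOT NULL);
"""
USERS = [("u1", "Finance"), ("u2", "Finance"), ("u3", "IT"), ("u4", "Sales")]
ROLES = [("AP_CLERK", "ERP:create_invoice"), ("AP_APPROVER", "ERP:approve_invoice"),
         ("SYSADMIN", "AD:Domain Admins"), ("CRM_USER", "CRM:read"),
         ("LEGACY_REPORT", "Legacy:run_report")]          # nobody is ever granted LEGACY_REPORT
SOD_POLICIES = [("SOD-01", "AP_CLERK", "AP_APPROVER")]  # one person must not both raise and approve invoices
EVENTS = [  # (event_id, user_id, role_id, action, event_date) - a constructed grant/revoke log
    (1, "u1", "AP_CLERK", "grant", "2023-01-10"),
    (2, "u1", "AP_APPROVER", "grant", "2024-02-14"),   # completes a toxic combination for u1
    (3, "u2", "AP_APPROVER", "grant", "2023-09-01"),
    (4, "u2", "AP_CLERK", "grant", "2023-10-05"),      # completes a toxic combination for u2 ...
    (5, "u2", "AP_CLERK", "revoke", "2023-11-20"),     # ... which is later remediated
    (6, "u3", "SYSADMIN", "grant", "2024-01-15"),
    (7, "u3", "CRM_USER", "grant", "2024-03-01"),
    (8, "u3", "CRM_USER", "revoke", "2024-03-02"),
    (9, "u4", "CRM_USER", "grant", "2024-05-10"),
]


def build_sample_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO roles VALUES (?, ?)", ROLES)
    conn.executemany("INSERT INTO sod_policies VALUES (?, ?, ?)", SOD_POLICIES)
    conn.executemany("INSERT INTO access_events VALUES (?, ?, ?, ?, ?)", EVENTS)
    conn.commit()
    return conn


def access_changes_by_department(conn, since):
    """Which departments are seeing the most access request changes since an ISO date?"""
    return conn.execute("""
        SELECT u.department, COUNT(*) AS changes
        FROM access_events e JOIN users u ON u.user_id = e.user_id
        WHERE e.event_date >= ?
        GROUP BY u.department ORDER BY changes DESC, u.department""", (since,)).fetchall()


def most_changed_users(conn, since, limit):
    """Which users have seen the most access changes since an ISO date?"""
    return conn.execute("""
        SELECT user_id, COUNT(*) AS changes FROM access_events
        WHERE event_date >= ?
        GROUP BY user_id ORDER BY changes DESC, user_id LIMIT ?""", (since, limit)).fetchall()


def replay_holdings(conn):
    """Replay the event log in order to rebuild current role holdings per user and
    record every moment a grant completed a combination forbidden by a SoD policy."""
    policies = conn.execute("SELECT policy_id, role_a, role_b FROM sod_policies").fetchall()
    holdings = {u: set() for (u,) in conn.execute("SELECT user_id FROM users")}
    incidents = []  # (policy_id, user_id, event_date) for each historical breach
    for user_id, role_id, action, event_date in conn.execute(
            "SELECT user_id, role_id, action, event_date FROM access_events ORDER BY event_date, event_id"):
        roles = holdings.setdefault(user_id, set())
        if action == "grant" and role_id not in roles:
            roles.add(role_id)
            for policy_id, role_a, role_b in policies:
                if role_id in (role_a, role_b) and {role_a, role_b} <= roles:
                    incidents.append((policy_id, user_id, event_date))
        elif action == "revoke":
            roles.discard(role_id)
    return holdings, incidents


def current_sod_breaches(conn):
    """(policy_id, user_id) pairs where a user holds both roles of a policy right now."""
    holdings, _ = replay_holdings(conn)
    policies = conn.execute("SELECT policy_id, role_a, role_b FROM sod_policies").fetchall()
    return sorted((p, u) for p, a, b in policies for u, roles in holdings.items() if {a, b} <= roles)


def sod_breach_history(conn):
    """How often each policy has been breached over the whole log, remediated or not."""
    counts = {}
    for policy_id, _user, _date in replay_holdings(conn)[1]:
        counts[policy_id] = counts.get(policy_id, 0) + 1
    return counts


def role_usage(conn):
    """Current number of holders per role; zero-holder roles are under-used candidates."""
    holdings, _ = replay_holdings(conn)
    usage = {r: 0 for (r,) in conn.execute("SELECT role_id FROM roles")}
    for roles in holdings.values():
        for r in roles:
            usage[r] = usage.get(r, 0) + 1
    return usage


if __name__ == "__main__":
    db = build_sample_db()
    since = "2023-07-01"  # twelve months before the constructed reporting date of 2024-06-30
    print("changes by department:", access_changes_by_department(db, since))
    print("most changed users:", most_changed_users(db, since, 3))
    print("role usage:", role_usage(db))
    print("current SoD breaches:", current_sod_breaches(db))
    print("SoD breach history:", sod_breach_history(db))
```

The per-department and per-user counts are plain SQL aggregates over the event log, which is how they would be produced against a real provisioning database. Role holdings and SoD state are rebuilt by replaying grants and revokes in order rather than by trusting a "current assignments" table, so the same replay yields both the breaches that exist today and the full history of breaches, including ones that were later remediated.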
This is all pertinent business information that not only helps to show value from a complex middleware infrastructure, but also helps to show where security effort, and in turn underlying risk, is located.
Identity provisioning projects tend to be long, complex affairs requiring deep business and technical understanding. Whilst adding an intelligence layer may seem like added complexity, the reward in the form of increased business and risk understanding should be effort well spent.