The Basic Pillars of Identity & Access Management
- Compliance By Design
- Compliance By Control
- Compliance By Review
SIEM, Activities and Who Has Accessed What?
One of the recent expansions of the access review process has been to marry security information and event management (SIEM) data with the identity and access management extracts. Being able to see what an individual has actually done with their access helps to determine whether they still need certain permissions. For example, if a line manager is presented with a team member's directory access, which contains 20 groups, it can be very difficult to decide which of those 20 groups are actually required for that individual to fulfill their job. If, on the other hand, you can quickly see that 12 of the 20 groups were not used within the last 12 months, that is a good indicator that they are no longer required on a day-to-day basis and should be removed. The usual caveat applies: entitlements that are exercised rarely by design (year-end tasks, break-glass or emergency access) will look unused in any usage window and need to be excluded from the rule, or the review will strip access that is needed precisely when there is no time to re-request it.
There is clearly a big difference between what a user can access and what they have actually accessed. Getting this view requires quite low-level activity logging within each system, as well as the ability to collect, correlate, store and ultimately analyse that data. SIEM systems do this well, with many now linking to profiling and identity warehouse technologies to help create this meta-warehouse. This is another step towards the generally accepted view of 'big data'. Whilst this central warehouse is now very possible, the end result is still only really speeding up the discovery of failures further up the identity food chain: the over-provisioned entitlement is still granted first and caught later.
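The correlation described above, as an added example written for this page rather than the author's own tooling: an IAM extract (user, group) is joined against a SIEM export (timestamp, user, group, action) to split each user's entitlements into used, stale and never-used within the review window, and to flag events that exercised a group the extract says the user does not hold. The CSV layouts, the group names and the timestamps are all constructed for the example, and the SIEM is assumed to have already resolved which group an action exercised; in practice that resolution is the hard part of the "low-level activity logging" the text mentions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed IAM extract for this example: one row per entitlement held.
# Not taken from any real directory.
IAM_EXTRACT = """\
user,group
alice,FinanceReaders
alice,FinanceApprovers
alice,HR_Payroll
alice,VPN_Users
bob,VPN_Users
bob,DBA_Prod
"""

# Constructed SIEM export for this example: one row per access event, with
# the group whose rights the action exercised already resolved by the SIEM.
SIEM_EVENTS = """\
timestamp,user,group,action
2013-10-02T09:15:00Z,alice,FinanceReaders,read
2013-11-20T14:02:00Z,alice,VPN_Users,connect
2012-01-05T08:00:00Z,alice,HR_Payroll,read
2013-12-01T10:00:00Z,bob,VPN_Users,connect
2013-12-03T22:40:00Z,bob,FinanceApprovers,approve
"""

# Review window assumed for the example: 12 months ending 31 Dec 2013.
REVIEW_DATE = datetime(2013, 12, 31)
WINDOW = timedelta(days=365)


def parse_entitlements(text):
    """Return {user: set(groups)} from the IAM extract."""
    held = {}
    for row in csv.DictReader(io.StringIO(text)):
        held.setdefault(row["user"], set()).add(row["group"])
    return held


def last_use(text):
    """Return {(user, group): most recent event time} from the SIEM export."""
    latest = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        key = (row["user"], row["group"])
        if key not in latest or ts > latest[key]:
            latest[key] = ts
    return latest


def correlate(held, latest, review_date=REVIEW_DATE, window=WINDOW, exempt=frozenset()):
    """Classify each held entitlement as used / stale / never_used within the
    window. `exempt` holds groups (e.g. break-glass) that must not be judged
    on usage. Also returns events whose group the user does not hold."""
    cutoff = review_date - window
    report = {}
    for user, groups in held.items():
        used, stale, never = [], [], []
        for group in sorted(groups):
            if group in exempt:
                continue
            ts = latest.get((user, group))
            if ts is None:
                never.append(group)
            elif ts < cutoff:
                stale.append(group)
            else:
                used.append(group)
        report[user] = {"used": used, "stale": stale, "never_used": never}
    # Use with no matching entitlement: either the extract is out of date or
    # the access path bypasses the directory. Either way a human must look.
    unexplained = sorted((u, g) for (u, g) in latest if g not in held.get(u, set()))
    return report, unexplained


def review(exempt=frozenset()):
    return correlate(parse_entitlements(IAM_EXTRACT), last_use(SIEM_EVENTS), exempt=exempt)


if __name__ == "__main__":
    report, unexplained = review(exempt={"DBA_Prod"})
    for user, buckets in report.items():
        print(user, buckets)
    print("used without entitlement:", unexplained)
```

Run as-is, HR_Payroll shows up as stale for alice (last used before the cutoff) and FinanceApprovers as never used, which is the "remove on day-to-day grounds" signal the text describes; bob's FinanceApprovers approval with no matching entitlement is the opposite signal and is worth more attention than any stale group.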
Movement to Identity 'Intelligence'
I've talked about the concept of 'identity intelligence' a few times in the past. There is a lot of talk about moving from big data to big intelligence, and security analytics is jumping on this bandwagon too. But in reality, intelligence in this sense is really just helping to identify the failings faster. This isn't a bad thing, but ultimately it's not particularly sustainable, nor is it actually going to push the architecture forward to help 'cure' the identified failures. It's still quite reactive. A more proactive approach is to apply 'intelligence' at every component of the identity food chain, from request and approval through provisioning to review, to help make identity management more agile, responsive and aligned to business requirements. I'm not advocating what those steps should be, but it will encompass an approach and mindset more than just a set of tools, and rest heavily on a graph-based view of identity.
By analysing the 'who has accessed' part of the identity food chain, we can gain yet more insight into who and what should be created and approved within the directories and databases that underpin internal and web-based user stores. Ultimately this may make the access review component redundant once and for all.
By Simon Moffatt