Organizations these days are very dynamic with their distributed workforces and applications. As these companies grow, their IT teams must perform the increasingly complex task of user access management.

Security professionals define access control policies and controls that mandate user access review on a periodic basis. The user access list is sent to application owners for review, and user IDs are disabled or deleted as necessary. The user access review control helps ensure that unauthorized users do not continue to exist in the system if the user ID is deleted during the normal offboarding process.

However, if user access reviews have not been carried out diligently or organizational changes impede access management, the user ID deletion process becomes quite complex. For instance, if a large multinational corporation has been growing through mergers and acquisitions, the integration of user access systems is complicated and cumbersome. Statutory audits in these organizations often reveal noncompliance related to user access management.

The Tedium of Manual User Access Review

Organizations set up projects to clean up unauthorized users IDs in the system, and the initiative gets driven through regulatory requirements or the company’s security policy. Due to its manual nature, this process requires a concerted effort and ample resources.

Such a project typically involves the following steps:

  1. Generate a user ID report from the relevant systems.
  2. Send reports to application and system owners for review.
  3. Set up meetings with owners and stakeholders.
  4. Disable or delete user IDs based on feedback from owners and stakeholders.

For large organizations with many systems and applications, and potentially thousands of users, the user ID cleanup process is very tedious. A machine learning algorithm can help security teams streamline this process to make decisions more efficiently.

Using Machine Learning for Faster Decision-Making

User ID cleanup projects are effort-intensive and require complex interactions between various stakeholders, increasing the cost of performing these activities. Administrators have to interact with many different stakeholders to know which user IDs have to be deleted. Often, application or system owners fail to provide input at the right time, putting the organization at risk of potential unauthorized users. This also contributes to noncompliance with regulations and security policies.

Machine learning algorithms can help security teams model user ID disabling activities. These algorithms do not solve the complex problems related to user access review, but they aid in decision-making, which is a critical need in such projects.

The process begins with the identification of user ID environments for model building. User ID information is generated in the form of raw data, which is then prepared and normalized for logistic regression. Finally, a model is developed and results are analyzed accordingly. The graphic below illustrates the steps of this process:

Figure 1: The user ID cleanup process

Preparing for Model Building

Organizations can have thousands of user IDs with heterogeneous environments, so cleanup projects may require building many models to reflect that. For instance, user IDs in development, production and test environments might each fit into different models. However, the analysis performed in the example below considered development, production and test environments in the same model. The best models have to be determined and should be based on a number of factors, such as organizational unit, geography, type of application and type of environment.

Generating Raw Data

Raw data is generated based on the agreed-upon model and is usually maintained in spreadsheets or exported through a central user ID management system. The raw data, which can include details related to users, servers and applications, will depend on the models selected during the previous stage.

For our test, raw data is generated for about 3,000 user IDs and sanitized for logistic regression. This data includes the details outlined below:

Area

Details

User

Account type (shared, privileged, third-party, etc.)

Server

Operating system

Application

Application name

System Environment

Production server, test server, development server

Scroll to view full table

Table 1: Raw data

Sampling

A random sample of 348 user IDs is taken to build the model, which is then applied to the rest of the user IDs. The sample user IDs are then discussed with application and server owners to determine whether they should be deleted. This introduces a new column labeled “ID to Be Disabled,” which serves as the dependent variable. The new column is populated based on discussions with the application and server owners.

Data Preparation and Variable Selection

The information gleaned from the application and server owners enables the security team to select the independent variable. For our test, we identified the following variables:

Area

Variable

Number of Variables

User

Shared, privilege

2 variables

Server

Operating systems

5 variables

Application

Application type

11 variables

Environment

Production, development and test

3 variables

Total Variables

21 variables

Scroll to view full table

Table 2: Variables

The variable identification activity is also effort-intensive. A high number of variables suggests that many different environments could exist, which may require more than one model for decision-making.

The variables outlined in table 2 are in text format and must be prepared for logistic regression. The textual information in the variables is then converted into binary form.

Results and Analysis

The prepared data is fed into logistic regression to obtain the following model with 21 variables:

Z = -1.611 + 23.245*Privilege + 23.298*Shared- 21.767*OS1 – 20.092*OS2 – 17.621*OS3 – 21.089*OS4 – 21.027*OS5 – 23.029*APP1 – 1.317*APP2 + 0.148*APP3 – 2.742*APP4 – 20.417*APP5 – 24.350*APP6 + 1.383*APP7 – 20.627*APP8 + 23.187*APP9 – 4.8328*APP10 + 21.445*APP11 – 0.484*Production + 0.233*Development – 3.412*Test

The probability of disabling the user ID is calculated using the following formula:

Probability of disabling user ID = exp (Z) /1+exp (Z)

The model is then applied to rest of the user IDs in the organization to determine the probability of disabling the user IDs. At this point, decision criteria are required to help the security team determine how to take action.

Accuracy of Prediction

The model has an accuracy rate of 86.2 percent at a cutoff of 40 percent, as shown in table 3 below. The model predicted 300 out of 348 user IDs accurately.

Table 3: Model accuracy

Variable Significance

Table 4 shows the significance of different variables. Of the 21 variables, only the four — APP4, APP7, APP10 and TEST — are significant to the model.

B

S.E.

Wald

df

Sig.

Exp(B)

Privilege

23.245

40190.4

0

1

1

1.2452E+10

Shared

23.298

40190.4

0

1

1

1.3126E+10

OS1

-21.767

40190.4

0

1

1

0

OS2

-20.092

40190.4

0

1

1

0

OS3

-17.621

40190.4

0

1

1

0

OS4

-21.089

40190.4

0

1

1

0

OS5

-21.027

40190.4

0

1

1

0

APP1

-23.029

3807.659

0

1

0.995

0

APP2

1.317

1.337

0.97

1

0.325

3.732

APP3

0.148

0.671

0.048

1

0.826

1.159

APP4

-2.742

1.252

4.797

1

0.029

0.064

APP5

-20.417

10197.04

0

1

0.998

0

APP6

-24.35

9738.721

0

1

0.998

0

APP7

1.383

0.677

4.174

1

0.041

3.987

APP8

-20.627

10741.68

0

1

0.998

0

APP9

23.187

10280.24

0

1

0.998

1.175E+10

APP10

-4.832

1.764

7.508

1

0.006

0.008

APP11

21.445

13359.75

0

1

0.999

2057356196

Production

-0.484

0.667

0.527

1

0.468

0.616

Development

0.233

0.892

0.068

1

0.794

1.262

Test

-3.412

1.768

3.725

1

0.054

0.033

Constant

-1.611

1.326

1.476

1

0.224

0.2

Scroll to view full table

Table 4: Variable significance

Further Analysis

A high number of variables suggests that many different environments exist for model building, meaning that more models must be developed to improve decision-making. In our test with 21 variables, we could have considered a number of different models.

The combination of the different variables and the selection of the variables must be reviewed each time new models are built. Depending on the environment, different models can suggest different independent variables that are significant, which impacts the accuracy of predicting the disabling of user IDs. Therefore, the model building activity is an iterative process.

Decision-Making

The models should help security teams make better decisions, which can help reduce user ID review efforts significantly. For the test described in this article, we can create the following criteria to enable decision-making:

  1. If the environment is not important and the accuracy of prediction is greater than 80 percent, the application owner can decide to delete the user ID and look at any exceptions if users revert back.
  2. If the environment is important, the application owner should delete the user ID only if the accuracy of the prediction is greater than 95 percent.
  3. If the environment is critical, application owners might decide to use manual methods and disregard the information provided by the models.

These three criteria help security teams determine how to take action without having to review all user IDs individually with the server and application owners.

Limitations

The user IDs mentioned in this article refer to end-user IDs. A user ID can be linked to many accounts, and deleting an ID can impact other relevant access privileges for the user. This approach has risks, so careful planning and decision-making are crucial to reduce impact. The context provided here does not apply to all situations, and if you have effectively deployed user access review and management controls, such a complex approach is not required.

User Access Review Modeling Is a Means to an End

The model developed through this process is a means to an end, not an end in itself. It must be analyzed and tested, both statistically and functionally, to determine its relevance to the environment. While variable selection is always the most critical component of this process, the model will vary from environment to environment. However, machine learning can help any organization stretch its resources and improve decision-making during the otherwise arduous user ID cleanup process.

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today