With the increase of insider threats, unauthorized access and mounting regulatory pressures, many security professionals are turning their focus to identity governance and intelligence. To learn more about this topic, we turned to one of IBM’s identity and access management specialists, Andy Taylor.
Get the Scoop from Security Expert Andy Taylor
Taylor has more than 14 years of identity and access management experience, with a particular focus on access governance and privileged account management processes. Over the years, he has performed a variety of consulting roles with specialist IAM boutique firms as well as with the Big Four consulting groups.
Having consulted for, been a solution architect for and led some of the largest client programs, Taylor is currently a senior managing consultant and governance expert for IBM Security.
Question: What are organizations that are investing in identity governance today hoping to achieve?
Taylor: Identity governance initially sought to simplify and automate processes for IT and audit’s benefit. It was about implementing a basic and often rudimentary access request portal or paper-based recertification process to address an audit point, for example.
Processes are now becoming highly complex, state-of-the-art in their design, required to be very tightly governed and, importantly, cost effective. This is due to today’s compliance, regulatory-driven and often mandated requirements.
There is new emphasis on demonstrable control, being able to evidence it in a sustainable manner, while addressing the needs of the ever-changing business landscape. These needs are generally supported by a plethora of vendor companies who provide out-of-the-box, relatively ready-to-run processes for whatever process or control you are seeking to address in any given market.
Do these goals change depending on the maturity of the organization?
Some smaller organizations are still taking initial steps toward setting the right foundations or are now starting to mature their governance program from previous initiatives. Their efforts are often born from migrating from paper- and email-based processes or in-house legacy tool sets that are generally time consuming, costly to manage or provide insufficient evidence for audit purposes.
On the other end of the spectrum, there are global, industry-leading companies who are taking innovative approaches to performing certifications, detecting or actually wanting to prevent segregation of duties breaches on vast user populations or data sets in an almost real-time manner.
Why are access governance solution deployments getting increasingly complex?
Organizations today are seeking to integrate a far wider set of capabilities within their IAM portfolio compared to yesteryear, such as analytical, contextual and behavioral processes. But these on their own still require foundational activities to be complete and to add any significant value.
These organizations are looking to extend the boundaries of traditional vendor IAM technologies, which generally require a lot of time and resource investment to set up. We are seeing requirements now for tool sets to be integrated with external data sources that already have robust custodian processes that are dynamically referenced by the IAM product workflow or process, thus allowing the owner or custodian to manage the content in their own applications or data source, rather than loading data into and training users on the new IAM tool set.
This data could be lists of different identities, such as licensed traders, or users technically or professionally qualified to use a specific application or service. This content could also be more diverse or very specific, such as lists of cost centers or departments permitted to use an application if contained within a SAP system, for example.
Where does this new complexity come from?
As an organization’s application estate grows ever wider to cover increasingly complex business processes and functions, the IAM tool set needs to be able to handle increasing use cases, processes and reporting requirements to demonstrate control.
Also, the traditional boundaries of access governance processes — employees, contractors or temporary workers — are now expanding to include users such as suppliers, business partners and other third parties, all of which can be found in disparate locations across the business or federated source.
But each of these user repositories still requires an organization to ensure the foundations are set in place, and that the data is clean, has integrity and has defined use cases for downstream processing. But above all, they require an owner who understands both the business and identity access governance uses.
Here’s an example of what can happen if these criteria aren’t met: The HR function changes a department name, say “product marketing” to “portfolio marketing.” The old name was used in a role-based access control (RBAC) model and now has disappeared. So the system revokes swathes of user access that had been based upon the department name!
What’s the most in-demand governance feature clients are asking you about at the moment?
Perhaps the governance process receiving the most focus at present is segregation of duties (SOD). An increasing number of companies are now seeing the value of how SOD augments and forms part of robust access request and certification processes.
The traditional examples of segregation of duties are found in the requirement to separate users who have the ability to raise an invoice from those who release payment on an invoice, or segregating front and middle office trading functions.
Without segregating these duties, you leave the door open to abuses, theft or breaches due to the inappropriate actions of insiders. This is becoming more and more relevant: The IBM Cyber Security Intelligence Index found that in 2015, 60 percent of attacks were carried out by insiders. This insider threat is now leading clients to take an organizationwide view for all business processes, covering hundreds or thousands of applications in the estate, rather than the historical single application-centric approach to address specific issues.
The granularity of control you can achieve with SOD is allowing clients to achieve a far tighter degree of control, which is especially important for organizations required to comply with financial regulations. Product tool sets are able to assist with the detective aspect of a SOD rule, some even at the preventative stage during an access request.
A growing trend is to attempt to prevent a breach in the first instance — after all, why let something happen, assuming a detective control will pick it up? Generally, the SOD rule is applied at its lowest level: the entitlement level. But for organizations with hundreds of thousands, if not millions, of entitlements, it’s possible to also do this at the role level. In that case, you must detect and manage entitlement conflicts inside roles, or else you’ll expose a huge gap!
It is possible to be innovative in this space. Rather than try to onboard hundreds of rules in the tool set, you can use a handful of rules to manage very large application and entitlement numbers that perform the traditional financial segregation, process separation and data segregation checks.
Some clients are using the IAM tool set to reference external data where permitted users are defined, managed and referenced by the SOD workflow. In every case, a well-thought-out strategy of checking at all levels will lead to better results and more control.
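The SOD approach Taylor describes, as an added illustration that is not from the interview or any IBM product: a handful of rules expressed as conflicting entitlement pairs, applied both detectively (including inside role definitions, so a conflict bundled into a role is not missed) and preventively at access-request time. All rule names, roles and entitlements are constructed sample data.

```python
# SOD rules: each rule names two sets of entitlements that must not be held together
# (constructed examples mirroring the invoice/payment and front/middle office cases)
SOD_RULES = {
    "invoice-vs-payment": ({"erp:raise_invoice"}, {"erp:release_payment"}),
    "front-vs-middle-office": ({"trading:book_trade"}, {"trading:confirm_trade"}),
}

# Role model: role -> entitlements it grants (constructed; one role hides a conflict)
ROLES = {
    "ap-clerk": {"erp:raise_invoice", "erp:view_vendor"},
    "ap-supervisor": {"erp:release_payment", "erp:raise_invoice"},  # conflict inside role
    "trader": {"trading:book_trade"},
}

def effective_entitlements(direct, roles):
    """Flatten a user's direct entitlements plus everything granted via roles."""
    ents = set(direct)
    for r in roles:
        ents |= ROLES.get(r, set())
    return ents

def violations(entitlements):
    """Entitlement-level check: rules where both sides are present in the set."""
    return sorted(name for name, (a, b) in SOD_RULES.items()
                  if entitlements & a and entitlements & b)

def role_conflicts():
    """Detective check on the role model itself: roles that contain a conflict,
    which would otherwise pass a role-level check unnoticed."""
    return {r: violations(e) for r, e in ROLES.items() if violations(e)}

def check_request(direct, roles, requested_item, is_role=False):
    """Preventive check at access-request time: would granting requested_item
    (an entitlement, or a role when is_role=True) introduce a new SOD violation?"""
    before = effective_entitlements(direct, roles)
    if is_role:
        after = effective_entitlements(direct, list(roles) + [requested_item])
    else:
        after = before | {requested_item}
    new = sorted(set(violations(after)) - set(violations(before)))
    return {"allowed": not new, "new_violations": new}
```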
What about governance is in need of the most change? What’s currently not working?
Certification is where the biggest mind-shift changes are required. Historically, this process was about reviewing all users on all applications every 90 days or so via the presentation of entitlement data in its rawest form, the entitlement in IT terminology. We’d like to say those days are long gone, but this is still one of the most common approaches. In a busy workplace, spare a thought for the amount of time — and cost — reviewers are required to allocate to this task, making it more difficult to perform their own daily jobs.
There must be a smarter way to perform certifications?
There are some points to consider to improve certifications. The first is simply defining a risk-based framework to be used for recertification that can limit the scale of the effort but still address compliance concerns.
Yes, you can still review all users over time, but consider this approach to review only those applications that need to be reviewed in alignment with this rating, or better still, those users who may have sensitive or privileged access, perhaps the payments clerk, the user administrator or the trader in the front office with high trading limits. These types of roles warrant closer attention at a frequency aligned to the assets’ risk rating. This does not necessarily apply to the user who has read-only access to the corporate intranet site.
Another consideration is to include additional metadata in the recertification to assist the reviewer in narrowing down which entitlements to review. For example, last logon information allows the reviewer to clearly see the access hasn’t been used in a long period and base the decision upon that rather than each entitlement under review. Or you could leverage this information to define a policy rule in the tool set to manage inactive users. This keeps the application estate clean so inactive user accounts rarely appear in the certification. An RBAC recertification approach where you align the review to a role owner to review entitlements and membership can also help greatly, but it is worth noting that what effort you reduce on the line manager is now picked up by role owners.
So unless organizations look to change their approach, the poor old line manager performing the review, trying to understand unclear entitlement descriptions, may continue the historical rubber-stamped “retain all access” decision-based approach, which adds no value at all and doesn’t control your identities or protect your data.
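The two certification improvements described above, as an added example that is not from the interview or any product: an inactivity policy rule that removes stale access from the campaign before a reviewer sees it, followed by risk-based scoping in which each application's rating sets its review interval and sensitive entitlements are flagged. The intervals, the 60-day inactivity threshold, the application catalogue and the assignments are all constructed assumptions.

```python
from datetime import date

REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}  # assumption
INACTIVE_AFTER_DAYS = 60                                           # assumption

# Constructed application catalogue: app -> (risk rating, sensitive entitlements)
APPS = {
    "payments": ("high", {"release_payment"}),
    "trading":  ("high", {"book_trade", "raise_limit"}),
    "intranet": ("low",  set()),
}

# Constructed assignments: (user, app, entitlement, last_logon, last_certified)
ASSIGNMENTS = [
    ("alice", "payments", "release_payment", date(2024, 5, 1),  date(2024, 3, 1)),
    ("bob",   "trading",  "view_blotter",    date(2024, 5, 20), date(2024, 5, 1)),
    ("carol", "trading",  "raise_limit",     date(2023, 11, 1), date(2024, 1, 10)),
    ("dave",  "intranet", "read",            date(2024, 5, 25), date(2024, 1, 1)),
]

def apply_inactivity_policy(assignments, today):
    """Policy rule run before the campaign: split off access unused for too long
    so it goes to a removal workflow instead of landing on a reviewer."""
    stale = [a for a in assignments if (today - a[3]).days >= INACTIVE_AFTER_DAYS]
    live = [a for a in assignments if a not in stale]
    return live, stale

def scope_campaign(assignments, today):
    """Risk-based scoping: an assignment is in scope only when its application's
    review interval has elapsed; sensitive entitlements are flagged for the reviewer,
    and last-logon age is carried along as decision support."""
    items = []
    for user, app, ent, last_logon, last_cert in assignments:
        rating, sensitive = APPS[app]
        if (today - last_cert).days < REVIEW_INTERVAL_DAYS[rating]:
            continue
        items.append({
            "user": user, "app": app, "entitlement": ent, "rating": rating,
            "priority": "sensitive" if ent in sensitive else "routine",
            "days_since_logon": (today - last_logon).days,
        })
    return items

def run(today=date(2024, 6, 1)):
    """Full flow: clean up inactive access first, then scope what is left."""
    live, stale = apply_inactivity_policy(ASSIGNMENTS, today)
    return scope_campaign(live, today), stale
```

Run without the inactivity step (scope_campaign over all assignments) to see the stale trading entitlement reappear on the reviewer's list.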
So, where does that leave the business user who is just trying to get access to the tools they need to do the job?
Robust ownership and process oversight in both the IAM delivery program and the business-as-usual operational structure must address user concerns during the program. This includes being clear on communications for the business objectives, outcomes and timelines, and the planning of extensive end user education and awareness campaigns.
If you involve end users in the program, particularly during testing phases, this should create an ecosystem suitable to deliver the best user experience — one that offers flexibility for the demands of the business and, even more importantly, demonstrates control.