Another analysis can infer or suggest other attributes or relationships between objects. For instance, if 75 percent of the finance team has access to application Y, it's likely that application Y is a high-impact application.
The risk rating for Bob's access may be inferred to be low if it's consistent with other peers in finance. Conversely, the risk rating may be high if Bob's access is an outlier, inconsistent with his peers (that is, he's not in finance).
This type of complex analysis results in multidimensional data structures that can help you begin to answer questions that start with "What is...," "What should be...," and "What if..." and provides an opportunity to look at information through different perspectives, such as by business unit, by date, or by business risk.
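The peer comparison described above can be sketched in a few lines. This is an added example, not code from the original article: the people, departments, grants, function names and the 0.25 outlier cut-off are all constructed for illustration, and only the 75 percent figure comes from the text.

```python
from collections import Counter, defaultdict

# Constructed sample data, not taken from the article.
DEPARTMENT = {
    "alice": "finance", "carol": "finance", "dave": "finance",
    "erin": "finance", "judy": "finance",
    "bob": "engineering", "frank": "engineering", "grace": "engineering",
}
GRANTS = {
    ("alice", "app_y"), ("carol", "app_y"), ("dave", "app_y"),
    ("erin", "app_y"), ("bob", "app_y"),
    ("bob", "git"), ("frank", "git"), ("grace", "git"),
}
# Assumed cut-offs: 0.75 mirrors the article's 75 percent example;
# 0.25 as the outlier bound is a choice made for this sketch.
COMMON, OUTLIER = 0.75, 0.25


def holders_by_dept(department, grants):
    """Map (dept, app) -> set of people in that department holding the app."""
    holders = defaultdict(set)
    for person, app in grants:
        holders[(department[person], app)].add(person)
    return holders


def likely_high_impact(department, grants):
    """(dept, app) pairs where at least COMMON of the department has the app."""
    size = Counter(department.values())
    return {key for key, people in holders_by_dept(department, grants).items()
            if len(people) / size[key[0]] >= COMMON}


def rate_grants(department, grants):
    """Rate each grant by the share of the holder's other peers who have it."""
    holders = holders_by_dept(department, grants)
    ratings = {}
    for person, app in grants:
        dept = department[person]
        peers = [p for p, d in department.items() if d == dept and p != person]
        share = len(holders[(dept, app)] - {person}) / len(peers) if peers else 0.0
        ratings[(person, app)] = ("low" if share >= COMMON
                                  else "high" if share <= OUTLIER else "medium")
    return ratings


if __name__ == "__main__":
    print("likely high impact:", sorted(likely_high_impact(DEPARTMENT, GRANTS)))
    print(sorted(rate_grants(DEPARTMENT, GRANTS).items()))
```

The holder is excluded from their own peer group, so a lone grant such as Bob's access to app_y scores as an outlier instead of being diluted by his own entry.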
A simple question can be answered: "What access has been granted to this employee?"
Person > Account > Access
Now we can answer such questions as: "If I provide this employee with access to that resource, what is the likely effect and does it reveal any issues?" or "Have I authorized anything that was not intended?"
Person > Account > Access > Permissions > Resource
When we add activity to the process, we can uncover behavior trends, or analyze and summarize what a user or a set of users actually does with access that they have been granted to a resource:
Person > Account > Access > Permissions > Resource > Activity
This can be used to create a baseline of normal or expected behavior for similar users, or can be used to compare a user's behavior over different time periods.
- Activity by day of week: We expect to see low activity on the weekends
- Activity by hour: We expect to see low activity outside normal 8-to-6 work hours
- Activity by department: We expect to see certain sets of applications used in each department
You start to see how adding data allows for more analysis to be done, giving better visibility, generating new information, and allowing you to answer more interesting questions. (For example: Is it normal for Bob to be downloading the entire customer list to his home laptop at 3 a.m. on a Sunday before he leaves for a hastily scheduled three-week vacation?)
Adding geographic and location-based data provides an idea of "where." This can be used, for instance, to uncover and flag access by the same user in two different locations at the same time or to identify locations inconsistent with the expected geographies for the user.
Customizing IAI to reveal business risk
Already we can see that by aggregating disparate data types and looking at the context or relationship between those elements, we are revealing new information. Next let's look at how we can highlight information and uncover knowledge rather than just showing data in a static report.
Let's try illustrating the difference between conveying data and conveying information.
Take an example that is familiar: orphaned or inactive accounts. Suppose you have a static report showing 30 orphans. What does 30 represent? Is this "good" or "bad"?
Visualization takes the data ("30") and couches it in the context of the bigger picture to answer those questions. For example, maybe it's the 30 highest-risk orphans out of the 100 total orphans found. Not all orphans are equal -- one that's powerful and can approve $100,000 expenditures is a higher risk; one that's associated with a terminated worker is higher risk; one with access to confidential data or IP is higher risk; one that's been used is higher risk. You get the idea.
The analysis phase highlighted 30 high-risk orphan accounts out of 100 total orphans identified across 5,000 accounts. We have an overall orphan ratio of 2 percent, but only a 0.6 percent ratio for the high-risk orphan accounts.