Act wisely
Now that you have information providing insight, and not just data, and we agree that context has value, it's really what you do with the knowledge gained that matters. You'll want to act on certain things uncovered by analysis and visualization.
As it relates to IAM, access risk and policy violations are most commonly identified. Actions for remediation can take a variety of forms:
- Ignore (a one-time false positive)
- Always ignore (always considered a false positive)
- Accept (not a false positive, but I'll approve this exception)
- Request review and attestation
- Request removal (undo)
- Request policy modification (the policy is wrong or doesn't represent the business)
- Reassign (it's not mine)
- Escalate and research (I need help)
As we have moved from collecting the data to analyzing and visualizing and now acting, the overall objective should be to identify and eliminate compliance issues as they occur and to predict and prevent the problems that lead to risk. But how can we improve productivity?
Operationalize
Remediation as a manual process doesn't scale well, especially if a trained member of the security team needs to look at and act upon all of the information identified. Remember our statement that nobody can look at all of this, nor would they want to. Instead, you'll want to automate and operationalize IAM tasks where possible.
Continuously monitor for the most interesting things, then automate the remediation steps. The definition of "interesting things" varies, but can include anomalies and outliers, segregation of duty violations, new assignment of privileged access, usage of an account associated with a terminated worker. Minimize noise, focus on the important things, refine, tune, and improve. Now, the phrase "continuously monitor" sounds simple, but it encompasses everything we've talked about thus far:
Collect > Analyze > Visualize > Act
Let's go back to our example of Bob who has access to approve budget items over $100,000. SoD (segregation of duty) policies may dictate that individuals with budget approval rights should not have budget requesting rights. Review and sign-off is required when this combination of access is detected for an individual. By continuously monitoring this policy, violations are flagged as soon as the combination of rights is assigned to Bob. It doesn't matter whether the assignment is done through an IAM system, native tools, or some other channel -- monitoring picks up the change, checks the policy, and takes action on violations. In this case an action might be to notify stakeholders and initiate the process of having Bob's manager review and then accept or reject the violation of SoD policy.
In most businesses, usage of an account associated with a terminated worker would raise eyebrows. The account is disabled during the off-boarding (termination) process, but what happens if it's reactivated and used? (We'll assume that the worker is still not associated with the business.) "Monitor and act" might entail:
- Knowing that the worker has separated from the company
- Knowing that the account has been activated (and by whom?)
- Knowing that the account has been used
- Detecting all of the above
- Taking action, which may entail:
- Determining who to notify
- Requiring the account to be attested to (reviewed)
- Disabling the account
From data to information
To paint the full picture for IAM, we collect data from a broad variety of systems, pulling together identity, access, activity, and resources. That data alone can grow quite large for an organization. Data is then only turned into information or knowledge through analysis, which helps us to visualize, confirm compliance with policy, and act as needed. With the addition of historical information, we pick up the ability to visualize trends and employ forward-looking forensics.
While market conditions, the pace of technology use, and change all contribute to a big identity data challenge, IAI is rapidly evolving, so CISOs can actually boil the ocean down to a manageable level. With the right tools they can automate routine IAM tasks, quickly identify and eliminate compliance issues, and predict, prevent, and address problems that lead to risk.
This gives us the ability, to paraphrase Albert Einstein, to not only solve problems, but to prevent them.
New Tech Forum provides a means to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all enquiries to newtechforum@infoworld.com.
This article, "How to benefit from the identity data explosion," was originally published at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.