IGA Capability: Auditing
Recording audit trail. Recording identity-related operations and events. Recording business-level information in a structured data format.
Basic audit trail access. User interface to access audit trail records, using simple queries and filtering.
Complex audit reporting. Advanced reporting, based on interpretation of audit records in context, correlating and computing values. Reports providing "time machine" functionality, computing values as they were in the past. Forensic reports and analytics.
Audit integration. Moving data to external systems, such as security information and event management (SIEM) systems, data warehouses, etc. Providing functions to export, pump or access audit record data by external systems. Documentation of data structures and formats.
Metadata maintenance. Setting and maintaining auditing-related metadata, such as dates of object creation and modification. Maintaining summarized and automatically-computed data.
Auditing capability is responsible for recording identity-related operations and events. The operations are recorded on business level, containing business-relevant information in the records. Audit data may be used for variety of reports. At least a basic reporting engine capable of searching and displaying audit records is usually included.
The very core of auditing capability is systematic recording of operations and events in the IGA platform. Unlike logging which is mostly record unstructured data for diagnostic purposes, auditing is recording structured, business-relevant data. Every change to every managed identity is usually recorded in audit trail. Audit record almost always contains identifiers of changed objects, description of the change (usually structured), outcome of the operation (success/failure) and other data describing the operation of event. Also, information about the actors is recorded, for example identifier of the user initiating the operation. Critical aspect of audit trail is its structure, allowing precise searching and filtering of the records.
Some IGA platforms limit auditing only for changes of managed identities. However, most IGA platforms contain comprehensive auditing capability, adding policy and configuration changes to the record. Audit records are likely to be relatively complex, especially when detailed business information is included (such as progress of approval processes).
Primary responsibility of an IGA platform is to record audit trail. Strictly speaking, responsibility to interpret audit data should lie with other systems, such as security information and event management (SIEM) systems, enterprise data warehouses and data analytic systems. However, such systems are usually not able to fully understand identity-related concepts and relatively complex structure of identity data. Therefore most IGA platforms contain at least some form of user interface for visualization of audit data.
The most rudimentary forms of audit trail user interface allows only basic search and filtering capabilities over the audit trail data. Such user interface is provided by almost every IGA platform. Advanced user interfaces may provide ability for customizable reports or dashboards. IGA platforms often provide "time machine", an ability to display state of the identity as it was at certain point in the past. Some IGA platforms provide specialized tools for forensic investigation and analysis of audit trail data.
As almost every operation is recorded in audit trail, and the records are usually kept for relatively long time period, the amount of audit trail data is likely to be massive. Storing and querying such data is a challenge of its own. The usual practice of "pumping" the data to data warehouse or a similar system for archival does not have a desired effect. Complexity of identity data means that general-purpose data-processing systems are not able to process the data. Therefore the IGA platform remains the only system that can be used to analyze the data, hence the data has to remain accessible to IGA platform for a long-term. IGA platform has to use efficient, often database-specific methods to store and manage the data (e.g. database partitioning).
While IGA platforms are both the producers and primary consumers of audit trail data, some parts of the data are interesting to others systems. Systems such as security information and event management (SIEM) can take advantage of partial understanding of the identity management audit trail. Similarly, data warehouses and other enterprise data analytic systems may be interested in some parts of identity data, such as information on created/deleted users. Therefore, ability to expose audit trail data to other systems is an important functionality of auditing capability. Sadly, there is no practical standard for audit data integration. Existing standardization efforts are dysfunctional (such as XDAS) and/or incapable of handling the complexity of identity governance data. Therefore, non-standard integration paths remain the only practical option, often relying on direct access to audit records in relational database tables.
While the time-wise organized audit trail records are usually the primary and most authoritative auditing data that an IGA platform records, there are usually also secondary data - or rather metadata. Primary audit records contain comprehensive information. However, being strictly organized by time of the event, it is very difficult to work with such data. Therefore, interesting parts of auditing data are also recorded in a secondary form, usually as metadata. For example, object metadata usually describe the time when an object was created, who has created it, when it was modified for the last time, who initiated the modification, when was a role assigned to a user, who has approved the assignment and so on. Similarly, auditing capability may store summarized data, such as number of created users during a specific time interval. The metadata and summarized data are often used by identity analytics and reporting capability.
Auditing is critical IGA functionality with respect to accountability. We live in complicated world, interacting within complex and ever-changing organizations, knowing who has done what and when is often critical to keep our world going around. Auditing provides such capability for IGA systems. However, as the world around us is complex, the same complexity is reflected to audit data records as well. While auditing may seem like a straightforward capability, it is everything but. It has to be carefully planned and designed, especially considering the storage or long-term data.
Some analysts include synchronization and reconciliation functionality into auditing capability. While this may make sense from some specific point of view, recording an audit trail and synchronization are two vastly different functionalities, serving different purposes. Therefore we have chosen to maintain them as separate capabilities.
While significant part of metadata are maintained by auditing capability, some metadata are maintained by other capabilities. For example, provenance metadata are usually set by synchronization capabilities, or attribute mapping mechanisms.