Risk-Based Approach To Identity Governance

First step is to understand the risk. Identity governance systems have to analyze the risk, identify high-risk spots, provide data for informed decision-making.

Identity governance systems have a huge advantage over most other systems in cybersecurity field. The data that identity governance systems use are structured. Good identity governance system does not only store the data, it understands them. It knows what is a meaning of user account, what role and entitlement mean, what privileges are granted by them. Such structured information is an ideal foundation for risk modeling.

Identity governance system can be used to assign elemental risk levels to individual entitlements, such as Active Directory groups or application privileges. This elemental information can be processed by a risk model, computing risks for individual users, organizational units, projects and overall risk for the organization. This process can be automated, providing almost-real-time information for cybersecurity professionals.

Risk model can be expanded to consider common cybersecurity risks, such as orphaned or unused accounts. Risk of roles can be automatically computed based on their composition and other parameters, highlighting sensitive roles that require special attention. The model can identify security hot-spots, such as over-privileged users, or a dangerous accumulation or risk in a single organizational unit. The model can be used to manage residual risk, making sure residual risk is acceptable, that there are no users with dangerous combinations of privileges. Moreover, the system is dynamic, always following up-to-date data. It can be proactive, it can generate real-time notifications when risk grows above acceptable levels. The model can provide insights at such fidelity and speed that no human analyst could ever match.

This approach is poles apart from the futile paper-based risk modeling of 20th century. As identity governance data are directly bound to the underlying information systems, the risk information is always reliable, based on real data rather than guesswork.

Second step is an ability to efficient act, based on reliable data about risks.

When it comes to identity management, system administrators and security professionals are fighting an uphill battle. The environment is changing faster than they can act. New users are being enrolled and retired, privilege assignment is changing every day, there are re-organizations, policy changes, applications are deployed and decommissioned all the time. Security professionals are not able to pay attention to every change around them. There are tens of thousands of users and roles spread across hundreds of applications, creating almost unimaginable number of user-role-application combinations that need to be managed. It is not physically possible to approve every role request, to review every role assignment after every small organizational change, to analyze fine-grained privileges of every minor application. Security professionals need to prioritize, pay close attention to important stuff, delegating the less important tasks. However, there comes the crucial question: How do we know what is important? Every security professional knows the answer: risk. Users, roles and applications that pose the highest risk need much more attention than a minor auxiliary applications that pose only marginal risk.

Fortunately, we have our automated risk model. Now we know where the risks are. We can prioritize. We can find users that pose the highest risk for our organization, and we can re-certify their access rights using special micro-certifications. This approach focuses all the attention to few powerful users, as opposed to traditional re-certification campaigns where the risky users are desperately lost among thousands of other users. Focused re-certifications increase the probability that privileges will be removed, mitigating a security hot-spot. As focused micro-certifications require only a fraction of an effort of a full certification campaign, micro-certifications can be triggered more frequently. The same approach can be applied to review of risky roles, reviewing them much more often than low-risk roles. Similarly, requests and approval of new roles assignments may be governed by risk information as well. The obvious option is to apply special approval schemes for sensitive, high-risk roles. However, a combination of many common roles can also cause a dangerous accumulation of access rights. Therefore, it would be a good idea to apply special approval schemes for users that have reached high risk score by accumulating many low-risk privileges, avoiding creation of security hot-spots in the first place. There are many more options when a risk score is processed as a native part of identity governance: identifying risky applications (e.g. application with lot of administrators), automatic deactivation of orphaned privileged accounts, motivating or enforcing on-demand and time-limited assignment of privileged roles and so on.

It is perhaps no big surprise for security professionals that risk information permeates all the usual identity governance processes. For example, role mining can provide a helpful assistance even without risk information. Role mining identifies clusters of similar access rights, suggesting creation of new roles. However, it is often difficult to focus role mining activities on the right combination of privileges. Role mining algorithms do not understand what the privileges mean, they only focus on how similar they are to each other. This can be disorienting, misguiding the people to focus a lot of attention at unimportant roles, missing the important ones. Yet, when supplemented by risk data, role mining can become an indispensable tool in cybersecurity toolbox. Risk information can focus role mining activities at important, high-risk combination of privileges. When a high-risk privilege combination is formalized as a role it is much easier to maintain and review, making overall risk more manageable.

Similar benefit can be seen in outlier detection mechanisms. Outlier is a user that has different access rights than other users in the same category. Outlier detection algorithms are approximate, working with fuzzy concepts. Also, it is quite normal that the access rights in your organization are not entirely unified. Many users will accumulate many unique privileges during their long careers in your organization, effectively making them outliers. Therefore, it is very likely that there will be huge number of outliers, especially at the early stage when identity governance processes are rolled out. Once again, risk management can provide an essential assistance at that point. Outliers with high risk scores can be prioritized,

Risk model can uncover areas of concentrated risk that are far from obvious. It is quite natural that high-risk roles are subject to special approval and review schemes, to make sure that there are only few users that have high-risk roles. However, a medium-risk role given to large number of users also creates a high-risk situation, greatly increasing potential attack surface. It is usually not feasible to apply special approval and review schemes to all medium-risk roles. Especially frequent re-certification campaigns for popular medium-risk roles require huge amount of effort, often resulting in pointless rubber-stamping exercise. Risk model can easily identify such roles. However, as re-certification is not an efficient solution to reduce risk posed by such roles, quite a different mechanism must be employed. The ideal solution would be to assign and unassign such roles automatically, effectively eliminating the need for huge re-certification campaigns. However, such automation assumes existence of policy: a rule that can be used to manage role membership automatically. In simple cases, the rule for automatic role assignment is likely to be quite obvious. Security professionals might be able to determine the rule by manually analyzing role content, purpose and members. However, in complex cases the rule may not obvious, or there may be large number of such roles, making manual analysis infeasible. In such a case, policy mining can be used to suggest rule for automatic rules for role assignment and unassignment. Policy mining is similar to role mining, it is a pattern recognition mechanism. However, it analyzes existing members of a role, looking for similarities, such as common organizational unit, work responsibilities, location and so on. Once a common pattern is identified, rule for automatic role management can be established, based on common attributes.

We are taping into "collective knowledge" of organizational processes and policies. There is no single person that knows all the policies of your organization. There is not a even a single department, division or team that knows it. The policy is divided in thousands of pieces, distributed among many people through the organization. The policy is not explicitly specified, it is not formalized, it is not written down in sufficient details for automation. It cannot be used directly. Fortunately, the practical aspects of the policy are already implemented in your organization. Roles are created according to the implicit policies, decided by people that created the roles. Roles are assigned to users according to policy, guided by decisions of many individual approvers. The policy is there, hidden in a huge pile of accounts, privileges, roles, organizational units and attributes. We are using mining mechanisms to distill the policy, to find policy facets hidden in the data. Mining mechanisms can uncover the hidden patterns and rules, suggesting pieces of organizational polices to formalize and automate. Risk modeling is applied on top of mining algorithms, to focus attention and prioritize the effort.

Risk-based prioritization makes you start your cybersecurity program quickly, focusing attention to the worst problems. Focus on high-risk areas reduces risk at points with the highest potential gain, rapidly lowering overall organizational risk.

Third step is to govern, making sure everything runs smoothly, ensuring continuous improvement.

Security is not a sprint, it is a never-ending marathon. It is not enough to mine the roles, set up policies and model risk. The tasks have to be repeated over and over again. Roles must be maintained, assignments must be reviewed, data must be corrected, policies updated and improved. The cycle never ends.

Moreover, it is not enough to do the same things over and over again. Bruce Schneier once said: "Attacks always get better, they never get worse". The world is evolving, and the cybersecurity processes, programs and practices must evolve too.

"What is measured, improves" is a classic management adage. Reliable, measurable insights are key to any governance, cybersecurity and identity are no exceptions. However, there are not many meaningful metrics in cybersecurity and identity fields. Monitoring number of users or number of roles is easy, yet it does not provide very meaningful information. Even risk is a tricky metric to grasp. What does "medium risk" mean, exactly? How much risk is acceptable? How much risk is too much? What units do we use for measuring risk, anyway?

Risk is not an absolute objective value. It cannot be measured exactly, and it is extremely hard to compare across organizations. It does not mean much if we know that our overall risk is 42.56 or that our risk level is "low". However, risk is still a very useful metric when used in a relative way, put into proper context. We have seen how risk levels can be used to identify parts of the systems that are at higher risk than others. This is extremely useful for identifying hot-spots, places to focus our security improvements at. Yet, from a governance point of view, risk plays yet another crucial role. Even though individual risk values are not very useful, observing change of risk value over time provides essential insights. We know that we are doing good cybersecurity job if overall risk value steadily decreases. Our processes need major improvement if risk value consistently rises over long period of time. It is a critical warning sign if risk value suddenly surges. We can learn a lot about our cybersecurity efforts by watching the trends of overall risk value. Risk trends are essential metric of cybersecurity governance.

However, if we want to watch risk value trends, we need reliable, up-to-date and frequent information on organizational risks. This is not practically feasible without automation. However, risk-based approach to identity governance can provide crucial part of the risk evaluation, and it can provide it reliably (based on real data) and quickly (in almost-real-time). It is very hard to imagine proper cybersecurity governance in 21st century without the support of identity governance systems.