Technical Field
This disclosure relates generally to the field of digital resource access, and more particularly to detecting identity-centric risks within a computing machine-based governance system.
Background of the Related Art
Identity and Access Management Governance is a set of processes and policies that organizations use to manage risks and maintain compliance with regulations and policies by administering, securing, and monitoring identities and their access to applications, information, and systems. Although potentially complex in implementation, the concept of Identity and Access Management (IAM) Governance is fairly straightforward: determine who should have access to what resources and who should not, according to government regulations, industry-specific regulations (SOX, HIPAA, GLBA, etc.), and business regulations and guidelines. Typically, key aspects of IAM Governance include access request governance, entitlement certifications, reports and audits, and analytics and intelligence (including role management, entitlement management, separation of duties enforcement, and privileged identity management). An end-to-end IAM Governance solution may also provide related functions, such as access enforcement, user provisioning, password management, and user lifecycle management.
Identity and access management (IAM) systems protect enterprise data and applications with context-based access control, security policy enforcement and business-driven identity governance. These systems may be operated in a standalone manner, in association with cloud-based environments, or in hybrid environments.
Automated systems for IAM health checking detect identity-centric risks within a governance system by scanning for one or more weakness patterns, such as too many “admins” (privileged accounts) configured, account sharing, or cloning of access permissions. While detecting these and other such conditions provides useful information, known detection mechanisms are time-consuming and require large amounts of data to be read or extracted from the systems being governed. Further, identifying “admins” is not always straightforward, as such accounts are not always classified in an “admin” group.
It would be desirable to provide IAM systems with the ability to identify admin and other types of accounts in an efficient and reliable manner.
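The following is an added illustration, not part of this disclosure, of the three weakness patterns named above (too many privileged accounts, account sharing, cloned access permissions) applied to a constructed snapshot of accounts and login sessions. It also shows why group membership alone is an unreliable admin indicator: one account below holds an administrative entitlement while sitting in a non-admin group. The account records, the privileged-entitlement list, the login events and the 20% admin threshold are all assumptions made for the example.

```python
"""Toy IAM health check over a constructed snapshot (example code, not from the disclosure)."""
from collections import defaultdict
from itertools import combinations

# Constructed sample accounts for a hypothetical tenant: group names and entitlement sets.
ACCOUNTS = [
    {"id": "alice",   "groups": ["admins"],      "entitlements": {"iam:grant", "db:read", "db:write"}},
    {"id": "bob",     "groups": ["engineering"], "entitlements": {"db:read"}},
    {"id": "carol",   "groups": ["engineering"], "entitlements": {"db:read"}},
    {"id": "dave",    "groups": ["support"],     "entitlements": {"iam:grant", "db:read", "db:write"}},
    {"id": "svc-etl", "groups": ["batch"],       "entitlements": {"db:read", "db:write"}},
    {"id": "erin",    "groups": ["engineering"], "entitlements": {"db:read", "db:write"}},
]

# Assumed: entitlements that confer administrative power regardless of group name.
PRIVILEGED_ENTITLEMENTS = {"iam:grant", "sudo:all"}

# Constructed login sessions: (account, source_host, start_minute, end_minute).
LOGINS = [
    ("svc-etl", "10.0.0.5", 0, 30),
    ("svc-etl", "10.0.9.7", 10, 20),   # overlaps a session from a different host
    ("bob",     "10.0.0.8", 0, 15),
    ("bob",     "10.0.0.8", 5, 25),    # same host: two sessions by one person is not sharing
]


def privileged_accounts(accounts, privileged=PRIVILEGED_ENTITLEMENTS):
    """Return (id, reason) for accounts that are admin by group name OR by entitlement.

    Checking entitlements catches admins that are not filed under an 'admins' group.
    """
    found = []
    for acct in accounts:
        by_group = "admins" in acct["groups"]
        by_entitlement = bool(acct["entitlements"] & privileged)
        if by_group or by_entitlement:
            found.append((acct["id"], "group" if by_group else "entitlement"))
    return found


def too_many_admins(accounts, max_fraction=0.2):
    """Flag the tenant when the privileged share of accounts exceeds max_fraction."""
    admins = privileged_accounts(accounts)
    return len(admins) / len(accounts) > max_fraction, admins


def cloned_permissions(accounts, min_size=2):
    """Group accounts that hold identical entitlement sets of at least min_size.

    Identical non-trivial sets are the signature of copy-pasted access rather than
    role-based assignment; single-entitlement accounts are ignored as noise.
    """
    by_set = defaultdict(list)
    for acct in accounts:
        if len(acct["entitlements"]) >= min_size:
            by_set[frozenset(acct["entitlements"])].append(acct["id"])
    return {ents: ids for ents, ids in by_set.items() if len(ids) > 1}


def shared_accounts(logins):
    """Flag accounts with time-overlapping sessions from different source hosts."""
    sessions = defaultdict(list)
    for acct, host, start, end in logins:
        sessions[acct].append((host, start, end))
    flagged = set()
    for acct, sess in sessions.items():
        for (h1, s1, e1), (h2, s2, e2) in combinations(sess, 2):
            if h1 != h2 and s1 < e2 and s2 < e1:   # distinct hosts, intervals intersect
                flagged.add(acct)
    return sorted(flagged)


if __name__ == "__main__":
    over, admins = too_many_admins(ACCOUNTS)
    print("privileged accounts:", admins, "| over threshold:", over)
    for ents, ids in cloned_permissions(ACCOUNTS).items():
        print("cloned entitlements", sorted(ents), "->", ids)
    print("shared accounts:", shared_accounts(LOGINS))
```

Run on the constructed data, the check reports "dave" as privileged by entitlement despite being in the "support" group, flags the tenant because two of six accounts are privileged, groups "alice"/"dave" and "svc-etl"/"erin" as holding cloned entitlement sets, and flags "svc-etl" as shared because of concurrent sessions from two hosts. A real health check would read account and session records from the governed systems rather than in-memory lists, which is exactly the data-volume cost the disclosure points to.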