Typically, organizations have a high-level security policy which arises from the regulations the organizations are required to comply with. This high-level security policy is translated into specific access control permissions or entitlements for users on specific systems or applications. These policies define explicit rules for authentication and authorization (i.e., access control policies) and are enforced whenever a user requests access to resources.
Access control policies are created and maintained primarily manually by security administrators. Maintaining security policies is not only a huge workload for security administrators; an incorrect policy can also increase security risks such as data leakage and compliance issues. For a large organization with thousands of employees and resources, the number of policies can grow very large, and the policies can become very complicated. Furthermore, it is extremely hard to keep the policies up to date as employees are added, removed, and/or change their job responsibilities. In many cases, security administrators have little insight into whether the policies are adequate for the organization's purposes or how the policies are actually used. Further, at any given time, there is no guarantee that the enforced policies correctly implement the high-level security policy with which the organization has to comply.
To date there are no automated tools which can monitor the usage of entitlements or permissions and continuously verify that the usage correctly reflects the high-level security policy. While a number of tools exist to analyze static policies (e.g., role mining tools), these do not ensure that the policy is optimized to reflect the actual usage of permissions.
Therefore, techniques for optimizing the security policy to best reflect how permissions are actually being used as well as to monitor the usage to ensure that it complies with the intended security policy would be desirable.
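As an added illustration of the gap described above (this is example code, not part of the original text or of any product it describes), the following script reconciles a granted-entitlement table against observed access-log usage: entitlements that are never exercised are reported as revocation candidates, and successful accesses with no matching entitlement are flagged as enforcement that has drifted from the documented policy. The entitlement table, log format and all values are constructed for the example.

```python
"""Added example: reconcile granted entitlements against observed usage.
The entitlement table and log lines below are constructed, not real data."""
from collections import defaultdict

# Constructed entitlement table: user -> set of (resource, action) permissions.
ENTITLEMENTS = {
    "alice": {("payroll-db", "read"), ("payroll-db", "write"), ("hr-share", "read")},
    "bob":   {("hr-share", "read"), ("hr-share", "write")},
}

# Constructed access-log lines: "timestamp user resource action result".
ACCESS_LOG = """\
2024-01-03T09:12:01Z alice payroll-db read ALLOW
2024-01-03T09:13:40Z alice payroll-db read ALLOW
2024-01-04T11:02:15Z bob hr-share read ALLOW
2024-01-05T16:45:09Z bob payroll-db read ALLOW
2024-01-06T08:30:00Z carol hr-share write DENY
"""

def parse_log(text):
    """Yield (user, resource, action, result) for each well-formed log line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the review
        _ts, user, resource, action, result = fields
        yield user, resource, action, result

def reconcile(entitlements, log_text):
    """Return (unused, unexpected):
    unused     -- per user, entitlements never exercised (revocation candidates)
    unexpected -- successful accesses with no matching entitlement (the enforced
                  policy no longer matches the documented one; investigate)"""
    used = defaultdict(set)
    unexpected = set()
    for user, resource, action, result in parse_log(log_text):
        if result != "ALLOW":
            continue  # a denied attempt is not usage of an entitlement
        used[user].add((resource, action))
        if (resource, action) not in entitlements.get(user, set()):
            unexpected.add((user, resource, action))
    unused = {u: perms - used[u] for u, perms in entitlements.items()}
    return {u: p for u, p in unused.items() if p}, unexpected

if __name__ == "__main__":
    unused, unexpected = reconcile(ENTITLEMENTS, ACCESS_LOG)
    for user, perms in sorted(unused.items()):
        print(f"{user}: never used {sorted(perms)}")
    for item in sorted(unexpected):
        print("allowed access outside documented entitlements:", item)
```

Run over a real log, the two outputs correspond to the two needs the text names: trimming the policy toward actual usage, and detecting enforcement that no longer matches the intended policy.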