The present invention relates generally to the field of digital resource access, and more particularly to risk-based computer recertification of online access.
Today's world has a heavy dependence upon system-based applications and data. Productivity and efficiency improvements increasingly rely on computer technology to enable a user access to applications, data, and communications to perform tasks. This dependence extends across business, educational and personal environments, and presents an on-going issue of reducing risks of malicious activity by controlling access.
Businesses experience concerns of trade secrets being exposed, loss of intellectual property, data tampering and negative public exposure. Educational institutions similarly share concern over loss of intellectual property, data tampering, and may include additional risk concerns over undesired exposure of contribution donors and financial gift receipts. Online application users can be exposed to identity theft, public exposure of personal detail and system compromise.
Concerns exist for attacks on information technology assets from the “outside”, meaning security breaches by hackers or by malicious software intended to penetrate system defenses and perform harmful tasks on the systems it compromises. Hardware and software advances continue to serve a market that addresses and protects against such intrusions. However, concerns continue to grow regarding attacks from “within” or from “insiders”, who are often willingly given access to systems and applications so that they can perform certain tasks, without regard to what additional, unintended access to resources may be included in that grant.
For many applications, networks, databases and other resources, users are given “access” by an authority or administrative role to enable activity associated with the resource. The conditions and limitations of the access for a given user are referred to as the “access entitlement” of the user, and include defined limitations as to the activities the user may perform with or on the resource. Access entitlements among users of the same resource can vary. For instance, a database administrator may have access and authority to read, write, edit, search, copy, delete and transfer data for a specific database, whereas others with access to the database may be limited to searching and reading data.
Identity management (IdM) is an administrative area that utilizes a system to identify individuals by membership or association, such as with a group, organization, company, etc. Additionally, an IdM system controls the individual's access to resources by use of restrictions or permissions. To facilitate better decisions for granting appropriate access, information regarding a user's request for access, their job role, and whether the access is a new request or a renewal is considered. However, this limited information can prove ineffective in preventing high-risk situations.
Control and oversight of resource access approval for individuals in business or enterprise organizations are further challenged by personnel turnover, dynamic day-to-day changes and organizational restructuring, as well as application version upgrades.
In large organizations, granting users the appropriate access entitlements to resources, and maintaining those entitlements over time, is a difficult task that can involve thousands of users and hundreds of resources. Resource access decisions and compliance verification responsibilities are typically allocated to supervisors or managers, who have few tools to facilitate decisions or identify risks and who, due to time constraints, often grant access in the belief that the individuals' performance will improve or at least not be impacted.