Acts of fraud, data tampering, privacy breaches, theft of intellectual property, and exposure of trade secrets have become front page news in today's business world. The security access risk posed by insiders—persons who are granted access to information assets—is growing in magnitude, with the power to damage brand reputation, lower profits, and erode market capitalization.
Identity Management (IM), also known as Identity and Access Management (IAM) or Identity Governance (IG), is the field of computer security concerned with the enablement and enforcement of policies and measures which allow and ensure that the right individuals access the right resources at the right times and for the right reasons. It addresses the need to ensure appropriate access to resources across increasingly heterogeneous technology environments and to meet increasingly rigorous compliance requirements. Escalating security and privacy concerns are driving governance, access risk management, and compliance to the forefront of identity management. To effectively meet the requirements imposed upon enterprises for identity management, these enterprises may be required to prove that they have strong and consistent controls over who has access to critical applications and data. In response to regulatory requirements and the growing security access risk, most enterprises have implemented some form of user access or identity governance.
Yet many companies still struggle with how to focus compliance efforts to address actual risk in what usually is a complex, distributed networked computing environment. Decisions about which access entitlements are desirable to grant a particular user are typically based on the roles that the user plays within the organization. In large organizations, granting and maintaining user access entitlements is a difficult and complex process, involving decisions regarding whether to grant entitlements to thousands of users and hundreds of different applications and databases. This complexity can be exacerbated by high employee turnover, reorganizations, and reconfigurations of the various accessible systems and resources.
Organizations that are unable to focus their identity compliance efforts on areas of greatest access risk can waste time, labor, and other resources applying compliance monitoring and controls across the board to all users and all applications. Furthermore, with no means to establish a baseline measurement of identity compliance, organizations have no way to quantify improvements over time and demonstrate that their identity controls are working and effectively reducing access risk.
Information Technology (IT) personnel of large organizations often feel that their greatest security risks stem from “insider threats” rather than from external attacks. The access risks posed by insiders range from careless negligence to more serious cases of financial fraud, corporate espionage, or malicious sabotage of systems and data. Organizations that fail to proactively manage user access can face regulatory fines, litigation penalties, public relations costs, loss of customer trust, and ultimately lost revenue and lower stock valuation. To minimize the security risk posed by insiders (and outsiders), business entities and institutions alike often establish access or other governance policies that eliminate or at least reduce such access risks, and implement proactive oversight and management of user access entitlements to ensure compliance with defined policies and other good practices.
However, even such proactive oversight may do little to ease the burden of compliance with regulatory requirements or the assessment of access requests for users in the enterprise environment. As but one example, enterprises are often required, by regulatory agencies or for other reasons, to conduct what is known as a certification campaign. A certification campaign is typically an enterprise-wide event that is performed regularly (e.g., quarterly) to validate the access entitlements held by the identities in the enterprise. These campaigns may be, for example, mandated as part of internal or sometimes external auditing processes. In some cases, failure to maintain certain levels of governance can result in hefty fines by government agencies. Typically, a certification campaign covers a large portion, if not the totality, of the population of identities of an enterprise.
Typically, during a certification campaign, a manager or an access entitlement owner is required to certify tens, if not hundreds or thousands, of identities for most, if not all, of the access entitlements held by these identities. In other words, the manager or access entitlement owner is presented with an identity and an associated entitlement and asked to approve or deny the assignment of that entitlement to that identity. As there may be tens of thousands of identities and perhaps hundreds of thousands (or more) entitlements in an enterprise, this certification requires substantial time and effort. Typically, IG industry solutions have provided these managers and access owners with bulk approval mechanisms to help automate certification events by making it feasible to issue many approve/deny decisions at once. For example, a manager could elect to approve most identities in bulk for the non-privileged access entitlements in order to focus on decisions pertaining to the privileged ones. As may be imagined, such bulk approval mechanisms encourage a less than thorough review of the actual entitlements granted to each identity. Thus, instead of increasing security and improving identity governance within the enterprise, these bulk approval methods and identity governance solutions have only served to propagate any existing security risks.
Similarly, an access request is the formal process in enterprise identity governance for granting an access entitlement (typically for the first time) to an identity. Usually, the manager of the identity or the entitlement owner must decide whether to approve or deny the requested entitlement(s) for that identity. Although the number of access requests may not compare to the number of items handled during a certification campaign, access requests typically require a higher level of scrutiny because they concern granting highly privileged entitlements or granting an entitlement to an identity for the first time. However, given the bulk approval mechanisms in typical IG solutions, a manager or entitlement owner may wait until a critical mass of access requests has built up and then use such bulk mechanisms to evaluate them en masse. Such a practice undermines either the security of the enterprise (e.g., by mass approval of entitlements, some of which may be security risks) or the functionality of the enterprise (e.g., by denying access entitlements to identities that actually need them to accomplish their work).
To assist in mitigating these security risks in an enterprise environment, therefore, it is of utmost importance to effectively analyze access or entitlement data in the enterprise environment to identify potential risks and accurately assign entitlements to identities. Consequently, what is desired are improved ways to quantitatively or qualitatively analyze access data in a distributed networked computing environment and to utilize the results of such analysis to improve identity governance in that environment, including the evaluation of the assignment of entitlements to identities and the approval or denial of the same.
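As an added illustration (not code from the original page, and not a description of any particular IG product's method) of the kind of access-data analysis the preceding paragraphs call for, the following Python script triages certification items and access requests instead of leaving the reviewer to bulk-approve everything. It applies the role-based reasoning from earlier in the text: an entitlement is sent for individual review if it is classed as privileged, if the holder's role has too few peers for comparison to mean anything, or if it is rare among peers holding the same role; everything else is a candidate for bulk approval. The identities, roles, entitlement identifiers, the privileged set, and the thresholds are all constructed assumptions.

```python
"""Triage certification items and access requests by privilege and peer-group rarity.

Added example (not code from the original page): each entitlement is compared
against what peers in the same role hold, so reviewers spend their attention on
privileged or unusual assignments instead of bulk-approving everything.
"""
from collections import Counter, defaultdict

# Constructed sample data: identity -> (role, entitlements held).
# Names and entitlement identifiers are hypothetical.
ASSIGNMENTS = {
    "alice": ("finance", {"ERP:AP_CLERK", "ERP:VIEW_INVOICES"}),
    "bob":   ("finance", {"ERP:AP_CLERK", "ERP:VIEW_INVOICES"}),
    "carol": ("finance", {"ERP:AP_CLERK", "ERP:VIEW_INVOICES", "ERP:APPROVE_PAYMENT"}),
    "dave":  ("finance", {"ERP:VIEW_INVOICES", "ERP:EXPORT_REPORTS", "DB:PROD_ADMIN"}),
    "erin":  ("engineering", {"GIT:PUSH", "CI:RUN"}),
    "frank": ("engineering", {"GIT:PUSH", "CI:RUN", "DB:PROD_ADMIN"}),
    "heidi": ("engineering", {"GIT:PUSH", "CI:RUN"}),
    "grace": ("security", {"SIEM:VIEW_DASHBOARDS"}),
}

# Entitlements the (hypothetical) organisation classes as privileged:
# these are always decided individually, never in bulk.
PRIVILEGED = {"DB:PROD_ADMIN", "ERP:APPROVE_PAYMENT"}


def peer_prevalence(assignments):
    """Return (prevalence, size): prevalence[role][ent] is the fraction of the
    role's members holding ent; size[role] is the number of members."""
    size = Counter()
    holders = defaultdict(Counter)
    for role, ents in assignments.values():
        size[role] += 1
        for ent in ents:
            holders[role][ent] += 1
    prevalence = {role: {e: n / size[role] for e, n in counts.items()}
                  for role, counts in holders.items()}
    return prevalence, size


def review_reason(role, ent, prevalence, size, privileged,
                  rare_threshold=0.5, min_peers=3):
    """Why an (identity-in-role, ent) pair needs an individual decision,
    or None if it is a safe candidate for bulk approval."""
    if ent in privileged:
        return "privileged"
    if size[role] < min_peers:
        # With one or two peers every entitlement looks "normal", so peer
        # comparison is meaningless; keep such items out of the bulk bucket.
        return f"peer group too small ({size[role]})"
    frac = prevalence.get(role, {}).get(ent, 0.0)
    if frac < rare_threshold:
        return f"held by {frac:.0%} of {role} peers"
    return None


def triage(assignments, privileged, rare_threshold=0.5, min_peers=3):
    """Split a certification campaign into items needing individual review
    and items that may be bulk-approved. Returns (review, bulk)."""
    prevalence, size = peer_prevalence(assignments)
    review, bulk = [], []
    for ident, (role, ents) in sorted(assignments.items()):
        for ent in sorted(ents):
            reason = review_reason(role, ent, prevalence, size, privileged,
                                   rare_threshold, min_peers)
            if reason:
                review.append((ident, ent, reason))
            else:
                bulk.append((ident, ent))
    return review, bulk


def assess_request(assignments, privileged, ident, ent, **kw):
    """Score a new access request the same way: None means the entitlement is
    ordinary for the requester's role; otherwise the reason for scrutiny."""
    prevalence, size = peer_prevalence(assignments)
    role, _ = assignments[ident]
    return review_reason(role, ent, prevalence, size, privileged, **kw)


if __name__ == "__main__":
    review, bulk = triage(ASSIGNMENTS, PRIVILEGED)
    print(f"{len(review)} items for individual review, {len(bulk)} bulk candidates")
    for item in review:
        print("  REVIEW", *item)
    print("request bob -> ERP:EXPORT_REPORTS:",
          assess_request(ASSIGNMENTS, PRIVILEGED, "bob", "ERP:EXPORT_REPORTS"))
    print("request erin -> GIT:ADMIN:",
          assess_request(ASSIGNMENTS, PRIVILEGED, "erin", "GIT:ADMIN"))
```

On the constructed data only five of the eighteen identity/entitlement pairs need an individual decision: the two privileged grants, dave's report-export entitlement that no other finance peer holds, and grace's entitlement, which is flagged solely because she is the only member of her role. The `min_peers` rule matters in practice: a freshly created role with one or two members would otherwise make every unusual entitlement look normal and slip it into the bulk bucket. A request is scored with the same function, so an entitlement that nobody in the requester's role holds is reported at 0% prevalence rather than silently approved.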