Technical Field
This disclosure relates generally to the field of digital resource access, and more particularly to risk-based computer recertification of online access.
Background of the Related Art
Identity and Access Management Governance is a set of processes and policies for organizations to manage risks and maintain compliance with regulations and policies by administering, securing, and monitoring identities and their access to applications, information, and systems. Although potentially complex in implementation, the concept of Identity and Access Management (IAM) Governance is fairly straightforward: determine who should have access to what resources and who should not, according to government regulations, industry-specific regulations (SOX, HIPAA, GLBA, etc.), and business regulations and guidelines. Typically, key aspects of IAM Governance include access request governance, entitlement certifications, reports and audits, and analytics and intelligence (including role management, entitlement management, separation of duties enforcement, and privileged identity management). An end-to-end IAM Governance solution may also provide related functions, such as access enforcement, user provisioning, password management, and user lifecycle management.
Identity and access management (IAM) systems protect enterprise data and applications with context-based access control, security policy enforcement and business-driven identity governance. These systems may be operated in a standalone manner, in association with cloud-based environments, or in hybrid environments.
Automated systems for IAM health checking detect identity-centric risks within a governance system by scanning for one or more weakness patterns, such as too many administrators configured, account sharing, or cloning of access permissions. One IAM task involves conducting an audit of existing accounts and determining whether the entitlements associated with an identified account should be recertified. Recertification typically involves reaching out to a user proactively and asking whether he or she still needs the account. By giving advance notice of recertification, however, the system may increase security risk by reminding the user that he or she still has the account. Indeed, in certain circumstances the recertification notice may tip off an attacker, or a malicious insider, that the system has detected a dormant account, or perhaps an inappropriate use or ownership of an entitlement for the account. Having received such notice, and knowing that the entitlement is about to be removed or its misuse discovered, the individual may initiate or escalate an attack.
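The health-check scan described above, as an added example that is not part of the original disclosure or of any particular IAM product: it runs the three named weakness patterns (too many administrators, account sharing, cloned access permissions) over a constructed set of account records and lists dormant accounts as recertification candidates. The record fields, the admin limit, and the 90-day dormancy window are assumptions chosen for the example; account sharing is inferred from the distinct user identities observed using an account, which is assumed to have been joined in from session logs. How the flagged accounts are then recertified is left out, since the background does not describe it.

```python
"""IAM health-check scan over a constructed directory export."""
from collections import defaultdict
from datetime import date

# Constructed sample records (not real data). Field names are assumptions:
#   admin          - whether the account holds an administrative role
#   entitlements   - set of entitlement identifiers granted to the account
#   last_login     - date of the most recent authentication
#   session_users  - distinct human identities seen using the account
ACCOUNTS = [
    {"account": "alice",   "admin": True,  "entitlements": {"crm_read", "crm_write", "hr_view"},
     "last_login": date(2024, 5, 2),  "session_users": {"alice"}},
    {"account": "bob",     "admin": True,  "entitlements": {"crm_read", "crm_write", "hr_view"},
     "last_login": date(2024, 5, 3),  "session_users": {"bob"}},
    {"account": "carol",   "admin": True,  "entitlements": {"fin_read"},
     "last_login": date(2024, 4, 28), "session_users": {"carol"}},
    {"account": "svc_etl", "admin": False, "entitlements": {"db_read"},
     "last_login": date(2023, 9, 1),  "session_users": {"bob", "carol"}},
    {"account": "dave",    "admin": False, "entitlements": {"crm_read"},
     "last_login": date(2023, 11, 15), "session_users": {"dave"}},
    {"account": "erin",    "admin": False, "entitlements": {"db_read"},
     "last_login": date(2024, 5, 20), "session_users": {"erin"}},
]

MAX_ADMINS = 2               # assumed policy threshold
DORMANT_DAYS = 90            # assumed dormancy window
AS_OF = date(2024, 6, 1)     # fixed scan date so the example is deterministic


def too_many_admins(accounts, limit=MAX_ADMINS):
    """Return all admin accounts when their count exceeds the limit, else []."""
    admins = sorted(a["account"] for a in accounts if a["admin"])
    return admins if len(admins) > limit else []


def shared_accounts(accounts):
    """Accounts used by more than one distinct human identity."""
    return sorted(a["account"] for a in accounts if len(a["session_users"]) > 1)


def cloned_permissions(accounts, min_size=2):
    """Groups of accounts whose entitlement sets are identical.

    Single-entitlement sets are ignored (min_size) so that common read-only
    grants are not reported as clones.
    """
    groups = defaultdict(list)
    for a in accounts:
        if len(a["entitlements"]) >= min_size:
            groups[frozenset(a["entitlements"])].append(a["account"])
    return [sorted(g) for g in groups.values() if len(g) > 1]


def dormant_accounts(accounts, as_of=AS_OF, days=DORMANT_DAYS):
    """Accounts with no login inside the dormancy window: recertification candidates."""
    return sorted(a["account"] for a in accounts
                  if (as_of - a["last_login"]).days > days)


def health_check(accounts, as_of=AS_OF):
    """Run every weakness pattern and return one finding list per pattern."""
    return {
        "too_many_admins": too_many_admins(accounts),
        "shared_accounts": shared_accounts(accounts),
        "cloned_permissions": cloned_permissions(accounts),
        "recertify_dormant": dormant_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for pattern, hits in health_check(ACCOUNTS).items():
        print(f"{pattern}: {hits}")
```

On the constructed data the scan reports three administrators against a limit of two, the shared service account `svc_etl`, the identical entitlement sets of `alice` and `bob`, and two dormant accounts (`dave`, `svc_etl`). A real deployment would feed the same functions from a directory export and session logs rather than the inline list.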
It would be highly desirable to provide IAM systems with the ability to undertake recertification of accounts without at the same time increasing security risks associated with such activities.