Facing the Ongoing Challenge of AuthZ Recertification
Oren Harel, March 6, 2017
Failing to keep Identity and Access Management (IAM) systems correctly calibrated within a dynamic business environment poses significant risk to companies. When AuthZ processes and controls are too loose, sensitive data is at risk and companies face censure for failing to meet statutory and other compliance obligations. But if controls are too tight, employees and subcontractors cannot do their work. Even worse, customers cannot access products and services. It is not for nothing that data security and IAM are garnering C-level attention, and that IAM investment represents 30 percent or more of the total information security budget of most large institutions. One way to be certain that this investment is well spent is to develop robust authorization recertification capacities within the broader context of access governance policy and implementation.
Recertification starts with clear IAM access policies
Recertification processes and policies, together with the technology that supports them, allow enterprises to answer the following questions on an ongoing basis: (a) are the right controls in place; (b) are the controls effective; and (c) can I meet and prove compliance? Good recertification processes and policies, with good supporting technology, let an enterprise answer all three affirmatively.
IAM governance involves the establishment and management of policies, processes and accountabilities for core IAM functions, such as defining roles and entitlements and managing approvals for access requests. It concerns the people and process elements of IT, and it is critical to the long-term success of any IAM deployment. To function effectively, IAM governance must involve the relevant cross-organizational team members, such as auditors, security personnel and the managers responsible for end-user access, who are able to confirm that the workflows and rules as configured within the provisioning system are correct.
A word to the wise: when setting governance policies and processes, avoid the temptation to limit the number and seniority of team members engaged. While nobody wants a bloated and unwieldy IAM access policy team, skimping on people and process will harm IAM functioning. This is because a provisioning system does exactly what it has been configured to do. If the rules are wrong, the tool will provision accounts incorrectly.
Access creep happens when employees change roles, gaining access suited to their new needs, while not giving up those areas of access that are no longer necessary for their new functions. This is of concern for two main reasons:
(a) an employee with access privileges no longer needed poses a risk should he or she ever be tempted to access data or use functions to the detriment of the company; and
(b) should that employee’s account be compromised, an attacker would gain a greater level of access to data or functions than they would have had the account been limited to just the access that the employee truly needed.
Recertification is a bulwark against the dangers of access creep, halting it while ensuring that all necessary access is facilitated.
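The access-creep review described above is easy to make concrete. The following Python is an added example, not code from the article or from PlainID: it compares what each account actually holds against the entitlement baseline of the account holder's current role, flags excess entitlements carried over from earlier roles, and flags separation-of-duties conflicts. The role catalogue, account snapshot and toxic-combination list are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data (not from the article): which entitlements each job
# role justifies, and what each account actually holds after role changes.
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"erp.invoice.read", "erp.invoice.approve"},
    "payroll": {"hr.payroll.read", "hr.payroll.run"},
    "helpdesk": {"ad.password.reset", "ticketing.read"},
}

ACCOUNTS = {
    # alice moved from accounts-payable to payroll and kept invoice approval
    "alice": {"role": "payroll",
              "entitlements": {"hr.payroll.read", "hr.payroll.run", "erp.invoice.approve"}},
    # bob's access matches his role exactly
    "bob": {"role": "helpdesk",
            "entitlements": {"ad.password.reset", "ticketing.read"}},
    # carol covered payroll during a leave period and never gave it back
    "carol": {"role": "accounts-payable",
              "entitlements": {"erp.invoice.read", "erp.invoice.approve", "hr.payroll.run"}},
}

# Entitlement sets that must never be held by one person (separation of duties).
TOXIC_COMBINATIONS = [
    ({"erp.invoice.approve", "hr.payroll.run"}, "approve invoices + run payroll"),
]


@dataclass
class ReviewItem:
    user: str
    excess: set        # held, but not justified by the current role
    missing: set       # expected by the role, but not held
    sod_violations: list


def review_account(user, account, roles=ROLE_ENTITLEMENTS, toxic=TOXIC_COMBINATIONS):
    """Compare one account against its role baseline and the SoD rules."""
    baseline = roles.get(account["role"], set())
    held = set(account["entitlements"])
    violations = [label for combo, label in toxic if combo <= held]
    return ReviewItem(user, held - baseline, baseline - held, violations)


def recertification_report(accounts=ACCOUNTS, roles=ROLE_ENTITLEMENTS):
    """Build the review list a certifier would work through."""
    return {user: review_account(user, acct, roles) for user, acct in accounts.items()}


def needs_reviewer_decision(item):
    """Only accounts with excess access or an SoD conflict need a human decision."""
    return bool(item.excess or item.sod_violations)


if __name__ == "__main__":
    for user, item in recertification_report().items():
        if needs_reviewer_decision(item):
            print(f"{user}: excess={sorted(item.excess)} sod={item.sod_violations}")
```

Running the block lists alice and carol for review (each holds one entitlement the current role does not justify, and each holds the toxic invoice-approval plus payroll-run pair), while bob is certified without a manual decision. Accounts with missing entitlements are reported separately, since recertification should restore needed access as well as remove stale access.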
Automating Recertification processes can optimize employee investment in access governance
While access governance relies on all three legs of technology, process and people, successful automation of processes and effective reliance on leading technology solutions can ensure: (a) that the employee time spent managing and implementing access governance is well spent; and (b) that the processes themselves are not overwhelmed by the scale of the challenge. As noted above, the scale of the challenge is significantly greater than in the past because of the ever-increasing pace of enterprise activity, and also because of the environmental complexity introduced by BYOD/IoT devices, the use of SaaS, and cloud-based applications.
IDaaS, IAM and the recertification processes going forward
Accepted industry wisdom states that we are entering a period of re-evaluation of the technologies in place and the standards that govern them. This re-evaluation aims to enable enterprises to better monitor and maintain control of their applications and data. With the increasing reliance on cloud-based applications and services, there is a constant threat of losing that control, which is anathema from the compliance, governance, and vulnerability perspectives.
At the same time, there is a clear understanding that IDaaS and various other cloud-based solutions respond to real needs, such as lowering the average number of distinct credentials per user. That number, a classic measure of IAM efficiency, has been used to justify single sign-on (SSO) initiatives and responds to the obviously problematic industry average of 10 to 12 unique accounts per user.
The extent and seriousness of the exposure that IAM must cope with have inspired unique solutions that open up new possibilities for IAM governance and overall process, including processes related to recertification. PlainID, for example, uses a dynamic rule engine to “calculate” authorizations based on time, place, event and other attributes, thus making authorization smarter and limiting exposure. It clearly visualizes the connections between people, devices and services and all of their authorizations.
PlainID separates the business logic, the Authorization policy, from the technical implementation, enabling certification of the policy, rather than the static roles. It eases the re-certification process, simplifying Authorization to one point of decision, one point of control and one point of view. This provides an elegant, agile, standards-based platform that lets business owners control and fine-tune access by facilitating a clear view and understanding of every authorization level.
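To illustrate what certifying a policy rather than a static role set looks like in practice, here is an added Python example; it is not PlainID's engine or API, and the rule format, attribute names and sample requests are all constructed for this illustration. Each policy is a data record stating the subject and context attributes (department, network location, time window, MFA event) a request must satisfy, so the thing a reviewer certifies is the rule itself, and the enforcement point simply evaluates it with default deny.

```python
from datetime import time

# Constructed policies (not a real product's format). Rules are data, so the
# policy can be reviewed and recertified apart from the code that enforces it.
POLICIES = [
    {
        "id": "payroll-run-business-hours",
        "action": "hr.payroll.run",
        "require": {
            "department": {"payroll"},          # who
            "network": {"corp-lan", "vpn"},     # place
            "hours": (time(8, 0), time(18, 0)), # time
            "mfa": True,                        # event: a fresh MFA step-up
        },
    },
    {
        "id": "invoice-read-finance",
        "action": "erp.invoice.read",
        "require": {"department": {"accounts-payable", "payroll", "audit"}},
    },
]


def rule_matches(rule, request):
    """True when every required attribute of the rule is satisfied."""
    attrs = {**request["subject"], **request["context"]}
    for key, expected in rule["require"].items():
        if key == "hours":
            start, end = expected
            if not (start <= request["context"]["time"] <= end):
                return False
        elif isinstance(expected, set):
            if attrs.get(key) not in expected:
                return False
        elif attrs.get(key) != expected:
            return False
    return True


def decide(request, policies=POLICIES):
    """Default deny: the first rule for the action that matches permits."""
    for rule in policies:
        if rule["action"] == request["action"] and rule_matches(rule, request):
            return ("PERMIT", rule["id"])
    return ("DENY", None)


def make_request(user, department, action, network, at, mfa):
    """Assemble a constructed access request from subject and context attributes."""
    return {
        "subject": {"user": user, "department": department},
        "action": action,
        "context": {"network": network, "time": at, "mfa": mfa},
    }


if __name__ == "__main__":
    req = make_request("alice", "payroll", "hr.payroll.run", "vpn", time(10, 0), True)
    print(decide(req))                                     # permitted inside the window
    req["context"]["time"] = time(22, 30)
    print(decide(req))                                     # same person, denied at night
```

Because the decision depends on the current attributes rather than on a role assigned months ago, a change of department or a request from an unapproved network is denied without anyone having to revoke anything; recertification then reduces to confirming that each rule still expresses the business owner's intent.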