The Business Value for IAM AI
Several IAM vendors have either released or are working on integrating artificial intelligence (AI) and machine learning (ML) into their Identity Governance and Administration (IGA) products. Beyond the marketing hype of artificial intelligence, what exactly do AI and machine learning give us?
The Access Decision Dilemma
Access certification campaigns have been a staple of information security programs since we have had to spell SOX. The ability to prove that managers and/or application owners have reviewed existing users' access on a regular basis is the foundation of keeping auditors happy and keeping board members out of jail. So, what exactly is the issue? It's that satisfying risk and compliance requirements is only a passing grade. To really achieve security we need to ensure that users only retain the access that they need to perform their job (i.e. least privilege).
Doesn't conducting regular access reviews achieve this? To answer this question, let's look at the individuals who are responsible for making these decisions. Access reviews are typically run by the information security team. This team is responsible for ensuring that application access is securely collected, collated and sent to the proper decision makers, typically the user's manager or the application owner, and for ensuring that access decisions are fulfilled and auditable. Application owners understand what a specific entitlement grants users access to, but may not understand the business well enough to decide whether specific users should have that access or not.
Similarly, user or department managers understand what users do from a business perspective but may not understand the technical details of the entitlements they are being asked to review. One solution for this is to provide managers with business-friendly context for the access they are being asked to review, but collecting this information is incredibly laborious and needs to be reviewed and renewed over time. Without the business context of how revoking a user's access will affect their ability to perform their job, managers will always err on the side of productivity. The result is that most access reviews are rubber stamped and users retain access that they no longer need for their current role.
Another common issue is the huge number of access decisions that reviewers are asked to make on a regular basis. During an assessment at a large financial organization we found that one application owner had over 32,000 access decisions to make on a quarterly basis. The reality is that there are not enough hours in a day for even a small army of informed reviewers to effectively decide, case by case, whether each access is appropriate or not.
Enter the machines...
Artificial Identity Intelligence
Artificial intelligence and machine learning are all about pattern recognition and, more importantly, finding exceptions to the patterns. By applying AI and ML techniques to identity and access data we can uncover several important patterns to aid in access decisions. These include:
Peer-Group Analysis
Using HR data such as department, title, job code and location to segment users lets us identify common and uncommon access patterns within each segment, a technique known as peer-group analysis. Providing decision makers with details around what is common allows them to focus on what is uncommon amongst populations of users; in other words, managers and application owners can focus on the exceptions rather than the rules. By bulk-approving common, low-risk access, managers and application owners can spend their attention on the uncommon access amongst user populations, which drives better decisions and moves the organization toward least privilege.
Time-based Anomalies
The problem with periodic access reviews is that they are periodic. Even if an organization is performing quarterly access reviews, there are several months in between where users can be granted inappropriate access. Using AI and ML, these anomalies can be detected when they happen and trigger actions such as email notifications, on-demand access reviews and alerts in a security dashboard. In the worst case this guards against fraud and collusion, such as a system administrator granting an unauthorized user access and removing it before the next certification campaign to stay under the radar.
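The scenario above (an out-of-band grant that is revoked again before the next campaign) is easy to catch if the IGA system replays its own change log against the campaign calendar. The following is an added example, not code from any vendor's product: the event shape, the campaign dates and the log entries are constructed for illustration, and a real deployment would read them from the IGA audit store.

```python
"""Detecting access changes that would slip between certification campaigns.
Added example, replaying a constructed IGA event log; not vendor code."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    action: str                # "grant" or "revoke"
    user: str
    entitlement: str
    actor: str                 # who made the change
    request_id: Optional[str]  # None: no approved access request behind it


# Constructed quarterly campaign start dates.
CAMPAIGNS = [date(2023, 1, 1), date(2023, 4, 1), date(2023, 7, 1)]

# Constructed event log. bob's erp_vendor_admin is granted directly by an
# admin (no request) and pulled again before the April campaign could see it.
EVENTS = [
    AccessEvent(datetime(2023, 1, 10, 9, 0), "grant", "alice", "erp_ap_view", "iga-workflow", "REQ-1001"),
    AccessEvent(datetime(2023, 2, 3, 22, 15), "grant", "bob", "erp_vendor_admin", "sysadmin_jsmith", None),
    AccessEvent(datetime(2023, 3, 20, 23, 40), "revoke", "bob", "erp_vendor_admin", "sysadmin_jsmith", None),
    AccessEvent(datetime(2023, 5, 5, 10, 30), "grant", "carol", "erp_ap_post", "iga-workflow", "REQ-1042"),
    AccessEvent(datetime(2023, 6, 15, 14, 0), "revoke", "alice", "erp_ap_view", "iga-workflow", "REQ-1100"),
]


def review_period(ts: datetime, campaigns: List[date]) -> int:
    """Index of the campaign whose review window the timestamp falls in
    (-1 if before the first campaign)."""
    period = -1
    for i, start in enumerate(campaigns):
        if ts.date() >= start:
            period = i
    return period


def detect_anomalies(events, campaigns) -> List[Tuple[str, str, str, str, datetime]]:
    """Replay events in time order and raise two kinds of alert:
    out_of_band_grant: a grant with no approved request behind it;
    hidden_access: a grant revoked within the same review period, so no
    certification campaign would ever have shown it to a reviewer."""
    alerts = []
    open_grants = {}  # (user, entitlement) -> the grant event still in force
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.entitlement)
        if ev.action == "grant":
            if ev.request_id is None:
                alerts.append(("out_of_band_grant", ev.user, ev.entitlement, ev.actor, ev.ts))
            open_grants[key] = ev
        elif ev.action == "revoke":
            grant = open_grants.pop(key, None)
            if grant and review_period(grant.ts, campaigns) == review_period(ev.ts, campaigns):
                alerts.append(("hidden_access", ev.user, ev.entitlement, grant.actor, grant.ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(EVENTS, CAMPAIGNS):
        print(*alert)
```

Run against the constructed log, only bob's erp_vendor_admin trips both checks: once at grant time (no request behind it) and again at revoke time (granted and removed inside the same review period). alice's erp_ap_view spans two periods, so it was visible to the April campaign and is not flagged. The grant-time check is the one to wire to immediate notifications; the revoke-time check is what surfaces the "under the radar" pattern the paragraph describes.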
Intelligent Access Requests
While we have been talking about access reviews, requesting access is equally important. When onboarding new users, many organizations require the hiring manager to submit requests for the access that the user will need to perform their job, and in many cases the manager doesn't know what to request for the same reasons described above. In many organizations this is done through a "like Mike" request to duplicate an existing user's access, which is extremely bad practice, especially if the manager doesn't have visibility into what the user they are asking to duplicate actually has access to. AI-driven access requests will give the manager or requester intelligent suggestions of what a new employee or contractor may need based on demographic information such as their title, department, job code and/or location. Such systems also give the requester an intelligent risk analysis when the access they are about to request is unusual or high-risk.
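Peer-group analysis (the section above on common versus uncommon access) and intelligent access requests are two uses of the same statistic: how prevalent each entitlement is among a user's peers. The example below is added here to make that concrete and is not the code of any IGA vendor. The HR attributes, entitlement names, the seven sample users and the 75%/25% thresholds are all constructed assumptions; a real system would pull the attributes from the HRIS, include job code, and tune the thresholds per application risk.

```python
"""Peer-group analysis and access-request suggestions over identity data.
Added example; not the code of any IGA vendor."""
from collections import Counter, defaultdict


# Constructed sample data: HR attributes plus each user's current entitlements.
def _user(dept, title, loc, *ents):
    return {"dept": dept, "title": title, "loc": loc, "ents": set(ents)}


USERS = {
    "alice": _user("Finance", "Accountant", "Austin", "erp_ap_view", "erp_ap_post", "vpn"),
    "bob":   _user("Finance", "Accountant", "Austin", "erp_ap_view", "erp_ap_post", "vpn"),
    "carol": _user("Finance", "Accountant", "Austin", "erp_ap_view", "erp_ap_post", "vpn",
                   "erp_vendor_admin"),  # the outlier among the accountants
    "dave":  _user("Finance", "Accountant", "Austin", "erp_ap_view", "vpn"),
    "grace": _user("Finance", "Accountant", "Austin", "erp_ap_view", "erp_ap_post", "vpn"),
    "erin":  _user("IT", "Help Desk Engineer 1", "Austin", "ad_helpdesk", "ticketing", "vpn"),
    "frank": _user("IT", "Help Desk Engineer 1", "Austin", "ad_helpdesk", "ticketing", "vpn"),
}

# Attributes that define a peer group (assumed; job code would be added with real HR data).
PEER_KEYS = ("dept", "title", "loc")


def peer_key(user):
    return tuple(user[k] for k in PEER_KEYS)


def entitlement_prevalence(users):
    """Per peer group, the fraction of members holding each entitlement."""
    groups = defaultdict(list)
    for name, u in users.items():
        groups[peer_key(u)].append(name)
    prevalence = {}
    for key, members in groups.items():
        counts = Counter(e for m in members for e in users[m]["ents"])
        prevalence[key] = {e: c / len(members) for e, c in counts.items()}
    return prevalence


def classify_access(users, common=0.75, rare=0.25):
    """Split each user's entitlements into bulk-approvable ("common") and
    review-worthy ("uncommon") buckets. Thresholds are assumptions."""
    prev = entitlement_prevalence(users)
    result = {}
    for name, u in users.items():
        p = prev[peer_key(u)]
        result[name] = {
            "common": sorted(e for e in u["ents"] if p[e] >= common),
            "uncommon": sorted(e for e in u["ents"] if p[e] < rare),
        }
    return result


def decision_summary(users, **thresholds):
    """How many certification decisions could be bulk-approved vs. reviewed."""
    classes = classify_access(users, **thresholds)
    return {
        "total": sum(len(u["ents"]) for u in users.values()),
        "bulk_approvable": sum(len(c["common"]) for c in classes.values()),
        "needs_review": sum(len(c["uncommon"]) for c in classes.values()),
    }


def suggest_access(users, dept, title, loc, threshold=0.75):
    """Suggest entitlements for a new hire from what their peers commonly hold."""
    prev = entitlement_prevalence(users).get((dept, title, loc), {})
    return sorted(e for e, share in prev.items() if share >= threshold)


def request_risk(users, dept, title, loc, entitlement, rare=0.25):
    """Flag a requested entitlement as unusual if few (or no) peers hold it."""
    prev = entitlement_prevalence(users).get((dept, title, loc), {})
    share = prev.get(entitlement, 0.0)
    return {"entitlement": entitlement, "peer_share": share,
            "verdict": "unusual" if share < rare else "common"}


if __name__ == "__main__":
    for name, c in classify_access(USERS).items():
        print(name, c)
    print(decision_summary(USERS))
    print(suggest_access(USERS, "Finance", "Accountant", "Austin"))
    print(request_risk(USERS, "Finance", "Accountant", "Austin", "erp_vendor_admin"))
```

On the constructed data, 20 of the 21 entitlements are held by most of the holder's peers and can be bulk-approved; the one decision left for a human is carol's erp_vendor_admin, which no other accountant has. The same prevalence table answers the onboarding question: a new Austin accountant is suggested erp_ap_view, erp_ap_post and vpn, and a request for erp_vendor_admin comes back as unusual. Note that a request from a peer group the system has never seen also scores as unusual, which is the safe default.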
Effective Role Management
Role-based identity management has been the nirvana of the IAM industry since the late 90s. The idea that an IGA system can automatically assign a role to a user based on data from an authoritative system such as an HRIS, and automatically provision the user's access, has been an elusive goal of most IAM projects over the last 20 years. The problem is that most IGA solutions are not intelligent and require many hours of analysis, typically with spreadsheets and pivot tables, to identify the patterns among groups of users and determine what access should be provisioned with a role.
Many IGA solutions have incorporated role mining and role modeling capabilities to help with this. These solutions allow you to run an analysis on a small group of users to identify patterns of access that can be packaged in a role. There are a few caveats to utilizing a traditional role mining solution:
Garbage In = Garbage Out
Unless you have implemented effective access reviews and ensured that existing users only have the access that they need, you will end up with roles that are bloated with unneeded access. Bloated roles hide the issue and effectively make the problem of ensuring least privilege worse. Incorporating AI into access reviews as described above helps solve this.
The SoD Conundrum
Organizations that have separation-of-duty concerns need to be careful when implementing roles through role mining. Some IGA solutions have the ability to enforce SoD policies when running role mining to ensure that toxic combinations of access don't end up hidden in a role. This of course requires SoD policies to be fully built out before performing role mining.
Expecting an AI solution to identify SoD conflicts without any input is a bit of a stretch, but we should expect that AI-driven role mining will be able to effectively incorporate SoD policies in the analysis.
Role Mining Is Incomplete
Traditional role mining solutions only address half of the problem, which is identifying patterns of access within an already identified user population. Before you run an analysis you have to specify how you want the users and applications to be included, for example all users in a specific department or with a specific title. Current role mining capabilities in IGA solutions cannot analyze large communities of users and work out how those users should be optimally divided based on common attributes. That has to be decided manually up front.
AI-driven role mining will have the ability to analyze large populations of users (e.g. all employees) to not only identify patterns of access but, more importantly, how those patterns align to common attributes among sub-populations of users. For example, all users in the Austin office with title "Help Desk Engineer 1". This is not an offering of any AI solution today, but it is definitely in the art of the possible and, based on conversations I have had with multiple vendors, it is in the works.
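The two caveats above, SoD enforcement during mining and choosing the attribute split, can be shown together in a small search: for each combination of HR attributes, group the population, keep the entitlements that nearly all members of a group hold, strip any toxic combination the SoD policy forbids, and score the split by how much of the population's access the resulting roles would provision. The following is an added example written for this post, not the role-mining of any IGA product; the eleven-user population, the entitlement names, the single SoD policy and the 80% membership threshold are constructed assumptions.

```python
"""Attribute-aligned role mining with SoD enforcement.
Added example; not the code of any IGA product."""
from collections import Counter, defaultdict
from itertools import combinations


# Constructed sample population: HR attributes plus current entitlements.
def _u(dept, title, loc, *ents):
    return {"dept": dept, "title": title, "loc": loc, "ents": set(ents)}


ACCT = ("erp_ap_view", "erp_ap_post", "vpn")
DALLAS_EXTRA = ("erp_dallas_ledger", "erp_vendor_create", "erp_vendor_pay")
USERS = {
    "a1": _u("Finance", "Accountant", "Austin", *ACCT),
    "a2": _u("Finance", "Accountant", "Austin", *ACCT),
    "a3": _u("Finance", "Accountant", "Austin", *ACCT),
    "a4": _u("Finance", "Accountant", "Austin", *ACCT, "erp_vendor_create"),
    # The small Dallas office never segregated vendor create and vendor pay.
    "d1": _u("Finance", "Accountant", "Dallas", *ACCT, *DALLAS_EXTRA),
    "d2": _u("Finance", "Accountant", "Dallas", *ACCT, *DALLAS_EXTRA),
    "d3": _u("Finance", "Accountant", "Dallas", *ACCT, *DALLAS_EXTRA),
    "h1": _u("IT", "Help Desk Engineer 1", "Austin", "ad_helpdesk", "ticketing", "vpn"),
    "h2": _u("IT", "Help Desk Engineer 1", "Austin", "ad_helpdesk", "ticketing", "vpn"),
    "s1": _u("IT", "Systems Engineer", "Austin", "ad_admin", "ticketing", "vpn"),
    "s2": _u("IT", "Systems Engineer", "Austin", "ad_admin", "ticketing", "vpn"),
}
ATTRS = ("dept", "title", "loc")
# Assumed SoD policy: toxic combinations that must never be bundled into one role.
SOD_POLICIES = [frozenset({"erp_vendor_create", "erp_vendor_pay"})]


def apply_sod(entitlements, policies):
    """Remove toxic combinations from a candidate role and report what was hit.
    Both sides of the pair are left out of the role so they must be requested
    individually, where the normal SoD check applies."""
    clean, hits = set(entitlements), []
    for pair in policies:
        if pair <= clean:
            hits.append(pair)
            clean -= pair
    return clean, hits


def mine_roles(users, keys, policies, min_share=0.8, min_members=2):
    """One candidate role per distinct combination of the chosen attributes."""
    groups = defaultdict(list)
    for name, u in users.items():
        groups[tuple(u[k] for k in keys)].append(name)
    roles = []
    for values, members in groups.items():
        if len(members) < min_members:  # a one-person role is not a pattern
            continue
        counts = Counter(e for m in members for e in users[m]["ents"])
        core = {e for e, c in counts.items() if c / len(members) >= min_share}
        clean, hits = apply_sod(core, policies)
        roles.append({"filter": dict(zip(keys, values)), "members": sorted(members),
                      "entitlements": clean, "sod_violations": hits})
    return roles


def coverage(users, roles):
    """Share of all held entitlements that the mined roles would provision."""
    total = sum(len(u["ents"]) for u in users.values())
    covered = sum(len(users[m]["ents"] & r["entitlements"])
                  for r in roles for m in r["members"])
    return covered / total


def find_best_partition(users, attrs, policies):
    """Try every attribute combination; keep the smallest set with the best coverage."""
    best = None
    for n in range(1, len(attrs) + 1):
        for keys in combinations(attrs, n):
            roles = mine_roles(users, keys, policies)
            score = coverage(users, roles)
            if best is None or score > best["coverage"]:
                best = {"keys": keys, "coverage": score, "roles": roles}
    return best


if __name__ == "__main__":
    best = find_best_partition(USERS, ATTRS, SOD_POLICIES)
    print("split on", best["keys"], "coverage %.2f" % best["coverage"])
    for r in best["roles"]:
        print(r["filter"], sorted(r["entitlements"]), "SoD hits:", r["sod_violations"])
```

On the constructed population the search settles on title plus location (department adds nothing once title is known) and covers 36 of the 43 held entitlements, against 29 for a department-only split. The Dallas accountant role is where the SoD caveat bites: every Dallas accountant holds both erp_vendor_create and erp_vendor_pay, so a naive miner would bake the toxic pair into the role; here it is stripped and reported as a violation for the role owner to resolve. a4's lone erp_vendor_create never reaches a role because only one of four Austin accountants has it, which is the "garbage in" point in miniature: the threshold hides a single outlier, but it would not have hidden a pattern of bloat shared by most of the group.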
The Life-Cycle Of A Role
Roles have a shelf life that is affected by the natural changes organizations go through over time. For example, a business unit is reorganized or one application is replaced with another. Organizations that are going through an acquisition or divestiture are especially affected by this. The reality is that roles have to be reviewed not only for their contents but for the populations of users they are attached to. Some traditional IGA solutions let role owners review the entitlements that are attached to a role, but not re-analyze the users that are attached to the role. By attached I mean through an automated filter; roles that are requested can typically be reviewed through a normal user access certification. AI will eventually give us the ability to re-analyze the optimal population of users that a role should be attached to.
Wrap Up
There is much hype in the market about artificial intelligence. While we are probably many decades away from sentient computers making every decision for us, we are very close to having basic AI that can help solve some of the more difficult (and mundane) problems of implementing an effective identity and access management program. I will post later on specific vendors and solutions that are solving these problems today, but in the meantime keep an eye out and consider how these solutions can shape your IAM program today.
There are many other applications of artificial intelligence outside of what I discussed here such as advanced authentication solutions and protecting privileged access. If you have any questions or ideas of your own feel free to reach out.