Identity Analytics: What is it all about?
Identity analytics is one of the most discussed topics in cybersecurity today, yet few people can say precisely what it is. Simply put, identity analytics helps an organization reduce risk and demonstrate compliance using identity-related data. A solution ingests and correlates data from across the information system, whether from repositories, directories, applications or HR files, and turns it into actionable information, highlighting the anomalies and gaps it detects. Identity data is monitored continuously, and the risks found in it are reported so they can be remediated before they are exploited.
Identity analytics shows an organization who has access to which resources and helps managers confirm that the right person has the right access to the right resource at the right time. Its techniques surface dormant and leaver accounts, incorrect entitlements, misaligned descriptions and other data quality issues. Advanced analytics go further by assigning risk scores to anomalies, which supports adherence to compliance and security policies. Unusual behaviour can be tracked, and access rights can be visualized with mapping techniques that give a 360° view of an identity's accounts and access across the information system.
Identity Analytics: The Enigma of Poor Data Quality
One of the most important aspects of an identity analytics tool is its ability to clean up poor-quality data and then to keep that quality from degrading again. These tools rest on a simple but fundamental principle: only accurate, complete and validated data can support sound decisions. According to Gartner,
“Through 2022, identity governance and administration implementations that start with cleanup analytics will show twice the ROI as ones that don’t.”1
Many tools automate processes that are still performed by hand today. Beyond the cost and time savings, automation brings a level of consistency that tasks prone to human error cannot match. That simplification pays off during audits, when time is short and errors are costly. Reports based on the results of these automated checks are available immediately and are reproducible, so the figures presented to an auditor can be traced back to the data they came from.
How Identity Analytics Tackles Zero Trust
In today's threat landscape, the first line of defense is monitoring identity and access within the organization. The focus is on Zero Trust, which requires that every user of company resources be authorized dynamically each time they try to access them, rather than trusted because of their network location or a past login. Continuously reviewing and validating whether that access is still needed keeps the company's security posture intact. Key forms of cyber risk today include insider threats from current employees or third-party collaborators, credential theft and manipulation of privileged accounts. To fight back, many organizations rely on identity analytics solutions to improve, monitor and govern their access policies and entitlements. In this way, access-related risk can be mitigated and compliance with both internal and external security policies and regulations can be controlled.
Identity Analytics: Key Functions for Cyber Defense
The following summarizes why identity analytics is necessary and the key role it plays in a company's defenses against cyber risk. An identity analytics solution aims to:
- identify who works for the company, who can access infrastructure, applications or data, and which privileged accounts are present in the information system,
- check for data quality issues and for orphaned, dormant, blocked and leaver accounts,
- verify that least privilege, need-to-know, separation of duties and security policies in general are being respected,
- detect user risk, residual access rights, atypical situations and abnormal changes, and
- involve business managers, launch access review campaigns, and save time by automating and simplifying the process for all stakeholders.
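As an added illustration (not code from the original article or from any vendor's product), the correlation behind the first two items above can be shown in a few dozen lines of Python: an HR export and a directory account export, both constructed here, are joined on an assumed employee_id column, and each account is flagged as orphaned (no matching person), leaver (person terminated, account still enabled), dormant (no logon for an assumed 90 days) or privileged (member of an assumed set of admin groups). A rule-based score, whose weights are also assumptions, orders the resulting review queue; it stands in for the behaviour-based scoring that products describe.

```python
"""Correlate an HR export with a directory account export and flag
identity anomalies (orphaned, leaver, dormant, privileged accounts).

Added illustration, not code from the original article or from any
product. Column names, the 90-day dormancy threshold, the score weights
and the sample rows are all assumptions constructed for this example.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed HR export: one row per person. 'status' is active/terminated.
HR_CSV = """employee_id,name,department,status,end_date
E100,Alice Martin,Finance,active,
E101,Bob Chen,IT,active,
E102,Carol Diaz,Finance,terminated,2024-01-31
"""

# Constructed directory export (e.g. an AD/LDAP dump). employee_id links an
# account back to HR; an empty or unknown value means HR knows no owner.
ACCOUNTS_CSV = """sam_account,employee_id,enabled,last_logon,groups
amartin,E100,true,2024-03-10,Finance-Users
bchen,E101,true,2024-03-11,IT-Users;Domain Admins
cdiaz,E102,true,2024-02-02,Finance-Users
jdoe,E999,true,2023-06-01,Finance-Users
svc_backup,,true,2023-01-15,Backup Operators
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
DORMANT_DAYS = 90                      # assumption: no logon for 90 days = dormant
AS_OF = date(2024, 3, 15)              # assumed date of this ingestion run

# Assumption: rule weights used only to order the review queue.
WEIGHTS = {"leaver": 50, "orphan": 30, "dormant": 20, "privileged": 25}


def _rows(text):
    """Parse a CSV export held in memory into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def analyze(hr_csv, accounts_csv, today):
    """Return one finding per account ({account, flags, score}), riskiest first."""
    hr = {r["employee_id"]: r for r in _rows(hr_csv)}
    findings = []
    for acct in _rows(accounts_csv):
        flags = []
        owner = hr.get(acct["employee_id"])          # None for "" or unknown ids
        enabled = acct["enabled"].lower() == "true"
        groups = set(filter(None, acct["groups"].split(";")))
        last_logon = datetime.strptime(acct["last_logon"], "%Y-%m-%d").date()

        if owner is None:
            flags.append("orphan")       # no person in HR owns this account
        elif owner["status"] == "terminated" and enabled:
            flags.append("leaver")       # person has left, account still enabled
        if enabled and (today - last_logon) > timedelta(days=DORMANT_DAYS):
            flags.append("dormant")      # enabled but not used for a long time
        if groups & PRIVILEGED_GROUPS:
            flags.append("privileged")   # deserves review regardless of other flags

        score = sum(WEIGHTS[f] for f in flags)
        findings.append({"account": acct["sam_account"], "flags": flags, "score": score})
    # Highest score first; stable alphabetical order on ties.
    findings.sort(key=lambda f: (-f["score"], f["account"]))
    return findings


if __name__ == "__main__":
    for f in analyze(HR_CSV, ACCOUNTS_CSV, AS_OF):
        print(f"{f['account']:<12} score={f['score']:<3} {', '.join(f['flags']) or '-'}")
```

On the constructed data the unowned, dormant, privileged service account lands at the top of the queue, above the leaver whose account is still enabled; an account with a live owner, recent logon and no admin groups scores zero and needs no attention in this pass.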
Identity Analytics: Why do we need it?
“Credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system.”2
Because of this, identity analytics should be front and center in defending against them. Yet there is a fine line between granting access and assessing the risk of doing so: security policies must be respected while employees still receive the access and permissions they need to do their jobs.
Two things destabilize a company's security posture: how quickly cyber criminals adapt and refine their attacks, and how hard the threats that precede those attacks are to see. What makes this most stressful is the sheer number of identities with access to databases, applications and networks, whether or not those identities belong to the organization itself. Employees and third parties with external access to an organization's information systems are one more population that must be managed. Since compromised or stolen credentials are one of the most common ways attackers enter a company's network, the focus should clearly be on monitoring and governing identities, the permissions they hold, and the assets and resources they can reach.
Identity Analytics: Protect Yourself and Your Company
One of the most effective ways to manage this is to implement an identity analytics solution. The information it provides is critical to keeping a company protected from fraud and infiltration. Key features of the identity analytics solutions available on the market can help to:
- verify that the principle of least privilege is in place and that unnecessary and illegitimate access rights are removed,
- perform access certifications driven by controls and by the risks they highlight and rank, and
- monitor and control privileged accounts, which require extra scrutiny because of the sensitive resources they reach, and uncover toxic access combinations that breach segregation of duties guidelines.
The Principle of Least Privilege
In a perfect world, people would only be able to access the assets, systems and resources that directly relate to their job responsibilities. That remains the goal, but the perimeter often slips for several reasons.
One of the main reasons is that a person changes jobs internally. It is often easier to add the permissions and entitlements the new position needs than to track down and remove everything granted for the previous one. If the move is a promotion, the reasoning is that there is little risk in letting the employee keep the old access rights because they can be "trusted."
Another reason an employee may hold elevated access is a temporary assignment to a special project. For the life of the project, those permissions let them reach what they need to do the job. But what happens when the project ends? Very often, the temporary nature of the grant is forgotten and the employee carries forward a level of access that no longer fits their responsibilities. Both cases are forms of privilege creep: access accumulates because it is added on request but rarely removed on change.
Identity analytics keeps an eye on privileged access and on the behaviour of those who hold it. When anomalies or misuse surface, the tool highlights the issue and suggests corrective actions to mitigate the risk.
Access Certification based on Risk Scoring
In today's digital world, people tend to hold more access rights than their job requires. But how can companies keep up with the ever-growing number of privileges to their data, applications and networks? Some try to do it manually, but it is a tedious, time-consuming task that managers would just as soon ignore, and some of them do. Asked to review the access rights of their team members, they glance over the list and approve it wholesale, without weighing the security issues those approvals may cause the company later.
What identity analytics tools provide is an automated way to perform access certification quickly, effectively and accurately. All data sources in the company's information system are collected and correlated, and analytics, in some products including machine learning (ML) models of behaviour and usage, assign a risk score to each identity. Thresholds on these scores can alert management to the highest-risk users. Addressing the riskiest cases first reduces the overall exposure in a sweeping manner. Some organizations choose to focus their campaigns on the highest-risk identities and review the rest less frequently. But even when the decision is to certify all access, an identity analytics solution can handle it in an automated and efficient way, from data ingestion through remediation suggestions, cutting the time review owners must spend on the task.
Privileged Account Monitoring
Typically, two types of privileged accounts are present within a company:
- user accounts with heightened administrative privileges, and
- service or technical accounts used by applications or in other operational processes.
Cyber criminals know they will hit pay dirt if they can infiltrate a company through a privileged account, because it leads directly to some of the most sensitive data in its information systems.
Identity analytics solutions can home in on changes in privileged access, showing who authorized each change and which resources it unlocks, while also scanning for unused privileged accounts that are ripe for takeover by an intruder. Credential sharing and access to privileged-account vaults (safes) that did not pass through the approved provisioning process can likewise be spotted and flagged.
Segregation of Duties
Segregation of Duties (SoD) is a control, anchored in a company's security policies, that monitors and restricts a user's access to prevent toxic combinations of permissions that could create significant risk to its assets. An example would be someone in the finance department who can both write checks and sign them. This is a perfect storm for anyone inclined to fraud, and the result can be significant financial loss. Very often, the first acts of tampering fly under the radar and are not noticed until it is too late.
One way to detect violations of this kind is to use an identity analytics tool that, referencing the company's SoD matrix, uncovers the overlapping access right combinations that breach internal security policies and regulations. The visibility it provides helps management monitor and control the granting of access that would create risk when coupled with conflicting permissions elsewhere.
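The SoD matrix check described above, as an added example that is not part of the original article or of any product: the role definitions, assignments and conflicting-entitlement rules are all constructed for the illustration. The detective pass reports each violation together with the roles that granted the conflicting entitlements, which is the "how was this access gained" link an access review needs, and a preventive pass lists role pairs that would violate a rule if ever combined, so the check can run before a new role is assigned as well as after.

```python
"""Detect toxic combinations of access rights against an SoD matrix.

Added illustration, not code from the original article or any product.
The entitlement names, role catalogue, assignments and SoD rules are
assumptions constructed for this example.
"""
from itertools import combinations

# Constructed SoD matrix: each rule names two entitlements that must not be
# held by the same identity, with the business risk the rule guards against.
SOD_RULES = [
    ("AP_CREATE_PAYMENT", "AP_APPROVE_PAYMENT", "create and approve own payments"),
    ("VENDOR_MAINTAIN", "AP_CREATE_PAYMENT", "create a fake vendor and pay it"),
    ("GL_POST_JOURNAL", "GL_CLOSE_PERIOD", "post entries and hide them at close"),
]

# Constructed role catalogue: role -> entitlements it grants.
ROLES = {
    "AP_Clerk": {"AP_CREATE_PAYMENT", "VENDOR_VIEW"},
    "AP_Manager": {"AP_APPROVE_PAYMENT", "VENDOR_VIEW"},
    "Vendor_Master": {"VENDOR_MAINTAIN", "VENDOR_VIEW"},
    "GL_Accountant": {"GL_POST_JOURNAL"},
}

# Constructed assignments: identity -> roles. alice and bob kept their old
# role after an internal move, the classic way an SoD conflict appears.
ASSIGNMENTS = {
    "alice": {"AP_Clerk", "AP_Manager"},
    "bob": {"AP_Clerk", "Vendor_Master"},
    "carol": {"GL_Accountant"},
    "dave": {"AP_Clerk", "GL_Accountant"},
}


def effective_entitlements(identity, assignments=ASSIGNMENTS, roles=ROLES):
    """Map each entitlement the identity holds to the roles that grant it,
    so a violation can be traced back to the assignment that caused it."""
    granted = {}
    for role in sorted(assignments.get(identity, ())):
        for ent in roles.get(role, ()):
            granted.setdefault(ent, set()).add(role)
    return granted


def sod_violations(identity, rules=SOD_RULES, **kw):
    """Return (entitlement_a, entitlement_b, risk, via_roles) for every SoD
    rule the identity's effective entitlements violate."""
    held = effective_entitlements(identity, **kw)
    violations = []
    for a, b, risk in rules:
        if a in held and b in held:
            violations.append((a, b, risk, sorted(held[a] | held[b])))
    return violations


def sod_report(assignments=ASSIGNMENTS):
    """Detective pass over the whole population: identity -> violations,
    listing only identities with at least one."""
    report = {}
    for identity in sorted(assignments):
        found = sod_violations(identity, assignments=assignments)
        if found:
            report[identity] = found
    return report


def conflicting_roles(roles=ROLES, rules=SOD_RULES):
    """Preventive pass: role pairs whose combined entitlements violate a rule.
    Useful as a check before a second role is assigned to someone."""
    toxic = []
    for r1, r2 in combinations(sorted(roles), 2):
        combined = roles[r1] | roles[r2]
        if any(a in combined and b in combined for a, b, _ in rules):
            toxic.append((r1, r2))
    return toxic


if __name__ == "__main__":
    for who, found in sod_report().items():
        for a, b, risk, via in found:
            print(f"{who}: {a} + {b} ({risk}) via roles {', '.join(via)}")
    print("toxic role pairs:", conflicting_roles())
```

Note that dave holds AP_CREATE_PAYMENT and GL_POST_JOURNAL, which looks unusual but matches no rule: the tool can only report what the SoD matrix encodes, so the matrix itself has to be reviewed with the business as carefully as the assignments are.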
Identity Analytics: How does it work?
A remarkably simple definition of identity analytics can be stated here: Identity analytics is the science of analyzing access rights. The five main objectives of using identity analytics as a means of ensuring compliance of access rights are:
- identifying who is who and who has access to what,
- verifying compliance with security policies and certifying user access,
- detecting anomalies and scoring the level of risk,
- performing general controls to mitigate issues, and
- recommending access rights and revocations.
Identity Analytics: Painting the Picture
The diagram below shows how an identity analytics solution works. First, an agnostic approach to data collection and ingestion connects to all data sources: repositories, directories, databases, applications, HR data and shared files, to name a few. Ingestion can use prebuilt connectors or extraction scripts whose flat files are uploaded into the tool. Once ingested, the data is correlated and analyzed to produce an identity inventory together with the anomalies found during correlation.
Cleaning the data of inconsistencies, missing information and other errors before running the other functions produces more reliable results instead of gaps and defects rooted in data quality. Best practice is to review and clean data quality on every ingestion so that, once cleaned, it stays accurate. This is referred to as the "Get Clean, Stay Clean" approach.
Once the data quality has been analyzed and improved, the identity analytics tools can then proceed with providing the following services:
- an access inventory, the first step towards access rights monitoring and governance
- automated access reviews of user, service or technical accounts to meet compliance guidelines
- role mining functionality and catalog creation to help streamline the certification process, and
- segregation of duties controls to uncover toxic access combinations that can compromise a company’s security posture.
Rebuilding the Access Chain with Identity Analytics
One key feature of an identity analytics tool is its ability to rebuild the chain of access once data has been ingested and correlated. As shown below, a series of questions is considered to reconstruct how access was granted and whether it is legitimate.
The starting question is: why was access granted? Which resources were meant to be used through the rights tied to this access? Next, to whom or to what was the access assigned? That holder is referred to, generically, as an identity. Third, how did this identity gain the access: what was the process, and who approved it? The tool then drills down into the resources and systems the identity can reach. Which permissions have been granted, and are they necessary? Is there over-allocation of rights? Finally, using logs and other login data, there is traceability of what was accessed, when, and what was done with it. Is it within the scope of the identity's job function? Did any activity look suspicious or out of line?
Identity Analytics: Retaining Historical Data with Snapshots
One of the most appreciated features in certain identity analytics tools is the ability to retain historical identity data as a series of snapshots. Each time data is ingested, correlated and analyzed, a "state of the data" image is taken and kept within the tool.
Auditors value this feature most: when issues and inconsistencies arise, they can go back and look at the data as it was before the anomaly occurred. It also gives a quick way to focus on the delta since the last snapshot. Snapshots are retained as long as needed, and a new one is added each time data is ingested for an identity inventory, access review or other function.
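An added example (not from the original article or any product) of the snapshot mechanism described above: three constructed snapshots of (account, entitlement) pairs, one per ingestion run, and the queries an auditor would put to them, namely the delta between two runs, when a given grant first appeared, which privileged grants appeared between runs, and what an account held at a given date. The dates, accounts and the set of groups treated as privileged are assumptions.

```python
"""Keep dated snapshots of who-has-what and answer delta and
"as it was then" questions from them.

Added illustration, not code from the original article or any product.
Snapshot contents, dates and the privileged-group set are assumptions
constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    taken: str            # ISO date of the ingestion run (assumed format)
    grants: frozenset     # set of (account, entitlement) pairs at that time


# Constructed history: one snapshot per month-end ingestion.
HISTORY = [
    Snapshot("2024-01-31", frozenset({
        ("amartin", "Finance-Users"),
        ("bchen", "IT-Users"),
        ("cdiaz", "Finance-Users"),
    })),
    Snapshot("2024-02-29", frozenset({
        ("amartin", "Finance-Users"),
        ("bchen", "IT-Users"),
        ("bchen", "Domain Admins"),      # new privileged grant this month
        ("cdiaz", "Finance-Users"),
    })),
    Snapshot("2024-03-31", frozenset({
        ("amartin", "Finance-Users"),
        ("amartin", "AP-Approvers"),
        ("bchen", "IT-Users"),
        ("bchen", "Domain Admins"),
        # cdiaz no longer present: leaver account removed
    })),
]

PRIVILEGED = {"Domain Admins", "Enterprise Admins"}   # assumption


def _by_date(history):
    return sorted(history, key=lambda s: s.taken)


def delta(before, after):
    """Grants added and removed between two snapshots: the
    'what changed since the last review' view."""
    return {
        "added": sorted(after.grants - before.grants),
        "removed": sorted(before.grants - after.grants),
    }


def first_seen(history, grant):
    """Date of the earliest snapshot containing a grant, or None if never
    seen. This answers the auditor's 'when did this access appear?'."""
    for snap in _by_date(history):
        if grant in snap.grants:
            return snap.taken
    return None


def new_privileged_grants(history):
    """(date, account, entitlement) for every privileged grant that appeared
    between consecutive snapshots, i.e. the changes worth a 'who approved
    this?' question."""
    found = []
    snaps = _by_date(history)
    for before, after in zip(snaps, snaps[1:]):
        for acct, ent in delta(before, after)["added"]:
            if ent in PRIVILEGED:
                found.append((after.taken, acct, ent))
    return found


def account_at(history, account, taken):
    """Entitlements an account held in the snapshot dated `taken`: the
    'show me the data as it was then' view."""
    for snap in history:
        if snap.taken == taken:
            return sorted(ent for acct, ent in snap.grants if acct == account)
    raise KeyError(f"no snapshot taken on {taken}")


if __name__ == "__main__":
    snaps = _by_date(HISTORY)
    for before, after in zip(snaps, snaps[1:]):
        print(before.taken, "->", after.taken, delta(before, after))
    print("new privileged grants:", new_privileged_grants(HISTORY))
    print("bchen on 2024-01-31:", account_at(HISTORY, "bchen", "2024-01-31"))
```

Because each snapshot is a complete state rather than a log of changes, the delta is computed on demand between any two dates, and a grant that was added and later removed still shows up in first_seen even though it is absent from the current inventory.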
Identity Analytics: The Benefits
Having covered why organizations rely on identity analytics to protect against cyber risk and how these solutions work, we can turn to the concrete benefits of implementing one. Beyond uncovering risks in identity data, such as orphaned, dormant and leaver accounts, these tools are the go-to solution to:
- Get a 360° view of who has access to what, regardless of where that access is exercised, on-premises or in the cloud,
- Use risk scoring to target the most problematic accounts, whether user, service or technical, and speed up the clean-up of compliance gaps,
- Reduce the attack surface by monitoring and governing all access points,
- Take advantage of IT general controls and integrated reporting to support audits and adherence to both internal and external security policies, and
- Implement zero-trust initiatives by relying on the principles of least privilege, need-to-know and segregation of duties.
Identity Analytics: The Go-To Solution
As the number of identities in a corporation's information systems keeps growing, along with the number of directories, databases and applications that must be accessed daily, an identity analytics solution that provides overall visibility into this jungle of data is the foundation for maintaining security, protecting data and resources and fighting back against cyber threats.
Identity Analytics: The Best Choice to Enhance an IAM Program
The prime goal of an Identity and Access Management (IAM) tool is to manage and monitor the access users have to systems, data, applications and other resources, and to keep that access aligned with the functions each person performs in his or her position. IAM also governs these accesses against internal and external security policies and prepares the organization to prove compliance to auditors.
Many IAM projects start with the best of intentions and energy. Rather quickly, however, the processes become unwieldy and the results disappoint. Gartner has even been quoted as saying that over half of attempted IAM program deployments fail because of the inherent difficulties of executing them.
This is where identity analytics can support the effort. These tools help lay the foundation of an effective IAM program: the scope of the data to be analyzed is widened, and the data itself is cleaned. Without this step, any results produced can be highly inaccurate, and there is a risk that not all permissions and access rights are ingested, leaving the program with only partial visibility into what it is trying to manage: identity access.
Identity analytics is the most direct way to gain a thorough understanding of who has access to which resources, which is the springboard to an effective IAM program for any company. Additional details about how and why to start an IAM project with identity analytics can be found in this article on the subject.
Identity Analytics: The Only Surefire Way to Monitor and Protect Access
In summary, identity analytics is a crucial part of access management in a world of increasing cyber threat. It allows the user to:
– identify and analyze all data sources and access rights present in all systems within the company,
– consolidate the data by automatically and continuously correlating it (for example, Active Directory repositories and HR data), and
– view the data’s history in report format to perform comparative analyses.
It facilitates decisions, demonstrates access right compliance to auditors, and detects the risks related to the access rights of user, application and technical accounts. This is what a dedicated identity analytics solution promises, and it makes the return on investment worth its weight in gold.
1 Katherine Cola, "Identity Analytics and the 2019 Gartner Magic Quadrant for Identity Governance and Administration", Security Intelligence, October 18, 2019
2 Verizon, Data Breach Investigations Report, 2022