Closing The Gap
Closing the gap between provisioning and certification requires a clear understanding of what is actually happening in the abyss: the billions of constantly changing access relationships. You need to somehow process what human brains, or even relational databases, cannot. What’s missing is a real-time, holistic view of your access risk.
The only way to achieve access intelligence is by aggregating all the data in the IAM Gap into a data warehouse, just like the ones you use for business intelligence in other areas of the organization. The data warehouse should embody advanced information-security, policy and governance domain expertise. Then you need to constantly apply predictive analytics to that data to analyze access risk throughout your entire organization -- literally every two minutes or so. Properly constructed, an access intelligence system like this can uncover deeply embedded policy violations or improper access. It can generate instant alerts on those violations, or produce graphical “heat maps” spotlighting looming risks and security breaches.
Here’s a simple example of how it can work: No one in a bank should have permission to both initiate and approve a wire transfer, right? Consider a teller in one of a bank’s five Springfield branches who has proper wire transfer initiation rights. One day she is mistakenly added to a security group called “Springfield Regional,” which turns out to be intended for regional managers only and carries wire-approval rights. Now she has initiation and approval rights – an alarming combination.
The person who made the provisioning mistake had no idea that wire transfer approval was embedded in the Springfield Regional security group. If that access right were nested one or several Active Directory groups deep, it would likely have been missed in regularly scheduled recertification as well. The access intelligence data warehouse, however, is constantly expanding and unpacking Active Directory groups as it crunches terabytes of identity and access data.
While continuously sifting through billions of access relationships, the access intelligence system picks out the effective separation-of-duties (SoD) violation and sends a text to the chief information security officer’s smartphone. The CISO (or her delegate) can immediately address the problem on a mobile-friendly page, disable the account or kick off a recertification.
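The nested-group expansion and SoD check described in the scenario above, written out as an added Python example. This is illustration code, not Courion’s product or any real bank’s configuration; the group names, user ids and entitlement strings are constructed sample data, and the group graph deliberately contains a membership cycle so the traversal has to guard against it.

```python
# Added example: unpack nested directory groups into a user's effective
# entitlements, then flag separation-of-duties (SoD) conflicts such as
# holding both wire-transfer initiation and approval.
# All data below is constructed for illustration.

from collections import deque

# Constructed sample data: group -> (direct entitlements, member groups).
# "Springfield Regional" carries no entitlement of its own; the approval
# right only appears one level down, in "Regional Managers". That group in
# turn lists "Springfield Regional" as a member, forming a cycle, which
# real directories permit and which a naive walk would loop on.
GROUPS = {
    "Springfield Tellers": ({"wire.initiate"}, set()),
    "Branch Staff": ({"cash.drawer"}, {"Springfield Tellers"}),
    "Springfield Regional": (set(), {"Regional Managers"}),
    "Regional Managers": ({"wire.approve", "reports.view"}, {"Springfield Regional"}),
}

# Constructed sample data: user -> groups the user is a direct member of.
USER_GROUPS = {
    "teller.jane": {"Branch Staff"},
    "manager.bob": {"Springfield Regional"},
}

# Toxic combinations: no single identity may hold both entitlements.
SOD_RULES = [
    ("wire.initiate", "wire.approve"),
]


def effective_entitlements(user, groups=GROUPS, user_groups=USER_GROUPS):
    """Return every entitlement a user holds after unpacking nested groups.

    Breadth-first traversal with a visited set, so cyclic memberships
    terminate and each group is expanded once.
    """
    seen = set()
    queue = deque(user_groups.get(user, ()))
    held = set()
    while queue:
        group = queue.popleft()
        if group in seen or group not in groups:
            continue
        seen.add(group)
        direct, nested = groups[group]
        held |= direct
        queue.extend(nested)
    return held


def sod_violations(user, groups=GROUPS, user_groups=USER_GROUPS, rules=SOD_RULES):
    """Return the (a, b) rule pairs that the user's effective access violates."""
    held = effective_entitlements(user, groups, user_groups)
    return [(a, b) for a, b in rules if a in held and b in held]


def scan_all(groups=GROUPS, user_groups=USER_GROUPS, rules=SOD_RULES):
    """Map each user with at least one violation to the rules they violate.

    This is the periodic sweep the article describes; an empty dict means
    no toxic combination exists anywhere in the current membership data.
    """
    report = {}
    for user in user_groups:
        found = sod_violations(user, groups, user_groups, rules)
        if found:
            report[user] = found
    return report


def with_membership(user, group, user_groups=USER_GROUPS):
    """Return a copy of the membership map with one extra direct membership.

    Models a provisioning change without mutating the baseline data.
    """
    updated = {u: set(gs) for u, gs in user_groups.items()}
    updated.setdefault(user, set()).add(group)
    return updated


if __name__ == "__main__":
    # The mistaken provisioning from the scenario: the teller is added to
    # the regional group, and the nested approval right surfaces.
    after = with_membership("teller.jane", "Springfield Regional")
    print("before:", scan_all())
    print("after: ", scan_all(user_groups=after))
```

The check is deliberately run against effective entitlements rather than direct group membership: a recertification that only lists "Springfield Regional" next to the teller's name shows nothing alarming, while the expanded view exposes the initiate-plus-approve pair immediately.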
This next-generation IAM strategy leaps past the “business view of IT” problem as well. While it’s a laudable goal to build and maintain a current map of all IT entitlements to all business entitlements, it’s also an unattainable one. Still, by conventional IAM wisdom, this is required to understand who has access to what.
In this new world of access intelligence, however, the CISO doesn’t need to know all of the technical details behind how someone got access to something, just that they have access and, perhaps, are accessing something. In this new world, financial institutions can now gauge their risk, identify problems in real time, deal with them instantly, and achieve compliance even as access continually changes.
As holders of the money, banks will always be a target. But smarter banks will use access intelligence to make life harder for the bad guys. And under the laws of nature, the bad guys will move on to easier prey.
Chris Sullivan is vice president of product planning for Courion Corporation.