Is your Identity and Access Management (IAM) out of control?
Each organisation must decide for itself, through coordination between the business, IT and auditors, whether the controls it has in place are adequate. But when security teams, administrators, auditors and business managers get together, they often find that they speak vastly different languages. Furthermore, many security professionals view IAM as sitting outside the security domain altogether.
Perhaps we can begin to answer the question of whether our IAM is out of control by agreeing that the lingua franca of security controls is their categorisation as preventive, detective or corrective. Organising IAM controls under this model gives the various parties responsible for controls a simpler, shared way of talking about them, which is critical to addressing the question at hand.
Defining preventive and detective controls for IAM
IAM has expanded from its original focus on preventive controls, where users and entitlements are managed in target systems, towards detective controls delivered through Access Governance.
The access recertification process in Access Governance provides a manual means of detecting improper entitlements, but because it tempts business managers to rubber-stamp and is time-bound (typically performed once a year), it can only be described as an incomplete detective control. User activity monitoring can round out detective IAM controls by recognising unusual behaviour associated with identities in near real time.
But regardless of the detective control used, the question is how we can shorten the time taken to detect anomalies, since an anomaly can indicate a breach in progress.
The addition of corrective IAM controls
In his blog Martin Kuppinger contends that the next logical step will be corrective IAM controls. Many organisations have manual corrective IAM controls in place already.
For example, if a business user leaves the company but one of their entitlements is missed during revocation, we rely on the access recertification process to catch it, with the corrective control often being a ticket raised to revoke that access.
But what is envisioned with corrective IAM controls is far more automated, and necessarily so, given the growth in threats and a business technology landscape that increasingly includes partners, contractors and customers accessing sensitive data in the cloud or from mobile devices. Dependence on manual processes will not deliver the speed of response and corrective action needed to contend with expanding threats and attack surfaces.
I’ll return to the role of process automation in closing the loop between preventive, detective and corrective controls, later in this article.
Evaluating IAM controls
So how does your organisation stack up? Here are some specific questions to consider, organised by the three-part model above:
Preventive IAM controls
- Are least privileges enforced for access to sensitive information?
- Is separation of duties maintained in line with information security policy?
- Is there consistent and rapid revocation of entitlements when user changes occur?
Detective IAM controls
- Is access certification accurately performed on a recurring basis?
- Is privileged user activity monitored to encourage adherence to policy?
- Is abnormal user activity flagged for follow-up?
Corrective IAM controls
- Is access revoked in a timely manner when abuse of privileges or excess rights is detected?
- Is access revocation performed consistently throughout the IT environment?
- Is the process for the forensic gathering of evidence invoked when abuse of privileges is detected?
These are good starter questions, and they will likely lead to further considerations with your business partners and auditors. IAM is sometimes forgotten in discussions of controls. It is far better to have these conversations when planning and evaluating controls than after a breach.
Today’s attackers are far more sophisticated than they were a decade ago. While some still rely on brute force, many have shifted to hijacking insider credentials as their preferred route in. Security controls must therefore include identity and access management (IAM) disciplines, because the effective perimeter is shifting towards access controls rather than relying solely on the perimeter technologies of the past.
Now we can return to look more closely at the role of process automation for corrective IAM controls, as this is the least-mature component.
How process automation can help
Automation is best applied to a process with repeatable steps, where it brings faster response and greater efficiency. There is a cost to building automation, and the return on that cost must be weighed first.
Process automation needs at least three components: a trigger, a diagnosis, and one or more actions, each of which can be automated if there is sufficient repeatability.
For corrective IAM controls, the trigger can come from the access recertification process or from user activity monitoring. For example, if a user suddenly starts downloading large sensitive data files, most organisations would want that to trigger an automated response that restricts the user’s access or, at the very least, alerts the security team. The complication is that false alarms will fire the same trigger and must be allowed for; including a manual step at the end of the diagnosis component helps here.
Not every part of a process can, or should, be automated. For this reason it is often advantageous to keep a “man in the loop” to make decisions and stop automation from running amok. Automating a bad process just makes things go bad faster. But the machine-repeatable parts of a process can do the heavy lifting of gathering supporting data, so that a better-informed diagnosis can be made of the situation.
Done correctly, process automation handles triggering and diagnosis, with corrective actions presented as a menu of options to overworked security teams. Once a manual selection is made, the chosen actions can be carried out automatically.
Full automation that skips the manual diagnosis and goes straight to a temporary corrective action should also be considered for the highest-risk scenarios involving the most sensitive data. A rollback option covers the case where the situation turns out to be a false alarm.
In an IAM context, corrective action usually means revoking access, not deleting the identity in question. You will want to keep a record of the identity for forensic work, which can itself be automated once the immediate risk has been addressed. That forensic work includes reviewing logs for the identity’s other activity to determine whether any additional damage has been done.
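As an added illustration (not code from the original article), the Python sketch below runs the trigger, diagnosis and action steps described above over a constructed set of user-activity events. Everything in it is an assumption for the example: the event fields, the sensitivity labels, the per-user download baselines, the 5x spike threshold and the entitlement store. It auto-suspends access when the spike touches "restricted" data and writes a rollback record, routes lower-sensitivity spikes to an analyst for manual review, and never deletes the identity.

```python
"""Closed-loop corrective IAM control: trigger -> diagnosis -> decision -> action.

Constructed example. Event format, labels, baselines and thresholds are assumptions,
not output from any real user-activity-monitoring or IAM product.
"""

# Constructed sample of one day's user-activity-monitoring events (not real logs).
EVENTS = [
    {"user": "alice", "action": "download", "resource": "/hr/salaries.xlsx", "bytes": 4_000_000, "sensitivity": "restricted"},
    {"user": "alice", "action": "download", "resource": "/hr/benefits.pdf", "bytes": 3_000_000, "sensitivity": "restricted"},
    {"user": "alice", "action": "download", "resource": "/hr/org.pptx", "bytes": 6_000_000, "sensitivity": "confidential"},
    {"user": "bob", "action": "download", "resource": "/eng/design.docx", "bytes": 1_500_000, "sensitivity": "confidential"},
    {"user": "bob", "action": "download", "resource": "/eng/notes.md", "bytes": 20_000, "sensitivity": "internal"},
    {"user": "carol", "action": "download", "resource": "/public/brochure.pdf", "bytes": 900_000, "sensitivity": "public"},
    {"user": "carol", "action": "download", "resource": "/public/brochure2.pdf", "bytes": 900_000, "sensitivity": "public"},
    {"user": "dave", "action": "download", "resource": "/eng/roadmap.pptx", "bytes": 2_000_000, "sensitivity": "confidential"},
]

# Constructed per-user baseline: typical daily download volume in bytes.
BASELINE_BYTES = {"alice": 500_000, "bob": 2_000_000, "carol": 3_000_000, "dave": 100_000}
SPIKE_FACTOR = 5  # assumed threshold: trigger when a user exceeds 5x their baseline
AUTO_SUSPEND_SENSITIVITY = "restricted"  # highest-risk data: act first, review after
SENS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed entitlement store: the preventive side that the corrective action writes back to.
ENTITLEMENTS = {
    "alice": {"hr-share", "vpn"},
    "bob": {"eng-share", "vpn"},
    "carol": {"marketing-share"},
    "dave": {"eng-share"},
}
AUDIT_LOG = []  # forensic record; identities are never deleted, only their access changes


def trigger(events, baseline, factor=SPIKE_FACTOR):
    """Trigger: which users exceeded factor x their baseline download volume today?"""
    totals = {}
    for e in events:
        if e["action"] == "download":
            totals[e["user"]] = totals.get(e["user"], 0) + e["bytes"]
    return sorted(u for u, b in totals.items() if b > factor * baseline.get(u, 0))


def diagnose(user, events):
    """Diagnosis: gather the supporting data a rule or an analyst needs to decide."""
    mine = [e for e in events if e["user"] == user and e["action"] == "download"]
    top = max((e["sensitivity"] for e in mine), key=lambda s: SENS_RANK[s], default="public")
    return {
        "user": user,
        "files": len(mine),
        "bytes": sum(e["bytes"] for e in mine),
        "max_sensitivity": top,
        "resources": [e["resource"] for e in mine],
    }


def decide(diag):
    """Decision: automatic temporary suspension for the highest-risk data, else a human decides."""
    if diag["max_sensitivity"] == AUTO_SUSPEND_SENSITIVITY:
        return "auto_suspend"
    return "manual_review"


def suspend_access(user, entitlements, audit):
    """Corrective action: strip entitlements but keep the identity and a rollback record."""
    removed = set(entitlements.get(user, set()))
    entitlements[user] = set()  # identity stays in the store with no access
    audit.append({"user": user, "event": "suspend", "rollback": sorted(removed)})
    return removed


def rollback(user, entitlements, audit):
    """Restore access from the most recent suspend record if the alert was a false alarm."""
    for entry in reversed(audit):
        if entry["user"] == user and entry["event"] == "suspend":
            entitlements[user] = set(entry["rollback"])
            audit.append({"user": user, "event": "rollback", "restored": entry["rollback"]})
            return entitlements[user]
    return None


def run_loop(events=EVENTS, baseline=BASELINE_BYTES, entitlements=ENTITLEMENTS, audit=AUDIT_LOG):
    """Run the full loop and return each triggered user's diagnosis and chosen action."""
    outcome = {}
    for user in trigger(events, baseline):
        diag = diagnose(user, events)
        action = decide(diag)
        if action == "auto_suspend":
            suspend_access(user, entitlements, audit)
        outcome[user] = {"diagnosis": diag, "action": action}
    return outcome


if __name__ == "__main__":
    for user, result in run_loop().items():
        print(user, result["action"], result["diagnosis"]["bytes"], result["diagnosis"]["max_sensitivity"])
```

With the constructed data, alice (13 MB against a 500 KB baseline, touching restricted files) is suspended automatically with a rollback entry, dave (2 MB against 100 KB, confidential only) is handed to an analyst with the diagnosis attached, and bob and carol stay under their thresholds. The entitlement store is passed in explicitly so the same loop can be run against a copy when testing a new threshold before it touches production access.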
The technology challenges
The technology to accomplish this is partly available in today’s IAM platforms, which can execute automated workflows and are integrated with enough enterprise systems and applications to revoke access when necessary. That capability serves both the preventive and the corrective roles. The detective role is provided by Access Governance and User Activity Monitoring technologies.
Once these foundational technologies are in place, the next challenge is to define the process triggers, diagnosis steps and actions. Automating them may require an IT Process Automation (ITPA) platform that integrates with and can command the other tools, and that is granular enough to define each step as either manual or automated.
The ITPA platform must also be robust enough to handle the volume of events that are potential triggers. If User Activity Monitoring is SIEM-based, the ITPA platform must be able to evaluate triggers at least as fast as the SIEM delivers them, or the SIEM’s events-per-second (EPS) throughput becomes the ceiling on response time; in practice, having the SIEM correlate raw events and forward only the resulting alerts keeps that trigger volume manageable.
Completing the full circle of IAM controls
As indicated above, today’s biggest security gap is identity, so security controls need to include IAM controls as part of the programme. Preventive IAM controls are the most mature component today, while organisations are only beginning to add detective IAM controls through Access Governance and User Activity Monitoring.
Corrective controls in IAM complete the circle, because the corrective action of revoking access becomes the new preventive control. This closed-loop system is worth investigating funding for, as it has the potential to significantly reduce the risks presented by today’s threats.
This article first appeared in OH Magazine Issue 32, January 2016