In 2012 Randall Gamby wrote an interesting article on the relationship between identity management and compliance. He stated that identity and access management (IAM) systems could be broken down into two activity areas: predetermined and real-time access control. He went on to define them as:
“Predetermined: the function of determining in advance what access a user should have, what systems a user should have access to and how a user can interact with the data on those systems” and,
“Real-time: access control that is regulated once the user has been granted an account and can make access requests.”
What both of these types of access have in common is that they can change over time. Predetermined access, usually supported in the provisioning phase by static, rules-based systems, often leaves provisioning incomplete. This is because access needs evolve as the working relationship between the employee and the employer changes. In addition, once predetermined access has been granted, it is usually not the end of the deployment cycle. Many applications, both on-premises and cloud-based, require separate, one-off provisioning and approval by specific application owners.
Adding real-time access privileges can take many forms, but most have time-bound limitations. Temporary access may be granted due to vacations, trouble-shooting application problems, audits, and a variety of other needs.
Both types of access can create compliance problems for the organization if not properly tracked and adjusted over time. An accumulation of real-time access that is no longer needed leaves an organization open to increased insider risk and expands its attack surface. Predetermined access that is not kept up to date means employees cannot become productive and create value for the organization as quickly as they should. This robs the organization of a potential advantage and can result in issues at audit time.
How do you ensure (or certify as part of an audit), in advance of either type of access being granted, that the right access is being provisioned to the right person at the right time, and that excess access is being kept in check? Behavior-based machine learning algorithms may be part of the solution.
Now widely used to detect security breaches, user and entity behavior analytics (UEBA) has a role to play in establishing that granted access is “situationally correct.” Access behavior data from current employees can provide guidance for the needs of new employees. It can also be used to discover access that is granted outside of static, rules-based provisioning systems and to suggest new rules that cover these one-off applications. Additionally, it can be used to find access and privileges that were granted but are no longer needed. As over-allocated or unused access is discovered, the system reports it to a human reviewer, or rules are put in place to remove the access automatically.
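The review steps just described (unused access, expired temporary grants, one-off entitlements outside the role rules, rule suggestions from peer groups, and baseline access that was never completed) can be put into a small script. The following is an added example written for this page, not code from the article or from any UEBA product; the role rules, users, grants, access log and the 60% peer-share and 30-day staleness thresholds are all constructed assumptions chosen to illustrate the idea.

```python
"""Peer-group review of entitlements against observed usage.

Added example for this page. Every table below is constructed sample data
for a four-person organisation; nothing here is real user or application data.
"""
from collections import defaultdict
from datetime import date, timedelta

# Static, rules-based provisioning: what each role is expected to hold (assumed).
ROLE_RULES = {
    "engineer": {"git", "ci", "wiki"},
    "finance": {"erp", "wiki"},
}

# Constructed HR feed: user -> role.
USER_ROLES = {"alice": "engineer", "bob": "engineer",
              "carol": "engineer", "dave": "finance"}

# Constructed grants: (user, app, granted_on, expires_on or None if permanent).
GRANTS = [
    ("alice", "git", date(2024, 1, 10), None),
    ("alice", "ci", date(2024, 1, 10), None),
    ("alice", "wiki", date(2024, 1, 10), None),
    ("alice", "jira", date(2024, 2, 1), None),            # one-off, by app owner
    ("alice", "prod-db", date(2024, 3, 1), date(2024, 3, 8)),  # temporary, troubleshooting
    ("bob", "git", date(2024, 1, 15), None),
    ("bob", "ci", date(2024, 1, 15), None),
    ("bob", "wiki", date(2024, 1, 15), None),
    ("bob", "jira", date(2024, 2, 3), None),              # one-off
    ("carol", "git", date(2024, 2, 20), None),
    ("carol", "wiki", date(2024, 2, 20), None),           # note: no "ci" grant
    ("carol", "jira", date(2024, 2, 25), None),           # one-off
    ("dave", "erp", date(2024, 1, 5), None),
    ("dave", "wiki", date(2024, 1, 5), None),
    ("dave", "ci", date(2024, 1, 20), None),              # one-off, never used
]

# Constructed access log: (user, app, day the entitlement was exercised).
ACCESS_LOG = [
    ("alice", "git", date(2024, 3, 28)), ("alice", "ci", date(2024, 3, 27)),
    ("alice", "wiki", date(2024, 3, 20)), ("alice", "jira", date(2024, 3, 29)),
    ("alice", "prod-db", date(2024, 3, 5)),
    ("bob", "git", date(2024, 3, 30)), ("bob", "ci", date(2024, 3, 30)),
    ("bob", "wiki", date(2024, 1, 20)), ("bob", "jira", date(2024, 3, 28)),
    ("carol", "git", date(2024, 3, 31)), ("carol", "wiki", date(2024, 3, 25)),
    ("carol", "jira", date(2024, 3, 30)),
    ("dave", "erp", date(2024, 3, 29)), ("dave", "wiki", date(2024, 3, 15)),
]

AS_OF = date(2024, 4, 1)  # review date (constructed)


def last_use(log):
    """Map (user, app) -> most recent day the entitlement was exercised."""
    seen = {}
    for user, app, day in log:
        key = (user, app)
        if key not in seen or day > seen[key]:
            seen[key] = day
    return seen


def unused_entitlements(grants, log, as_of, stale_days=30):
    """Granted access with no use in the last `stale_days` days (or ever)."""
    cutoff = as_of - timedelta(days=stale_days)
    used = last_use(log)
    return sorted((u, a) for u, a, _, _ in grants
                  if used.get((u, a), date.min) < cutoff)


def expired_temporary_access(grants, as_of):
    """Time-bound grants whose expiry has passed but that were never revoked."""
    return sorted((u, a) for u, a, _, exp in grants
                  if exp is not None and exp < as_of)


def one_off_entitlements(grants, user_roles, role_rules):
    """Permanent grants that no role rule explains (provisioned by hand)."""
    return sorted((u, user_roles[u], a) for u, a, _, exp in grants
                  if exp is None and a not in role_rules[user_roles[u]])


def suggest_rules(grants, user_roles, role_rules, min_share=0.6, min_members=2):
    """One-off apps held by most members of a role: candidates for a new rule.
    Roles with fewer than `min_members` people are skipped so that a single
    user's access cannot become a rule by itself."""
    members = defaultdict(set)
    for u, r in user_roles.items():
        members[r].add(u)
    holders = defaultdict(set)
    for u, r, a in one_off_entitlements(grants, user_roles, role_rules):
        holders[(r, a)].add(u)
    suggested = defaultdict(set)
    for (r, a), users in holders.items():
        if len(members[r]) >= min_members and len(users) / len(members[r]) >= min_share:
            suggested[r].add(a)
    return dict(suggested)


def missing_baseline_access(grants, user_roles, role_rules):
    """Rule-entitled apps a user still lacks: predetermined provisioning incomplete."""
    held = defaultdict(set)
    for u, a, _, _ in grants:
        held[u].add(a)
    return sorted((u, a) for u, r in user_roles.items()
                  for a in role_rules[r] - held[u])


if __name__ == "__main__":
    print("unused:", unused_entitlements(GRANTS, ACCESS_LOG, AS_OF))
    print("expired temporary:", expired_temporary_access(GRANTS, AS_OF))
    print("one-off:", one_off_entitlements(GRANTS, USER_ROLES, ROLE_RULES))
    print("suggested rules:", suggest_rules(GRANTS, USER_ROLES, ROLE_RULES))
    print("missing baseline:", missing_baseline_access(GRANTS, USER_ROLES, ROLE_RULES))
```

On the constructed data the script flags Bob's long-idle wiki access and Dave's never-used CI access as removal candidates, reports Alice's expired troubleshooting grant on the production database as temporary access that was never cleaned up, proposes adding "jira" to the engineer rule because every engineer holds it as a one-off, and shows that Carol's onboarding left her without the CI access her role entitles her to. In a real deployment the grants and log would come from the IAM system and SIEM, and each finding would go to a human reviewer or an automated revocation rule as the article describes.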
For financial services companies, this approach assists with compliance requirements from FFIEC, FRB, FDIC, OCC, NCUA, CFPB, ACSSS, CSBS and NASCUS. For companies in the EU, it can help with GDPR. For companies in the power generation and distribution industry, it supports NERC-CIP. In the healthcare sector, correct data access is required for HIPAA. Lastly, for any business that accepts credit cards, access and privilege management is critical for PCI compliance.