Is Your Identity and Access Management Out of Control? (Part 1)
The answer depends on which controls you’re referring to.
In part one of this two-part series, we’ll see where you stack up on the question of whether your Identity and Access Management (IAM) is out of control.
If you are a fan of security controls, then you’re in luck, because there are plenty out there to choose from. There are those, such as the SANS Institute, who have attempted to rein in the proliferation of control models and guidelines from various institutes and agencies with their Critical Security Controls.
Ultimately, it’s up to each organization to decide, through coordination between the business, IT and auditors, whether the controls that are in place are adequate. The SANS Critical Security Controls are helpful for security teams, but they can prove challenging when trying to hold a conversation between security teams, administrators, auditors and business managers who speak vastly different languages. Further complicating matters is the tendency of security professionals to view IAM as outside the security domain.
Perhaps we can begin to answer the question of whether our IAM is out of control by agreeing that the lingua franca of security controls is their categorization as preventive, detective or corrective. Organizing controls using this ternary model provides a simpler means of communication between the various parties involved with controls, which is critical to addressing the question at hand.
Defining preventive and detective controls for IAM
Martin Kuppinger, founder and principal analyst at KuppingerCole Analysts, applies this simple ternary model of controls to IAM by explaining their evolution. In Kuppinger’s explanation, IAM has expanded from an original focus on preventive controls, where we manage users and entitlements in target systems, towards detective controls using Access Governance.
The access recertification process in Access Governance can provide a manual level of detecting improper entitlements, but because it carries the temptation of rubber-stamping by business managers and is time-bound (typically performed once annually), it can only be described as an incomplete detective control. User activity monitoring can round out detective IAM controls by recognizing unusual behavior associated with identities in near real-time.
But regardless of the detective control used, the question is how we can reduce the response time to detected anomalies, since they can be a signal of a breach.
The addition of corrective IAM controls
In the model Kuppinger lays out, the next logical step will be corrective IAM controls.
To be fair, we have manual corrective IAM controls in place already. For example, if a business user leaves a company, but one of her entitlements is missed in the revocation process, then we rely on the access recertification process to catch that, with the corrective control often being a ticket entered to revoke that access.
But what is envisioned with corrective IAM controls is far more automated – and necessary – in light of the growth in threats and the changing landscape of business technology, which increasingly includes partners, contractors and customers accessing sensitive data in the cloud or via mobile devices. Dependence on manual processes will be insufficient for the speed of response and corrective action needed to contend with expanding future threats and attack surfaces.
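As an added illustration of the missed-revocation case above (example code, not from the original post or from KuppingerCole), here is a Python sketch that treats the HR status feed as authoritative, detects entitlements a leaver still holds in any target system, measures how many days the gap stayed open, and turns each finding into a revocation action rather than a manually entered ticket. The HR records, entitlements, system names and function names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    role: str

# Constructed sample data (hypothetical): an HR status feed and the
# entitlements currently present in two target systems.
HR_STATUS = {
    "alice": ("active", None),
    "bob": ("terminated", date(2024, 3, 1)),
    "carol": ("terminated", date(2024, 3, 10)),
}
ENTITLEMENTS = [
    Entitlement("alice", "crm", "sales_reader"),
    Entitlement("bob", "crm", "sales_reader"),       # missed at offboarding
    Entitlement("bob", "payroll", "payroll_admin"),  # missed in a second system
    Entitlement("carol", "crm", "sales_reader"),
]
DETECTED_ON = date(2024, 3, 31)  # the day this detection cycle runs

def detect_orphaned_entitlements(entitlements, hr_status):
    """Detective control: entitlements whose holder HR does not list as active
    (identities unknown to HR are treated as improper too)."""
    return [e for e in entitlements
            if hr_status.get(e.user, ("unknown", None))[0] != "active"]

def exposure_days(entitlement, hr_status, detected_on):
    """Days from termination to detection: the response-time gap to shrink."""
    _, left_on = hr_status.get(entitlement.user, ("unknown", None))
    return None if left_on is None else (detected_on - left_on).days

def build_revocations(orphans):
    """Corrective control: a revocation per entitlement, in every system."""
    return [{"action": "revoke", "system": e.system, "user": e.user, "role": e.role}
            for e in orphans]

def run_cycle(entitlements, hr_status, detected_on):
    """Close the loop: detect, measure exposure, emit corrective actions."""
    orphans = detect_orphaned_entitlements(entitlements, hr_status)
    findings = [(e, exposure_days(e, hr_status, detected_on)) for e in orphans]
    return findings, build_revocations(orphans)

if __name__ == "__main__":
    for e, days in run_cycle(ENTITLEMENTS, HR_STATUS, DETECTED_ON)[0]:
        print(f"{e.user}@{e.system}:{e.role} exposed for {days} days")
```

Run daily, the exposure figure is the response time the text asks about; run once a year as part of recertification, the same leaver would show up with an exposure approaching 365 days.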
Part two of this series will expand upon the role of process automation in closing the loop between preventive, detective and corrective controls.
Evaluating IAM controls
So how does your organization stack up? Here are some specific questions to consider, organized by our ternary model:
Preventive IAM controls
1. Are least privileges enforced for access to sensitive information?
2. Is separation of duties maintained in line with information security policies?
3. Is there consistent and rapid revocation of entitlements when user changes occur?
Detective IAM controls
1. Is access certification accurately performed on a recurring basis?
2. Is privileged user activity monitored to encourage adherence to policy?
3. Is abnormal user activity flagged for follow-up?
Corrective IAM controls
1. Is access revoked in a timely manner when abuse of privileges or over-credentialing is detected?
2. Is access revocation performed consistently throughout the IT environment?
3. Is the process for the forensic gathering of evidence invoked when abuse of privileges is detected?
These are good starter questions that will likely lead to even more considerations with your business partners and auditors. IAM is sometimes forgotten in the discussion of controls. However, it’s best to have these conversations when planning and evaluating controls, rather than after a breach.