Identity and Access Management: Filling the Gap in Identity and Access Governance
Traditional identity solutions focus on access to applications, but that misses as much as 80 percent of corporate data.
Matt Flynn
We’ve entered the age of access governance. Organizations need to know who has access to what data and how they were granted that access. Identity and Access Governance (IAG) solutions address these issues while managing enterprise access. They provide visibility into access, policy and role management, and risk assessment—and they facilitate periodic entitlement reviews of access across numerous systems. Most enterprise IAG solutions are missing a key piece to the puzzle, though: unstructured data.
Over the past five years, research has concluded that nearly 80 percent of enterprise content is unstructured. That means data doesn’t exist in a managed format where access is granted via a formal application or process. While that percentage is holding steady, the actual amount of unstructured data is growing consistently. Many organizations estimate an annual data growth rate of 30 percent to 40 percent across their file systems.
So why do the systems designed to manage risk and control access across the enterprise ignore 80 percent of the data? The answer is partly historic, partly technological and partly business-related. IAG solutions grew out of Identity and Access Management (IAM) solutions. Many of the top IAM vendors have introduced IAG solutions to supplement their offerings. The two leading independent IAG vendors were both founded by veterans of the IAM space. This is significant because IAM solutions have traditionally focused on access to applications instead of data. Those providers simply transitioned that architectural design into their current IAG solutions.
In their earliest iterations, IAM provisioning systems simply synchronized user accounts from one data store to another. They grew to enable password management, single sign-on, advanced access management workflows and other access-management functions. The primary focus, however, has always been managing user accounts and user access to applications.
Governing Access
At a basic level, today’s IAG solutions report on which accounts exist for each application or which users have the ability to authenticate to that application. At a deeper level, they might also answer what those accounts are authorized to do within certain applications. They answer these questions by reaching into the applications’ entitlement stores and gathering information about user accounts and related permissions. However, by definition, unstructured data doesn’t fit into that model.
IAG vendors may have realized that incorporating unstructured data would be critical to a comprehensive enterprise access strategy, but the core technology they use is designed to connect with various entitlement stores to retrieve relevant access information. In the world of unstructured data, there are no centralized entitlement stores. Entitlements are attached to the resources themselves and are therefore spread across the IT landscape.
Large enterprises often have tens of thousands of servers with millions of folders translating into literally billions of individual permissions. Because most access is granted via groups, you must evaluate each entitlement by enumerating through each group and parsing the members along with any of those nested groups.
For Fortune 500 organizations, the individual mappings of users to groups might number in the tens of millions. Evaluating this complex hierarchy of permissions is a complicated technical effort that leverages a totally different technical paradigm than that of most enterprise applications.
Most organizations would likely posit that their most critical information is managed within business-critical applications. Their human resources, enterprise resource planning, financial, supply chain, business line and other critical applications hold 20 percent of the most sensitive corporate data. IAM and IAG solutions that focus on those applications enable insight into the most essential of corporate information. The rules have changed, though.
All or Nothing
The top 20 percent of organizational information simply isn’t enough. Although a large portion—perhaps even the majority—of the other 80 percent of enterprise data may not be classified as high-risk or sensitive, it’s indeed an example of the needle-in-a-haystack scenario. There’s little doubt that somewhere across that huge amount of data is information that ought to be protected. Auditors and security officers are well within their rights to expect controls around and visibility into that unstructured data environment.
Even in heavily regulated environments such as finance and health care, business professionals regularly utilize unstructured data repositories such as distributed file systems and collaboration suites like Microsoft SharePoint to store, share and collaborate on sensitive data.
The lack of uniformity and control across these platforms represents significant risk, cost and effort during an audit. You need to address this problem and prepare your organization for a security review or compliance audit. Here are a few steps you can take to augment your IAG program in preparation to meet ongoing compliance requirements:
- Active Directory Cleanup: Active Directory is the launch pad for enterprise access. Access governance starts with gaining better control over Active Directory. This means understanding where high-risk and toxic conditions occur such as circular group nesting, dormant user accounts and user token bloat.
- Group Ownership: Most access to unstructured data is granted using a role-based model implemented via Active Directory group membership. Groups are therefore a core component of the access security model. Any evaluation of group memberships or group access starts with assigning a group owner who will take responsibility for the group and the access it enables. Depending on the security model, a group might represent an organizational designation (such as a department or team), or it might be more functional in nature (such as granting access to specified resources).
- Group Utilization: Scan the enterprise wherever Active Directory groups are being used and create a unified view of group utilization. Understanding where the groups are being used to assign permissions is a prerequisite to performing entitlement reviews or access audits. It also helps with group cleanup, consolidation and migration to an improved security model such as the Dynamic Access Controls being introduced with Microsoft Windows Server 2012.
- Content Owners: Content owners aren’t necessarily the same as group owners. Assign content owners who will take responsibility for reviewing content access rights. These data custodians take responsibility for access to the information based on its business usage. This can be an automated discovery process based on permissions, recent activity or advanced logic that performs discovery based on Active Directory attributes. For example, if recent activity and access rights are similar, the process can look for a common manager of those who have access. This manager is a good target for ownership. Because automated processes aren’t always foolproof, you might choose to insert a step in the process where probable owners can confirm their accountability and recommend other potential owners.
- Resource Cleanup: As you scan resources across unstructured data, you should collect information such as file size, content type, recent activity and other characteristics. You should also scan to identify high-risk content within files. Look for orphaned permissions, access granted to dormant user accounts, unused access, unused content and high-risk conditions such as open access. This metadata helps you prioritize where to further lock down access, where content could be archived and where you can remediate toxic conditions.
- Security Model: Articulating your intended security model is an important step in the process. Once you’ve identified the goal, use the data collected during the previous steps to validate that the model is implemented and enforced. You’ll also need to incorporate any resources existing outside of the model. This often relies on the prerequisite steps of understanding, for example, how groups are utilized and how permissions are applied. A well-defined security model enables improved audit response.
The preceding steps might not yield any magical results. There’s no flash or glamour. Business executives might not even notice that you’ve done anything. There’s tremendous inherent value, however, in performing these tasks.
The next time an auditor asks who has access to a resource, you can show them the intended security model, produce a report on the actual permissions, show how they’re applied and provide the name of the person responsible for reviewing that access. When you can give those answers without breaking a sweat, you prove that you’re in control. And that’s ultimately the intent of security audits: to prove control and visibility.
Also, once you’ve completed these steps, you can seamlessly incorporate the effective permissions mechanisms by which rights are granted—and the related analysis such as data classification and risk scoring—into your traditional IAG solutions. They can be organized and normalized within a centralized entitlement store that fits the IAG discovery model.
In an age where regulatory requirements seem to consistently grow in number and complexity, you can no longer ignore unstructured data platforms. It’s not enough to attempt to make sense of permissions one resource at a time. It’s time to do some spring-cleaning on a global scale. Cut down on the overall complexity and enable a model through which you can effectively manage and report on access to all data resources.
.jpg "Raymond Chen")
Matt Flynn is director of Identity and Access Governance Solutions at STEALTHbits Technologies Inc., a provider of IT security and compliance solutions. Flynn previously held positions at NetVision Inc.; RSA, the security division of EMC Corp.; MaXware (now a part of SAP AG); and the security services division of Unisys Corp.