SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Mitigating identity-related risks: The complete package or a one-man show?
Wed, 5th Jul 2017

IT security continues to be a key concern for organisations in Asia Pacific. According to an IDC report, a significant number of organisations within the region are operating at the lowest states of IT Security readiness. As such, Identity and Access Management (IAM) is an essential tool to strengthen security and mitigate risk.

In the world of traditional IAM, two-factor authentication, single sign-on, provisioning, governance and privileged management are just some of the related disciplines. More recently, buzzwords like “analytics” have begun to proliferate in the realm of IAM – and thus the emergence of “Identity Analytics.” As with most emerging technologies, the term “Identity Analytics” is often misunderstood and misconstrued. Organisations really need to take a step back, look at the different areas of identity analytics, why they might need them, and which will bring the most value.

The question then arises, when it comes to reducing risk before an issue occurs, do organisations need the unequivocal strength of The Avengers or could they hedge their bets on just Iron Man?

Analytics is the practice of pinpointing key information residing in large amounts of data to provide visibility and comparison that can often predict what might happen next. IAM solutions have been primarily focussed on the area of Behaviour Analytics – i.e., looking at what type of behaviour occurred and the reasoning behind this behaviour. However, they should also be focussed on Identity Analytics and reducing risk before bad behaviour impacts the business.

Behaviour Analytics (Iron Man)

Also known as User Behaviour Analytics (UBA), Behaviour Analytics is the practice of gathering information and data about a user's behaviour. Supplied with this information, the UBA tool can identify which behaviour or usage deviates from a “normal” baseline and determine what action, if any, is needed.

In some cases, a user's recent activities may differ substantially from their historical activity, which indicates a change in pattern and, more importantly, a possible security breach.

For example, an employee in an organisation's finance department (rightfully) has access to the file shares that store all the merger and acquisition (M&A) documentation. Over the course of the last nine months, the user visited the site on average twice per week and downloaded three documents in total. However, over the past two weeks, the user has visited the site every night after 9 p.m. and begun downloading a massive amount of data.

While within the parameters of approved access, UBA would notice that the behaviour is anomalous – triggering further investigation from management and possibly even security. This is a simple example of how Behaviour Analytics, aka Iron Man, can be used to reduce security loopholes. But if you only had Iron Man's genius-level intellect and his powerful, armoured suit, it still wouldn't guarantee defeat against the likes of Loki or Ultron.
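The baseline comparison described above can be sketched as follows. This is an added example, not code from the article or from any UBA product; the event data is constructed to mirror the finance-user scenario, and the weekly metrics, the z-score threshold and the deviation floor are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

START = datetime(2017, 1, 2, 10, 0)  # constructed: a Monday, 10:00

def sample_events(anomalous=True):
    """Constructed (timestamp, documents_downloaded) visits for one user."""
    events = []
    for week in range(36):                      # ~nine months of baseline
        for day in (0, 3):                      # two daytime visits per week
            got = 1 if day == 0 and week in (4, 15, 30) else 0  # three downloads in total
            events.append((START + timedelta(weeks=week, days=day), got))
    for day in range(14):                       # the most recent two weeks
        if anomalous:                           # nightly at 21:30, bulk downloads
            events.append((START + timedelta(weeks=36, days=day, hours=11, minutes=30), 40))
        elif day % 7 in (0, 3):                 # habit unchanged
            events.append((START + timedelta(weeks=36, days=day), 0))
    return events

def weekly_profile(events, start, weeks):
    """One (visits, downloads, after_hours_visits) row per week from `start`."""
    rows = []
    for w in range(weeks):
        lo, hi = start + timedelta(weeks=w), start + timedelta(weeks=w + 1)
        wk = [(ts, n) for ts, n in events if lo <= ts < hi]
        rows.append((len(wk), sum(n for _, n in wk),
                     sum(1 for ts, _ in wk if ts.hour >= 21 or ts.hour < 6)))
    return rows

def detect(events, baseline_weeks=36, recent_weeks=2, threshold=3.0, floor=0.5):
    """Return {metric: z-score} for metrics whose recent weekly mean deviates."""
    baseline = weekly_profile(events, START, baseline_weeks)
    recent = weekly_profile(events, START + timedelta(weeks=baseline_weeks), recent_weeks)
    alerts = {}
    for i, name in enumerate(("visits", "downloads", "after_hours_visits")):
        base = [row[i] for row in baseline]
        sigma = max(pstdev(base), floor)        # floor: a flat baseline has zero deviation
        z = (mean(row[i] for row in recent) - mean(base)) / sigma
        if z > threshold:
            alerts[name] = round(z, 1)
    return alerts

if __name__ == "__main__":
    print(detect(sample_events()))
```

All three metrics alert for the nightly bulk-download pattern, while the same user with unchanged habits produces no alert even though the access itself is approved in both cases.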

Identity Analytics (The Avengers)

As opposed to just tracking behaviour, Identity Analytics (The Avengers) approaches the issue from a different angle. It fully analyses and understands the entitlements a user should have vs. what they actually do have.

Simply understanding what entitlements a user has is not enough; any IAM product can report on those. What drives true value is the analytical component: understanding how a user's entitlements relate to the rest of the organisation, to his or her peers, or even to other organisations. This collective power translates into the ability to predict trends and behaviours, identify what may potentially happen, and make recommendations for corrective action.

Imagine an employee who previously worked in IT and ultimately decided to transition into the role of a pre-sales engineer. When the sales department uses traditional IAM tools to pull a list of “who has access to the pre-sales engineer SharePoint site,” this user would correctly show up.

However, what would not be apparent is the fact that this user is now one of the most powerful users in the organisation. What the report does not show is that the entitlements the user had as an IT professional have NOT been removed. The user was never deprovisioned from their IT role, and the remaining, highly privileged access increases potential security risks.

Identity Analytics would find an anomaly of this nature almost instantly by comparing this individual with others from the pre-sales department. Armed with this information, the security professionals would know where to begin their work of securing the organisation by removing the IT-related entitlements from this pre-sales engineer.
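A minimal peer-group comparison for the scenario above, next to the traditional "who has access" report. This is an added example, not code from the article or from any IAM product; the directory, user names, entitlement names and the rarity cut-off are all hypothetical and constructed for illustration.

```python
from collections import defaultdict

# Constructed sample directory: user -> (department, entitlements). All names hypothetical.
DIRECTORY = {
    "alice": ("pre-sales", {"presales-sharepoint", "crm-read", "demo-lab"}),
    "bob":   ("pre-sales", {"presales-sharepoint", "crm-read", "demo-lab"}),
    "carol": ("pre-sales", {"presales-sharepoint", "crm-read"}),
    # dave moved from IT to pre-sales and was never deprovisioned
    "dave":  ("pre-sales", {"presales-sharepoint", "crm-read", "demo-lab",
                            "domain-admin", "firewall-config", "backup-operator"}),
    "erin":  ("it", {"domain-admin", "firewall-config", "backup-operator"}),
    "frank": ("it", {"domain-admin", "backup-operator"}),
    "grace": ("it", {"domain-admin", "firewall-config", "backup-operator"}),
}

def who_has(directory, entitlement):
    """The traditional IAM report: everyone holding one entitlement."""
    return sorted(u for u, (_, ents) in directory.items() if entitlement in ents)

def prevalence(directory):
    """Per department: fraction of members holding each entitlement."""
    members = defaultdict(list)
    for _, (dept, ents) in directory.items():
        members[dept].append(ents)
    return {dept: {e: sum(e in s for s in sets) / len(sets)
                   for e in set().union(*sets)}
            for dept, sets in members.items()}

def outliers(directory, rare=0.34):
    """Flag entitlements held by at most `rare` of the user's own department,
    and name the department where each is most common (a likely prior role)."""
    prev = prevalence(directory)
    findings = {}
    for user, (dept, ents) in directory.items():
        for e in sorted(ents):
            if prev[dept][e] <= rare:
                home = max(prev, key=lambda d: prev[d].get(e, 0.0))
                findings.setdefault(user, []).append((e, round(prev[dept][e], 2), home))
    return findings

if __name__ == "__main__":
    print(who_has(DIRECTORY, "presales-sharepoint"))  # dave looks unremarkable here
    print(outliers(DIRECTORY))                        # dave's leftover IT access stands out
```

In very small departments a single unusual user shifts the prevalence figures, so the cut-off needs tuning to peer-group size.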

Beyond that, Identity Analytics can compare entitlements from one organisation to another. If you are in a bank with 3,000 users, an Identity Analytics tool could show that when compared to banks of similar size and location, your bank has twice as many people with elevated privileges, a security posture you may want to investigate.

Identity Analytics is a logical addition to an organisation's larger IAM arsenal. It's a solution that allows you to pre-empt bad behaviour and, accordingly, reduce your attack surface before an issue occurs.

It is, therefore, not about choosing one or the other. Any security-minded organisation needs the mightiest IAM heroes, in this case both Behaviour and Identity analytics, to combat the bad guy.