Improving access certification processes makes life easier for business users. But that’s not the point

When you do everything possible to make access certifications easier, you’re not just doing business users a favor. You’re improving the security posture of the entire organization.

Network World: IoT Hacks [slide-06] > Lateral Attacks > Network access via a single breach point
HYWARDS / Getty Images

Let’s face it: Nobody looks forward to access certifications. Not the business user who has to take a big chunk of time out of an already stretched schedule to go through every single user’s access privileges and confirm whether they’re correct. Not the internal audit team that has to play the bad guy and prod the business user to quit procrastinating and get the reviews done. And certainly not the CISO, who’s ultimately responsible for the organization’s security and compliance posture—knowing that for every business user who conscientiously and painstakingly examines each user’s access, there could be another who’s just checking boxes as fast as possible (and leaving behind unmitigated risks of inappropriate access for someone to come along and exploit).  

It’s probably safe to say the process for access certifications at any given organization isn’t making anyone particularly happy. That’s a big problem, and the reason it’s a big problem is that it creates a much bigger problem: the threat to security. When access certification reviews are as burdensome as they can sometimes be these days, business users may take shortcuts. When they take shortcuts, they create security gaps. And when they create security gaps, they leave the door open to every bad actor out there who is just waiting for a gap they can sneak through.  

When you take action to make access certification review easier, you reduce the burden on your business users, improve your ability to achieve compliance, and most importantly, become more effective at closing security gaps. You make it possible to achieve “access assurance,” or the confidence that a user’s access privileges are exactly as they should be, and that the organization is compliant and secure. But to get to that happy ending, we have to first look back at how access certifications got to be so challenging in the first place, then examine what can be done to make them reviews more effective—and thus make organizations more secure.

Where’s Waldo? Business users are overwhelmed by sheer numbers

Access certification processes were originally adopted largely in response to the need for organizations to attest to compliance with the Sarbanes-Oxley Act of 2002 (SOX). This mandate has companies creating annual certification processes to regularly attest that user’s access is appropriate. These annual (and sometimes more frequent) ceremonies were built on the principle that we needed managers to look at their employees’ access to gain the assurance their access privileges are appropriate to their jobs. After all, who better than an employee’s manager to know what the employee needs in order to be successful, right?

That makes sense, but here’s the problem: Now that we’ve moved beyond SOX-relevant applications and expanded the objective to achieving assurance that all of a user’s access is appropriate, we have a whole lot more information for managers to review, and not all of it is directly associated with their specific job. This has created what I call the “Where’s Waldo” approach to access assurance. We are putting a ton of information in front of a business user and sending them on a hunt for the bad stuff – not unlike looking for the proverbial needle in the haystack, or the Waldo in the crowd.

Sure, there’s been progress over time around making access certifications more manageable, especially with the shift years ago to defining roles into which users can be grouped. It imposes less of a burden if a business user only has to make one decision instead of 20, to be sure. But when you consider that in an organization of 100,000 people, there may be tens of thousands of roles, reviews can still require a tough, time-consuming effort—one that can take a toll on business users. Faced with the challenge of sifting through a mountain of data to identify and flag issues, reviewers may end up being less thorough than they should be.

Of course, nobody goes into access certifications intending to make a decision that’s going to put the entire organization at risk. But that’s exactly what can happen—in fact, I’d say it’s almost inevitable—when the process asks so much of business users who already have far more to do than time in which to do it. The careful examination of data that leads to confidently stating that everything is right gives way to a more cursory look that may instead end with less confidently noting that everything looks right and giving it a rubber stamp of approval.

The remedy for the risk lies in finding ways to make it faster and easier for business users to review access certifications accurately and efficiently.

The transformative power of data science, analytics and automation

There’s only so much that can be done with roles to reduce the amount of access data your business users must review and certify. As the number of users continues to proliferate and the status of their access privileges grows ever more complex, it becomes less and less useful to look at the problem through the lens of how much individuals can or cannot do. You’ll always run up against the limitations of human capabilities—not to mention the limited supply of patience people have. All the while, as the demands grow to the point of seeming insurmountable, and reviewers respond by letting more and more things fall through the cracks, the security risk that ensues will just continue to grow.

It’s time to step back and see the situation in a different way, with a view to how technology can be brought to bear on the problem. Data science, analytics and automation thus become indispensable tools in the quest for better security through more accurate and efficient access certification reviews. Today, it’s possible to use these tools to automatically isolate high-risk and low-risk access so that reviewers can quickly focus on potential problem areas (or to just as quickly turn their attention away from areas where there’s very little risk).

For example, what if access certification reviews begin with high-risk issues already flagged, drawing to the reviewer’s attention to any clear compliance violation, for example, or to instances of a user having access to a highly critical application? And conversely, what if low-risk areas are similarly indicated, so that the reviewer knows there’s little or no need to spend a lot of time combing through them? These are the first steps to providing more focus to reviews. But I contend we can go further.

Data science, analytics and automation can make it possible to identify and address access certification issues at a speed that transcends human limitations. Bringing that capability to access certifications applies the same principle that’s increasingly at work in fraud detection and cyber threat detection where sheer numbers can overwhelm manual efforts. For example:

  • In fraud detection, it’s necessary to analyze billions of credit card transactions in search of a few fraudulent ones. Validating each and every transaction is simply not possible; there will never be enough staff—or enough time—to do it in a timely manner. But data analytics can be used to identify irregular spending patterns and other activities that signal potential problems. Then, fraud analysts can focus their efforts on those problem areas.
  • In threat detection, the volume of cyber threats today makes it impractical for security analysts to look into every threat coming into an organization. But they can use technology to spot patterns indicative of problems. For example, suspicious activity on the network in and of itself may not amount to anything, but if it’s accompanied by malicious behavior on the laptop that initiated the network traffic, that may be a different story—one that bears further investigation by the analyst team.

When we apply these same concepts to how we ensure a user’s access is appropriate, we change the approach from a game of “Where’s Waldo” to a targeted consideration of specific issues. For example, we can ask the reviewer, “If your employee, Bill, is the only software developer in the company that has access to a particular production database, is that appropriate?” Credit card fraud detection has already adopted this to great effect: Where you may have once been told to go through every transaction on your monthly statement to see if any seem suspicious, you’re now getting a call from your card issuer asking if you really spent $35 yesterday on a train ticket to Bangladesh.

Data science opens up all kinds of new possibilities for helping organizations automate the access certification process. Armed with a variety of data science models to identify issues or patterns that need to be examined with additional context, organizations can uncover more effective approaches to finding the Waldos. A continuous feedback loop of “nope, not a Waldo” or “yep, definitely a Waldo!” can lead to data science techniques becoming more refined and detection systems getting smarter, much in the same way fraud detection has evolved so successfully over time. 

As more robust data science models make their way into access governance processes and technology, we will still have to satisfy our compliance objectives. But, that technology ultimately holds the promise of a more effective way to achieve access assurance. At the end of the day, that’s what really matters: reducing the security risk that unchecked inappropriate access creates.

Copyright © 2018 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline