User behavior analytics give additional power to identity management and compliance. Identity management remains among the top security efforts needed to protect information resources. However, traditional solutions rely on significant human analysis and management, and that effort carries high productivity costs for analysts and managers. Even then, a deep understanding of identity behavior, compliance, and role requirements is often unattainable. New identity solutions, labeled in 2013 by Gartner as Identity Governance and Administration (IGA), help get the information we need to meet governance, risk, and compliance (GRC) challenges.

Most organizations seem to have a handle on identity management: create an identity, assign it to a role, give it a password, log access. This mostly works, but it doesn't quickly identify outliers. It falls short in detecting malicious behavior as it happens and in mounting a quick, effective response.

Role management challenges

Role creation is often performed by business managers defining business processes and the roles that perform related tasks. It typically does not include looking at what information resources users actually access and how they use them. This results in poorly defined roles, lost productivity, and frustrated users.

Separation of duties (SoD) is an important outcome of managing identity. Preventing any single role from performing all tasks associated with a business process helps prevent fraud and other malicious activity. It also helps identify mistakes. SoD enforcement usually begins with a matrix created by management, security, and internal audit. This team creates roles that, at least initially, appear to enforce SoD. However, this isn't always the case. Further, every change to a role requires the team to once again manually review all possible SoD violations.

Once an organization creates roles, periodic recertification is required.
Data owners must review each role and determine whether the access granted is still acceptable. This is time consuming and often done haphazardly. Data owners, usually department heads, have far too much to do; they can't afford to spend hours going over roles that might actually span multiple teams and departments. Another problem with annual recertification is the period during which a changed role might retain unwanted access. If a change is made soon after a recertification, the unwanted access will likely persist for a year.

Users needing additional access to perform their jobs often wait an extended period after their managers submit a request. This is because the approval process requires certification by the data owner, even when the change poses little risk to the organization.

Compliance and governance

Internal auditing is an important tool for confirming that employees and security procedures continue to achieve expected GRC outcomes. However, auditors usually find themselves limited to spot checking samples. While this can provide much needed information, it fails to show the overall state of compliance.

We expect certain user behavior, but we don't always get it, even when roles are clearly defined and enforced. What is the user trying to access, where is the user, what device is the user on, and at what time is the access attempted? What is the frequency of attempts? Relying on logs, organizations must attempt to identify unwanted user behavior patterns that tools like SIEM solutions frequently miss. This includes understanding a user's behavior relative to that of other employees and their peers.

Finally, GRC management often requires multiple, unintegrated tools for tracking behavior and roles across multiple applications and locations. This is particularly problematic when an organization relies on cloud services for sensitive data and critical system access.
The solution

IGA solutions, like Saviynt, include both traditional identity administration and governance processes, as depicted in Figure A. In the administration cycle, shown on the left, administrators work with data owners to create roles. They also create identities and assign them to roles associated with job titles. Further, data owners must recertify roles and approve job changes. IGA helps streamline these tasks.

Figure A

The administration function receives user behavior information from the governance operations in the IGA solution, shown on the right in Figure A. Using this information, administrators and data owners can see which resources users within each role access every day, making it easier to create roles. When a user needs additional access, the IGA solution uses the policies defined within it to determine whether the access is high risk (for example, whether it violates separation of duties). If not, the change is immediately approved without data owner intervention. High risk changes go into a workflow process for data owner approval.

Auditors looking at access controls have a variety of reports to review. Some IGA solutions track all access across all resources at all locations, including the cloud. Waiting for annual recertification of access is eliminated. As noted above, all high risk changes are immediately sent to the data owner for review. Further, access granted to individuals that their peers do not have (or attempts by users to access resources not used daily by their peers) is flagged and the administrator alerted. Figure B shows a simple example of how this might work.

Figure B

All members of a role should behave similarly, based on where they work, their job title, and their manager. For example, we expect a payroll clerk to access basic payroll functions. However, if the clerk attempts to access accounts payable or intellectual property resources, the administrator should be able to see and respond to the unexpected behavior.
IGA solutions provide this capability. In addition to looking at user behavior across the information life cycle in Figure A, IGA solutions are valuable for performing forensics during or after a security incident. Reports include who accessed what, when, the device used, and so on.

Takeaways

Traditional identity management lacks tools to streamline approvals and governance.
IGA solutions provide administrators and data owners with solutions that streamline and validate identity and role management tasks.
User behavior analysis is built into IGA solutions, making auditing and forensics tasks easier and of greater
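The peer-group comparison (flagging a payroll clerk who reaches into accounts payable) and the risk-based routing of access requests described under "The solution" above, as an added example that is not code from the article or from Saviynt; the access log, SoD matrix, and 50% peer threshold are constructed for illustration.

```python
# Added example (not from the article or any IGA product): build a per-role
# peer baseline from access events, flag accesses outside it, and route an
# access request to auto-approval or data-owner review based on an SoD matrix.
from collections import defaultdict

# Constructed sample access log: (user, role, resource)
ACCESS_LOG = [
    ("alice", "payroll_clerk", "payroll_view"),
    ("alice", "payroll_clerk", "payroll_edit"),
    ("bob", "payroll_clerk", "payroll_view"),
    ("bob", "payroll_clerk", "payroll_edit"),
    ("carol", "payroll_clerk", "payroll_view"),
    ("carol", "payroll_clerk", "accounts_payable"),  # not used by peers
    ("carol", "payroll_clerk", "ip_repository"),     # not used by peers
    ("dave", "ap_clerk", "accounts_payable"),
]

# Constructed SoD matrix: entitlement pairs one identity must not hold together
SOD_CONFLICTS = {frozenset({"payroll_edit", "accounts_payable"}),
                 frozenset({"vendor_create", "vendor_pay"})}

PEER_THRESHOLD = 0.5  # a resource is "normal" for a role if >= 50% of members use it


def peer_baseline(log):
    """Per role, the set of resources used by at least PEER_THRESHOLD of its members."""
    members = defaultdict(set)
    users_of = defaultdict(lambda: defaultdict(set))
    for user, role, resource in log:
        members[role].add(user)
        users_of[role][resource].add(user)
    return {role: {res for res, users in by_res.items()
                   if len(users) / len(members[role]) >= PEER_THRESHOLD}
            for role, by_res in users_of.items()}


def flag_outliers(log):
    """Return sorted (user, role, resource) events that fall outside the role's peer baseline."""
    baseline = peer_baseline(log)
    return sorted({(u, r, res) for u, r, res in log if res not in baseline[r]})


def route_request(current_entitlements, requested):
    """'auto_approve' when no SoD conflict results, else 'data_owner_review' (workflow)."""
    held = set(current_entitlements)
    for conflict in SOD_CONFLICTS:
        if requested in conflict and (conflict - {requested}) & held:
            return "data_owner_review"
    return "auto_approve"


if __name__ == "__main__":
    for event in flag_outliers(ACCESS_LOG):
        print("ALERT peer-baseline deviation:", event)
    print(route_request(["payroll_view", "payroll_edit"], "accounts_payable"))
```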