Identity governance and admin: beyond basic access management

Aug 30, 2016 | 5 mins
Compliance | Investigation and Forensics | Security

User behavior analytics give additional power to identity management and compliance.

Identity management remains among the top security efforts needed to protect information resources. However, traditional solutions rely on significant human analysis and management, and that analysis and management carry high productivity costs for analysts and managers. Even then, a deep understanding of identity behavior, compliance, and role requirements is often unattainable. New identity solutions, labeled in 2013 by Gartner as Identity Governance and Administration (IGA), help provide the information we need to meet governance, risk, and compliance (GRC) challenges.


Most organizations seem to have a handle on identity management: create an identity, assign it to a role, give it a password, log access. This mostly works, but it doesn’t quickly identify outliers. It falls short in detecting malicious behavior while it is in progress and in mounting a quick, effective response.

Role management challenges

Role creation is often performed by business managers defining business processes and the roles that perform related tasks. It typically does not include looking at what and how users access and use information resources. This results in poorly defined roles, lost productivity, and frustrated users.

Separation of duties (SoD) is an important outcome when managing identity. Preventing any single role from performing all tasks associated with a business process helps prevent fraud and other malicious activities. It also helps identify mistakes. SoD enforcement usually begins with a matrix created by management, security, and internal audit. This team creates roles that, at least initially, look like they enforce SoD. However, the roles do not always enforce it in practice. Further, any change to a role requires the team to once again manually review all possible SoD violations.

Once an organization creates roles, periodic recertification is required. Data owners must review each role and determine whether the access granted is still acceptable. This is time-consuming and often done haphazardly. Data owners, usually department heads, have far too much to do; they can’t afford to spend hours going over roles that might actually span multiple teams and departments.

Another problem with annual recertification is the period over which a changed role might have unwanted access. If a change is made soon after a recertification, the unwanted access will likely continue for a year.

Users needing additional access to perform their jobs often need to wait an extended period after their managers submit a request. This is because the approval process requires certification by the data owner, even if the change poses little risk to the organization.

Compliance and governance

Internal auditing is an important tool for confirming that employees and security procedures continue to achieve expected GRC outcomes. However, auditors usually find themselves limited to spot-checking samples. While this can provide much-needed information, it fails to show the overall state of compliance.

We expect certain user behavior, but we don’t always get it, even when roles are clearly defined and enforced. What is the user trying to access, where is the user, what device is the user on, and at what time is the access attempted? What is the frequency of attempts? Relying on logs, organizations must attempt to identify unwanted user behavior patterns that tools like SIEM solutions frequently miss. This includes understanding a user's behavior relative to that of the user's peers.


Finally, GRC management often requires multiple, unintegrated tools for tracking behavior and roles across multiple applications and locations. This is particularly problematic when an organization relies on cloud services for sensitive data and critical system access.

The solution

IGA solutions, like Saviynt, include both traditional identity administration and governance processes as depicted in Figure A. In the administration cycle, shown on the left, administrators work with data owners to create roles. They also create identities and assign them to roles associated with job titles. Further, data owners must recertify roles and approve job changes. IGA helps streamline these tasks.

Figure A

The administration function draws on user behavior information from the governance operations in the IGA solution, shown on the right in Figure A. Using this information, administrators and data owners can see the resources that users within each role access every day, making it easier to create roles. When a user needs additional access, the IGA solution uses policies defined within it to determine whether the access is high risk (for example, whether it violates separation of duties). If not, the change is immediately approved without the need for data owner intervention. High-risk changes go into a workflow process for data owner approval.

Auditors looking at access controls have a variety of reports to review. Some IGA solutions track all access across all resources at all locations, including the cloud.

Waiting for annual recertification of access is eliminated. As noted above, all high risk changes are immediately sent to the data owner for review. Further, access granted to individuals that their peers do not have—or attempts by users to access resources not used daily by their peers—is flagged and the administrator alerted. Figure B shows a simple example of how this might work. 

Figure B

All members of each role should behave similarly, based on where they work, job title, and manager. For example, we expect a payroll clerk to access basic payroll functions. However, if the clerk attempts to access accounts payable or intellectual property resources, the administrator should be able to see and respond to the unexpected behavior. IGA solutions provide this capability.
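The two IGA behaviors described above (the policy gate that auto-approves a request unless it creates an SoD violation, and the peer-group check that flags a user touching a resource none of their role peers use) can be sketched in code. This is an added illustration, not code from the article or from any IGA product; the SoD matrix, role names, and access log are constructed sample data.

```python
from collections import defaultdict

# Constructed SoD matrix: each pair must never be held by one identity.
SOD_CONFLICTS = [
    frozenset({"ap.create_invoice", "ap.approve_payment"}),
    frozenset({"payroll.edit_rates", "payroll.approve_run"}),
]

def sod_violations(entitlements):
    """Return the conflict pairs fully contained in this entitlement set."""
    held = set(entitlements)
    return [sorted(pair) for pair in SOD_CONFLICTS if pair <= held]

def evaluate_request(current, requested):
    """Policy gate for an access request: auto-approve when the proposed set
    creates no SoD violation, otherwise route it to the data owner workflow."""
    proposed = set(current) | {requested}
    violations = sod_violations(proposed)
    if violations:
        return {"decision": "owner_review", "violations": violations}
    return {"decision": "auto_approved", "violations": []}

def peer_outliers(access_log, role_of):
    """Flag (user, resource) pairs where the user touched a resource that no
    other member of the same role touched in the same log window.
    access_log: iterable of (user, resource); role_of: dict user -> role."""
    users_by_role_resource = defaultdict(set)
    for user, resource in access_log:
        users_by_role_resource[(role_of[user], resource)].add(user)
    members = defaultdict(set)
    for user, role in role_of.items():
        members[role].add(user)
    flagged = []
    for (role, resource), users in sorted(users_by_role_resource.items()):
        if len(members[role]) < 2:
            continue  # a role with a single member has no peers to compare
        if len(users) == 1:  # only this user, none of the peers, used it
            flagged.append((next(iter(users)), resource))
    return flagged

# Constructed sample data: three payroll clerks and one AP clerk.
ROLE_OF = {"alice": "payroll_clerk", "bob": "payroll_clerk",
           "carol": "payroll_clerk", "dave": "ap_clerk"}
ACCESS_LOG = [
    ("alice", "payroll.basic"), ("bob", "payroll.basic"), ("carol", "payroll.basic"),
    ("alice", "ip.repository"),  # no payroll peer touches this resource
    ("dave", "ap.invoices"),     # sole member of the role, so not flagged
]

if __name__ == "__main__":
    print(evaluate_request(["ap.create_invoice"], "ap.approve_payment"))
    print(peer_outliers(ACCESS_LOG, ROLE_OF))
```

In the sample, the request to add payment approval to an invoice creator lands in owner review, while alice's visit to the IP repository is the only access flagged for the administrator.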

In addition to looking at user behavior across the information life cycle in Figure A, IGA solutions are valuable for performing forensics during or after a security incident. Reports include who accessed what, when, the device used, and so on.


  • Traditional identity management lacks tools to streamline approvals and governance
  • IGA solutions provide administrators and data owners with solutions that streamline and validate identity and role management tasks
  • User behavior analysis is built into IGA solutions, making auditing and forensics tasks easier and of greater

Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for TechRepublic and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.