
Identity and Access Management (IAM) in most organizations is provided by Access Management, Privileged Access Management (PAM) and Identity Governance and Administration (IGA) solutions. Unfortunately, many of these solutions work independently in silos, and efforts to integrate them are patchwork at best. Even if Access Management, PAM and IGA each work flawlessly on their own, there is still plenty of opportunity for attackers to exploit the gaps between them to gain access to critical systems. Integrating these solutions makes identity security measurably more effective.

Let’s talk through an example use case of how gaps in Access Management and IGA tools can manifest.

Example Use Case: Zoom

The transition to work-from-home and remote learning led to an explosion in growth for Zoom. To end users, Zoom is just an application. Under the hood, however, every Zoom account carries one of three user roles:

  • Owner: Has all privileges, including role management
  • Admin: Can add, remove or edit users, as well as manage advanced features such as API, SSO, Billing, Meeting Connector and App Marketplace
  • Member: Has no administrative privileges and can only adjust their own user settings, unless those settings are locked by an admin at the Account or Group level

For organizations that use an Access Management solution, that means each user has, at minimum:

  • An account with the Access Management system
  • The Zoom app assigned to the account, likely via a role (an entitlement)
  • A Zoom account
  • The correct role assignment for their user type in Zoom (an entitlement)
  • A license for the Zoom account

As in-office work and in-person learning have resumed, Zoom usage within many organizations has decreased.

Access Management solutions don’t typically govern the Zoom account itself or the entitlements attached to it, whether roles, group memberships or the license status of the account. That is usually the job of an IGA solution.

So the Access Management solution keeps doing its job of controlling user authentication, and the IGA tool keeps provisioning access according to each user’s role.

But if a user stops using Zoom, or any other application for that matter, nothing in either tool notices: the user keeps that access for as long as their role says they should have it, whether or not they are actively using it.

Continued access to Zoom after it is no longer used may, on the whole, seem low stakes at first. But at the end of the day the risk is not just the unused Zoom account. It also lives in the Active Directory account and group memberships tied to that user, and in the role membership and license recorded for them in the IGA tool. Altogether, 10-12 distinct items associated with a single user are typically governed independently by disparate solutions.

The main problem

Your IGA system has done a great job of provisioning access to users according to their assigned roles and has maintained that governance with the required policies. But how is an IGA team supposed to know whether access to a particular application is still needed at any given point in time? Is each user role actually carrying the least privilege it could? By itself, an IGA system does not know the last time a user used an application.

That blind spot leaves a big gap between the privileges a user has been issued and the privileges they need to do their job.

What happens when you apply that assessment of risk across the whole organization? Which applications have fallen out of use for some users while others still use them daily, for example external partners or vendors who were granted access to a proprietary internal application? What dormant accounts remain on those applications or target systems, waiting to be exploited?

The serious pitfalls that come with siloed Access Management and IGA

It’s clear that the silos that exist between Access Management and IGA solutions result in a few key pitfalls:

  • No correlated access
    • Across all of these tools, how does any system know whether a user’s access is actually still required? Is the access currently assigned in your IGA system really the least privilege that user needs? By itself, an IGA system does not know when a user last logged in to an application, so it cannot revoke access on the grounds that a user hasn’t logged in in the last 90 days
  • Time-consuming application recertification
    • Whether driven by an audit or by regular role and privilege reviews, every organization needs to establish whether users have appropriate access levels across applications, both to meet compliance and regulatory requirements and to protect the integrity of enterprise information. Recertification is incredibly time consuming and resource intensive
  • Increased licensing costs
    • User seats for software and applications aren’t free. Budget is tied to every user and every application in use. Under-utilized applications with many users, or applications where users no longer need access, drive up overall licensing costs
  • Exposure to standing user privileges
    • Users with standing privileges, especially high-level ones, pose a serious risk to a business. If such a user is compromised, the attacker can use those privileges to move laterally into other applications
  • The information you already have is impractical to apply
    • Access Management and IGA solutions each collect and store an abundance of data on users. That information is useful within the context of each individual tool, but cross-referencing it from one tool to the other is time consuming and impractical

Using Behavior-Driven Governance to integrate Access Management and IGA

Behavior-Driven Governance (BDG) allows organizations with Access Management and IGA solutions to implement policies that recommend, or automatically carry out, the removal of unnecessary entitlements and accounts from users based on how those entitlements and accounts are actually being used.

For example, event data from the Access Management system (such as how often a user accesses an application) can be correlated with the associated accounts and entitlements held in the IGA system. From there, an attestation can be sent to the user’s manager or another responsible party, giving them the opportunity to revoke access that appears unneeded because the application is not being used.

Alternatively, the unneeded access can be revoked automatically when a user fails to meet set criteria, such as an inactivity threshold.
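The correlation and decision logic described above, written out as an added example (this is illustrative code, not One Identity’s product or the author’s implementation). It joins two constructed data sets: sign-in events as an Access Management system would log them, and entitlement records as an IGA system would hold them. For each entitlement it decides whether to keep it, route it to the manager for attestation, or revoke it automatically. The 90-day inactivity threshold comes from the post; the 30-day grace period for newly granted access, the rule that privileged roles are attested rather than auto-revoked, the user names and the "Jira" app are all assumptions made for the example.

```python
"""Behavior-Driven Governance as a small decision engine (illustrative code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Policy knobs. 90 days of inactivity is the threshold the post mentions; the
# 30-day grace period for fresh grants is this example's own assumption.
INACTIVITY_DAYS = 90
GRACE_DAYS = 30
# Zoom roles from the post that are never revoked without a human decision.
PRIVILEGED_ROLES = {"Owner", "Admin"}


@dataclass(frozen=True)
class Entitlement:
    """One IGA record: who holds which role in which app, and since when."""
    user: str
    app: str
    role: str
    granted: datetime


@dataclass(frozen=True)
class SignIn:
    """One sign-in event as the Access Management system would log it."""
    user: str
    app: str
    when: datetime


def ts(day: str) -> datetime:
    """Constructed timestamp: an ISO date at midnight UTC."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


def last_use(events: List[SignIn]) -> Dict[Tuple[str, str], datetime]:
    """Reduce the sign-in stream to the most recent sign-in per (user, app)."""
    latest: Dict[Tuple[str, str], datetime] = {}
    for e in events:
        key = (e.user, e.app)
        if key not in latest or e.when > latest[key]:
            latest[key] = e.when
    return latest


def decide(ent: Entitlement, last_seen: Optional[datetime], now: datetime) -> str:
    """Return 'keep', 'attest' or 'revoke' for one entitlement.

    Granted less than GRACE_DAYS ago: keep, there is nothing to observe yet.
    Used after the grant and within INACTIVITY_DAYS: keep.
    Otherwise the entitlement is dormant: privileged roles go to the manager
    for attestation, plain member access is revoked automatically.
    A sign-in older than the current grant belongs to an earlier grant and
    does not count as use of this one.
    """
    if now - ent.granted < timedelta(days=GRACE_DAYS):
        return "keep"
    if (last_seen is not None and last_seen >= ent.granted
            and now - last_seen < timedelta(days=INACTIVITY_DAYS)):
        return "keep"
    return "attest" if ent.role in PRIVILEGED_ROLES else "revoke"


def review(entitlements: List[Entitlement], events: List[SignIn],
           now: datetime) -> Dict[Tuple[str, str, str], str]:
    """Correlate IGA entitlements with sign-ins; one decision per entitlement."""
    latest = last_use(events)
    return {(e.user, e.app, e.role): decide(e, latest.get((e.user, e.app)), now)
            for e in entitlements}


def reclaimable_seats(decisions: Dict[Tuple[str, str, str], str], app: str) -> int:
    """Licenses that can be returned right away: auto-revoked seats in one app."""
    return sum(1 for (_, a, _), d in decisions.items() if a == app and d == "revoke")


# Constructed sample data; users and the "Jira" app are hypothetical.
NOW = ts("2023-06-01")
ENTITLEMENTS = [
    Entitlement("alice", "Zoom", "Member", ts("2022-01-10")),  # active user
    Entitlement("bob", "Zoom", "Member", ts("2022-01-10")),    # stopped using Zoom
    Entitlement("bob", "Jira", "Member", ts("2022-01-10")),    # but uses Jira daily
    Entitlement("carol", "Zoom", "Admin", ts("2021-09-01")),   # dormant admin
    Entitlement("dave", "Zoom", "Member", ts("2023-05-15")),   # just granted
    Entitlement("erin", "Zoom", "Member", ts("2022-03-01")),   # never signed in
    Entitlement("frank", "Zoom", "Member", ts("2023-04-20")),  # re-granted, unused since
]
SIGN_INS = [
    SignIn("alice", "Zoom", ts("2023-03-01")),
    SignIn("alice", "Zoom", ts("2023-05-20")),
    SignIn("bob", "Zoom", ts("2023-01-15")),
    SignIn("bob", "Jira", ts("2023-05-31")),
    SignIn("carol", "Zoom", ts("2022-12-01")),
    SignIn("frank", "Zoom", ts("2023-04-10")),  # predates frank's current grant
]

if __name__ == "__main__":
    decisions = review(ENTITLEMENTS, SIGN_INS, NOW)
    for (user, app, role), action in sorted(decisions.items()):
        print(f"{user:6} {app:5} {role:7} -> {action}")
    print("Zoom seats reclaimable now:", reclaimable_seats(decisions, "Zoom"))
```

Two details matter more than the thresholds. Decisions are keyed per (user, app), so bob’s daily Jira use does not keep his dormant Zoom seat alive, and a sign-in recorded before the current grant (frank) is not treated as use of the re-granted access. Routing the dormant Admin (carol) to attestation rather than auto-revocation is the example’s way of keeping a human in the loop for privileged roles; in a real deployment that rule would come from the policy the organization writes.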

The benefits of Behavior-Driven Governance

Behavior-Driven Governance combines the power of Access Management and IGA to deliver key benefits:

  • Enhanced visibility and governance
    • Rather than governing users and identities through two separate systems, Behavior-Driven Governance allows organizations to monitor application usage and apply policies based on usage behavior. As a result, entitlements are managed through adaptive policies and real-world identity behavior metrics that allow organizations to govern both Access Management and IGA tools as a unit
  • Lower costs
    • By having a comprehensive view of usage and activity, it’s a much simpler task to determine which licenses and user seats aren’t being used. Organizations can then recover the cost of unused licenses and lower the overall identity administrative burden
  • Stronger compliance
    • Inconsistent governance is a continual red flag for compliance. With Behavior-Driven Governance, the ability to consistently meet audit requirements by ensuring only needed entitlements are granted makes compliance much more attainable across an enterprise
  • Increased security
    • Removing unused accounts and entitlements from users reduces the overall risk that standing privileges pose and, in turn, improves an organization’s overall security posture

Organizations must consider where potential gaps and silos between Access Management and IGA tools may present issues and vulnerabilities. Are there applications in your organizational ecosystem where, even if access permissions are granted to users because of their roles, their usage would indicate that they likely don’t need those permissions anymore?

The enhanced visibility, insight and improved controls that Behavior-Driven Governance provides are a crucial stepping stone to maintaining least privilege and strengthening an organization’s overall security posture.

View how One Identity’s Behavior-Driven Governance works by watching this brief webcast.

About the Author

Josh Karnes

Josh came to One Identity in 2021 from SailPoint, where he started in the identity business in 2014 by joining their product team to work on their emerging cloud product line. As a former engineer, he’s a curious and habitual innovator, having collected seven patents throughout his eclectic career beginning in the early 90s. He contributed to technologies we all use every day, like touch screens, broadband networking, and even lightning protection and time synchronization for networks. He’s also a pretty good guitar player, and not a half bad motorcycle mechanic.