
IT Compliance Lessons from College Football Recruiting, Part 2

Success in American college football requires a continuous recruiting process that demands continuous compliance oversight.

The difference between IT departments, which tend to focus on compliance once or twice a year, and the lifestyle of compliance that college athletics departments instill, was covered in part 1 of this series.

From an Identity and Access Management (IAM) perspective, the critical IT compliance control is the access certification process. Once or twice a year, business managers must review their employees’ entitlements and certify that the access is necessary, as a measure to enforce the least privilege principle. Everyone hates doing it.

This part 2 focuses on how to take access certifications from a point-in-time, bureaucratic process to one that actually reduces risk and is less burdensome for business users.


The turnovers: Two ways access certifications go wrong

Just like fumbles and interceptions derail a playbook plan, there are two ways that access certifications today are insufficient.

Imagine handing a football coach a clipboard with the names of all the team members in rows, a list of equipment they use in columns, and requiring an approval in each block. Most coaches would probably hand the task off to an assistant, who would mindlessly check each block and be done with it.

An ambitious assistant might create a giant rubber stamp with check marks to reduce the inevitable hand cramping when the process comes around again six months later. And the time gap between reviews leaves oversize open windows of time for criminals to exploit.


The problems of giant rubber stamps and oversize open windows of time are the tragic flaws in today’s access certification regimes. It’s like trying to play football without offensive guards on the line – your opponent is going to exploit the gaps.

The playbook of the future has to include more context and become more adaptive to the constantly-changing conditions, just like a well-coached team.

The game film: Tackling the challenge of context

Football teams watch game film to provide context for what they will see on the field. For access certifications, context must address two concerns – making it easier for business managers, and more consequential to security. That context must be based on risk scoring.

Risk scoring comes from a number of sources of information, for example:

• The sensitivity of the information that a user has entitlements to

• The time between access attempts

• The combination of entitlements that a user has

Risk-scoring algorithms have been used for decades to identify financial fraud, such as credit card theft. The approach has similar goals – don’t unnecessarily disrupt users from using their credit cards, and reduce the loss from stolen cards.

In the world of IT compliance, risk scoring can be used to elevate the highest risk users and entitlements to the top of the list for more extensive review. Business managers can focus there, reducing their workload and simultaneously reducing risk, addressing the rubber-stamping problem.
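The ranking described above, as an added example that is not part of the original column: a small risk-scoring routine that combines the three inputs the list names (sensitivity of the information, time since last use, and the combination of entitlements) into one score per user, then sorts the certification queue so reviewers start at the top. The sensitivity tiers, dormancy thresholds, toxic entitlement pairs and user records are all constructed assumptions for illustration, not a vendor's algorithm.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed sensitivity tiers for the data an entitlement reaches (constructed).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}

# Assumed separation-of-duties conflicts: holding both halves of a pair is a
# high-risk combination that deserves a reviewer's attention first (constructed).
TOXIC_PAIRS = {
    frozenset({"ap_create_vendor", "ap_approve_payment"}),
    frozenset({"hr_edit_payroll", "hr_approve_payroll"}),
}
TOXIC_PAIR_POINTS = 10


@dataclass
class Entitlement:
    name: str
    sensitivity: str            # key into SENSITIVITY
    last_used: Optional[date]   # None means never used since it was granted


@dataclass
class UserAccess:
    user: str
    entitlements: List[Entitlement] = field(default_factory=list)


def dormancy_points(ent: Entitlement, today: date) -> int:
    """Unused access is risk without business benefit; score rises with idle time."""
    if ent.last_used is None:
        return 4
    idle_days = (today - ent.last_used).days
    if idle_days > 180:
        return 3
    if idle_days > 90:
        return 2
    if idle_days > 30:
        return 1
    return 0


def score_user(ua: UserAccess, today: date) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one user's entitlement set."""
    total = 0
    reasons = []
    for ent in ua.entitlements:
        sens = SENSITIVITY[ent.sensitivity]
        dorm = dormancy_points(ent, today)
        total += sens + dorm
        if sens >= 3 and dorm >= 3:
            reasons.append(f"{ent.name}: sensitive and dormant")
    names = {e.name for e in ua.entitlements}
    for pair in TOXIC_PAIRS:
        if pair <= names:   # user holds both entitlements of the pair
            total += TOXIC_PAIR_POINTS
            reasons.append(f"toxic combination: {sorted(pair)}")
    return total, reasons


def certification_queue(users: List[UserAccess], today: date) -> List[Tuple[str, int, List[str]]]:
    """Order users from highest to lowest risk so reviewers focus where it matters."""
    scored = [(ua.user, *score_user(ua, today)) for ua in users]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample population (assumption, not real data).
TODAY = date(2023, 3, 1)
SAMPLE_USERS = [
    UserAccess("alice", [
        Entitlement("crm_read", "internal", date(2023, 2, 27)),
        Entitlement("ap_create_vendor", "confidential", date(2022, 6, 1)),
        Entitlement("ap_approve_payment", "confidential", None),
    ]),
    UserAccess("bob", [
        Entitlement("crm_read", "internal", date(2023, 2, 20)),
        Entitlement("wiki_read", "public", date(2023, 2, 28)),
    ]),
    UserAccess("carol", [
        Entitlement("hr_edit_payroll", "restricted", date(2023, 2, 15)),
        Entitlement("wiki_read", "public", None),
    ]),
]

if __name__ == "__main__":
    for user, score, reasons in certification_queue(SAMPLE_USERS, TODAY):
        print(f"{score:3d}  {user:6s}  {'; '.join(reasons)}")
```

The weights are deliberately simple so the ordering is explainable to a business manager: each line in the output says why a user landed near the top, which is what turns a rubber stamp into a considered decision.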

The sky box: Observing your opponent’s activities

Most offensive coordinators call plays from a suite high in a stadium, where they can see what their opponent is doing and adapt plays accordingly. Both teams constantly change what they’re doing to gain an advantage. But imagine if the coordinators only looked in once or twice a game.

For access certifications, that is what passes for acceptable today. And for good reason – business managers have far better things to do. What is needed is a way to automate the activity monitoring and escalate the high-risk activities for an immediate certification.

Specific risk triggers could include:

• Time of day

• Location of access

• Multiple access attempts from multiple locations

• Accessing multiple sensitive files simultaneously

Again, the fraud industry uses similar approaches, and we see adaptive authentication techniques used for step-up authentication when a user logs in from an unknown workstation, for example. Why not have immediate adaptive certifications when the risk level justifies it, to address the oversize time windows?
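The escalation described above, as an added example that is not part of the original column: a monitor that evaluates a stream of access events against the four triggers listed (time of day, location, multiple locations in quick succession, and a burst of sensitive-file access) and returns the users whose activity warrants an immediate certification instead of waiting for the next scheduled review. The business-hours range, allowed locations, time window, burst threshold and the event records are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed policy thresholds (constructed for this example).
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time counts as normal
ALLOWED_GEOS = {"US"}                  # locations the user population normally works from
WINDOW = timedelta(minutes=10)         # how close events must be to count as "simultaneous"
SENSITIVE_BURST = 3                    # sensitive files touched inside WINDOW to trigger

# Constructed access events in the shape a file or application audit log might yield.
EVENTS = [
    {"user": "dave", "ts": "2023-03-01T09:12:00", "geo": "US", "resource": "sales/q1.xlsx", "sensitive": False},
    {"user": "dave", "ts": "2023-03-01T09:20:00", "geo": "US", "resource": "sales/q2.xlsx", "sensitive": False},
    {"user": "erin", "ts": "2023-03-01T02:05:00", "geo": "US", "resource": "hr/payroll.csv", "sensitive": True},
    {"user": "erin", "ts": "2023-03-01T02:07:00", "geo": "BR", "resource": "hr/ssn.csv", "sensitive": True},
    {"user": "erin", "ts": "2023-03-01T02:09:00", "geo": "BR", "resource": "hr/bank.csv", "sensitive": True},
]


def evaluate_user(events: List[dict]) -> List[str]:
    """Return the sorted list of risk triggers fired by one user's events."""
    triggers = set()
    ordered = sorted(events, key=lambda e: e["ts"])
    prev_ts, prev_geo = None, None
    sensitive_times = []
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        if ts.hour not in BUSINESS_HOURS:
            triggers.add("off-hours access")
        if e["geo"] not in ALLOWED_GEOS:
            triggers.add(f"unexpected location: {e['geo']}")
        # Location changed between two events that are closer than WINDOW apart.
        if prev_geo is not None and e["geo"] != prev_geo and ts - prev_ts <= WINDOW:
            triggers.add("location change within window")
        if e["sensitive"]:
            sensitive_times.append(ts)
        prev_ts, prev_geo = ts, e["geo"]
    # Sliding window over sensitive accesses: any SENSITIVE_BURST of them inside WINDOW.
    for i in range(len(sensitive_times) - SENSITIVE_BURST + 1):
        if sensitive_times[i + SENSITIVE_BURST - 1] - sensitive_times[i] <= WINDOW:
            triggers.add("sensitive-file burst")
            break
    return sorted(triggers)


def escalate(events: List[dict]) -> Dict[str, List[str]]:
    """Group events by user; return only users with at least one trigger."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    result = {}
    for user, evs in by_user.items():
        fired = evaluate_user(evs)
        if fired:
            result[user] = fired   # hand to the manager for an immediate certification
    return result


if __name__ == "__main__":
    for user, fired in escalate(EVENTS).items():
        print(f"immediate certification for {user}: {', '.join(fired)}")
```

Each trigger is a separate, named reason, so the manager receiving the immediate certification sees exactly which behaviour raised the flag; a user with ordinary daytime activity produces no escalation at all, which is what keeps the process from becoming another rubber stamp.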

Two-point conversion: Risk scoring is at the core of solving both challenges

The good news is that both the rubber stamping and oversize time windows can be addressed with risk scoring. Using the context of fraud detection to provide risk scoring in access certification is where the next generation of access governance must evolve. That’s like lining up for an extra point and getting two points on the conversion.
