IT Compliance Lessons from College Football Recruiting, Part 2

Success in American college football requires a continuous recruiting process that demands continuous compliance oversight.

Success in American college football requires a continuous recruiting process that demands continuous compliance oversight. The difference between IT departments that tend to focus on compliance once or twice a year, and the lifestyle of compliance that college athletics departments instill is covered in part 1 of this series.

From an Identity and Access Management (IAM) perspective, the critical IT compliance control is the access certification process. Once or twice a year, business managers must review their employees’ entitlements and certify that the access is necessary, as a measure to enforce the least privilege principle. Everyone hates doing it.

This part 2 focuses on how to take access certifications from a point-in-time, bureaucratic process, to one that actually reduces risk and is less burdensome for business users.

The turnovers: Two ways access certifications go wrong

Just like fumbles and interceptions derail a playbook plan, there are two ways that access certifications today are insufficient.

Imagine handing a football coach a clipboard with the names of all the team members in rows, a list of equipment they use in columns, and requiring an approval in each block. Most coaches would probably hand the task off to an assistant, who would mindlessly check each block and be done with it.

An ambitious assistant might create a giant rubber stamp with check marks to avoid the inevitable hand cramping when the process comes around again six months later. And that six-month gap leaves oversize open windows of time for criminals to exploit.

The problems of giant rubber stamps and oversize open windows of time are the tragic flaws in today’s access certification regimes. It’s like trying to play football without offensive guards on the line – your opponent is going to exploit the gaps.

The playbook of the future has to include more context and become more adaptive to the constantly-changing conditions, just like a well-coached team.

The game film: Tackling the challenge of context

Football teams watch game film to provide context for what they will see on the field. For access certifications, context must address two concerns – making it easier for business managers, and more consequential to security. That context must be based on risk scoring.

Risk scoring comes from a number of sources of information, for example:

• The sensitivity of the information that a user has entitlements to

• The time between access attempts

• The combination of entitlements that a user has

Risk-scoring algorithms have been used for decades to identify financial fraud, such as credit card theft. The approach has similar goals – don’t unnecessarily disrupt users from using their credit cards, and reduce the loss from stolen cards.

In the world of IT compliance, risk scoring can be used to elevate the highest risk users and entitlements to the top of the list for more extensive review. Business managers can focus there, reducing their workload and simultaneously reducing risk, addressing the rubber-stamping problem.

The sky box: Observing your opponent’s activities

Most offensive coordinators call plays from a suite high in a stadium, where they can see what their opponent is doing and adapt plays accordingly. Both teams constantly change what they’re doing to gain an advantage. But imagine if the coordinators only looked in once or twice a game.

For access certifications, that is what passes for acceptable. And for good reason – business managers have far better things to do. What is needed is a way to automate the activity monitoring and escalate the high-risk activities for an immediate certification.

Specific risk triggers could include:

• Time of day

• Location of access

• Multiple access attempts from multiple locations

• Accessing multiple sensitive files simultaneously

Again, the fraud industry uses similar approaches, and we see adaptive authentication techniques used for step-up authentication when a user logs in from an unknown workstation, for example. Why not have immediate adaptive certifications when the risk level justifies it, to address the oversize time windows?
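To make both ideas concrete (the risk-scoring inputs listed under the game-film section and the activity triggers listed just above), here is an added example, not code from the article or any vendor product, of a small risk-scored certification queue. The entitlement sensitivities, the toxic entitlement pair, the score weights and thresholds, and the three sample users are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed sample data (assumptions, not from the article): per-entitlement
# sensitivity on a 1-5 scale, and entitlement pairs that form a risky combination.
SENSITIVITY = {"payroll_admin": 5, "ledger_write": 5, "wiki_read": 1, "crm_read": 2}
TOXIC_PAIRS = {frozenset({"payroll_admin", "ledger_write"})}

@dataclass
class Access:
    when: datetime   # timestamp of the access
    location: str    # office or country the access came from
    resource: str    # entitlement or resource touched

def entitlement_risk(entitlements):
    """Static score: summed sensitivity plus a penalty per toxic combination held."""
    held = set(entitlements)
    score = sum(SENSITIVITY.get(e, 3) for e in held)  # unknown entitlement: assume medium
    return score + 10 * sum(1 for pair in TOXIC_PAIRS if pair <= held)

def activity_triggers(accesses, window=timedelta(minutes=10)):
    """Behavioural triggers (time of day, location, sensitive-file bursts) over recent accesses."""
    events = sorted(accesses, key=lambda a: a.when)
    fired = set()
    for i, a in enumerate(events):
        if a.when.hour < 6 or a.when.hour >= 22:
            fired.add("off_hours")
        burst = [b for b in events[i + 1:] if b.when - a.when <= window]  # accesses shortly after
        if any(b.location != a.location for b in burst):
            fired.add("multiple_locations")
        sensitive = {x.resource for x in [a, *burst] if SENSITIVITY.get(x.resource, 3) >= 4}
        if len(sensitive) >= 2:
            fired.add("multiple_sensitive_resources")
    return sorted(fired)

def certification_queue(users):
    """Rank users for review; any fired trigger escalates to an immediate certification."""
    queue = []
    for name, entitlements, accesses in users:
        triggers = activity_triggers(accesses)
        score = entitlement_risk(entitlements) + 5 * len(triggers)
        action = "immediate" if triggers else ("full_review" if score >= 5 else "sampled")
        queue.append((name, score, triggers, action))
    return sorted(queue, key=lambda row: row[1], reverse=True)

# Constructed sample population: (user, entitlements held, recent accesses).
_T = datetime(2024, 3, 4, 23, 30)
SAMPLE_USERS = [
    ("alice", ["payroll_admin", "ledger_write"],
     [Access(_T, "NYC", "payroll_admin"), Access(_T + timedelta(minutes=3), "LON", "ledger_write")]),
    ("bob", ["wiki_read"], [Access(datetime(2024, 3, 4, 10, 0), "NYC", "wiki_read")]),
    ("carol", ["ledger_write", "crm_read"], [Access(datetime(2024, 3, 4, 14, 0), "NYC", "ledger_write")]),
]
```

Running `certification_queue(SAMPLE_USERS)` puts the user holding the toxic pair with off-hours, two-location, two-sensitive-resource activity at the top for immediate certification, while the low-sensitivity user drops into a sampled review instead of a rubber stamp.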

Two-point conversion: Risk scoring is at the core of solving both challenges

The good news is that both the rubber stamping and oversize time windows can be addressed with risk scoring. Using the context of fraud detection to provide risk scoring in access certification is where the next generation of access governance must evolve. That’s like lining up for an extra point and getting two points on the conversion.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.