Today’s attackers are far more sophisticated than they were a decade ago. While some continue to use brute-force methods, many have shifted to hijacking insider credentials as a preferred method of breach. Security controls must include identity and access management (IAM) disciplines, as IT perimeters today are shifting towards access controls rather than relying solely on the perimeter technologies of the past.
In part one of this two-part series, we looked at the classification of IAM controls as either preventive, detective or corrective and provided specific self-evaluation questions for each. Here in part two, we will look more closely at the role of process automation for corrective IAM controls, as this is the least-mature component.
How process automation can help
Automation fits best where a process has repeatable steps; that is where it delivers faster response and greater efficiency. Building automation has a cost, and the return on that cost should be weighed before the build starts.
Process automation needs at least three components: a trigger, a diagnosis, and one or more actions. Each of these can be automated on its own, provided the step is repeatable enough to justify it.
For corrective IAM controls, the process trigger can come from the access recertification process or from user activity monitoring. For example, if a user suddenly starts downloading large, sensitive data files, most organizations would want that abnormal behavior to trigger an automated response that restricts the user's access or, at the very least, alerts the security team. The complication is that false alarms will also fire the trigger, and the process has to account for them. Placing a manual step at the end of the diagnosis component, before any action is taken, is one way to do that.
Not every part of a process can, or should, be automated. For this reason, it is often advantageous to keep a "man in the loop" to make decisions and stop automation from running amok. Automating a bad process just makes things bad faster. The machine-repeatable parts of a process, however, can do the heavy lifting of gathering supporting data so that a better-informed diagnosis of the situation can be made.
Done correctly, process automation can be used for triggering and diagnosing, with corrective actions presented as a menu of options for overworked security teams. Once a manual selection is made, the actions can then be automatically implemented. Full automation that skips manual diagnosis and goes right to temporary corrective actions should also be considered for the highest risk scenarios involving the most sensitive data. A rollback option can be used in this case if the situation is determined to be a false alarm.
In the IAM context, a corrective action usually means revoking the identity's access, not deleting the identity itself. You will want to retain the identity record for forensic work, which can also be automated once the immediate risk has been addressed. That forensic work includes reviewing logs for the identity's other activity to determine whether any additional damage was done.
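The trigger, diagnosis and action loop described above, as an added example that is not part of the original article: a small Python script that scores constructed user-activity events against a per-user download baseline (the trigger), gathers supporting data about the flagged user (the diagnosis), and then either auto-revokes access for the highest-risk case or presents a menu of options for an analyst. Revocation strips entitlements but never deletes the identity, and a rollback record is kept so a false alarm can be undone. Every user name, file name, threshold (the 10x spike factor and the 1 GB restricted-data line) and log line is an assumption made up for the example; a real deployment would read events from the SIEM or UAM feed and call the IAM platform's API instead of mutating a dict.

```python
"""Closed-loop corrective IAM control: trigger -> diagnosis -> action -> rollback.

Added example, not from the original article. All users, files, thresholds and
log lines are constructed; a real deployment would read from a SIEM/UAM feed and
call the IAM platform's API instead of an in-memory dict.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed user-activity events (fields chosen for the example, not a real schema).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:02:00Z", "user": "alice", "action": "download",
     "file": "q1-report.xlsx", "bytes": 2_000_000, "sensitivity": "internal"},
    {"ts": "2024-05-01T09:10:00Z", "user": "alice", "action": "download",
     "file": "payroll.csv", "bytes": 850_000_000, "sensitivity": "restricted"},
    {"ts": "2024-05-01T09:11:00Z", "user": "alice", "action": "download",
     "file": "customer-db.bak", "bytes": 1_200_000_000, "sensitivity": "restricted"},
    {"ts": "2024-05-01T09:15:00Z", "user": "alice", "action": "login",
     "file": None, "bytes": 0, "sensitivity": None},
    {"ts": "2024-05-01T10:00:00Z", "user": "bob", "action": "download",
     "file": "handbook.pdf", "bytes": 5_000_000, "sensitivity": "public"},
    {"ts": "2024-05-01T10:30:00Z", "user": "carol", "action": "download",
     "file": "backup-2024.tar", "bytes": 3_000_000_000, "sensitivity": "internal"},
]

# Constructed per-user baseline: typical daily download volume in bytes.
BASELINES = {"alice": 50_000_000, "bob": 20_000_000, "carol": 100_000_000}

SPIKE_FACTOR = 10                   # assumption: more than 10x baseline is abnormal
AUTO_REVOKE_BYTES = 1_000_000_000   # assumption: >1 GB of restricted data is highest risk


@dataclass
class IdentityStore:
    """Stand-in for the IAM platform. Identities are never deleted; only entitlements change."""
    identities: dict = field(default_factory=dict)    # user -> {"entitlements": set, "disabled": bool}
    rollback_log: list = field(default_factory=list)  # (user, saved entitlements) for false-alarm recovery


def detect_triggers(events, baselines, spike_factor=SPIKE_FACTOR):
    """Trigger: a user's total download volume exceeds spike_factor x their baseline."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "download":
            totals[e["user"]] += e["bytes"]
    return {u: t for u, t in totals.items() if t > spike_factor * baselines.get(u, 0)}


def diagnose(user, events):
    """Diagnosis: gather the supporting data a human (or the policy) needs to decide."""
    mine = [e for e in events if e["user"] == user]
    restricted = [e for e in mine if e["action"] == "download" and e["sensitivity"] == "restricted"]
    return {
        "user": user,
        "download_count": sum(1 for e in mine if e["action"] == "download"),
        "restricted_bytes": sum(e["bytes"] for e in restricted),
        "restricted_files": sorted(e["file"] for e in restricted),
        "other_actions": sorted({e["action"] for e in mine if e["action"] != "download"}),
    }


def decide(diag, auto_revoke_bytes=AUTO_REVOKE_BYTES):
    """Highest-risk case: ("auto", "revoke"). Otherwise a menu of options for the analyst."""
    if diag["restricted_bytes"] > auto_revoke_bytes:
        return ("auto", "revoke")
    return ("menu", ["revoke", "require_mfa", "alert_only", "dismiss"])


def revoke_access(store, user):
    """Corrective action: strip entitlements and disable sign-in, keeping the identity and a rollback record."""
    ident = store.identities[user]
    store.rollback_log.append((user, set(ident["entitlements"])))
    ident["entitlements"] = set()
    ident["disabled"] = True


def rollback(store, user):
    """Restore the most recently saved entitlements when the trigger turns out to be a false alarm."""
    for i in range(len(store.rollback_log) - 1, -1, -1):
        u, saved = store.rollback_log[i]
        if u == user:
            store.rollback_log.pop(i)
            store.identities[user].update(entitlements=set(saved), disabled=False)
            return True
    return False


def run_closed_loop(events, baselines, store):
    """Trigger -> diagnose -> decide, auto-revoking only in the highest-risk branch."""
    outcomes = {}
    for user in detect_triggers(events, baselines):
        diag = diagnose(user, events)
        mode, action = decide(diag)
        if mode == "auto":
            revoke_access(store, user)
        outcomes[user] = {"diagnosis": diag, "mode": mode, "action": action}
    return outcomes


def demo_store():
    """Constructed identity store: every baseline user starts with the same two entitlements."""
    return IdentityStore(identities={
        u: {"entitlements": {"fileshare:read", "vpn"}, "disabled": False} for u in BASELINES
    })


if __name__ == "__main__":
    store = demo_store()
    for user, o in run_closed_loop(SAMPLE_EVENTS, BASELINES, store).items():
        print(user, o["mode"], o["action"], o["diagnosis"]["restricted_files"])
    print("alice after revoke:", store.identities["alice"])
    print("rollback alice:", rollback(store, "alice"), store.identities["alice"])
```

With the constructed data, alice crosses both the spike threshold and the restricted-data line and is revoked automatically, while carol's large but non-restricted download only reaches the analyst menu; bob never triggers. Note that `revoke_access` leaves the identity record in place, so log review and other forensic work can still key off it, and the rollback log is the only thing that makes the fully automated branch safe to run without a human in front of it.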
The technology challenges
The technology to accomplish this is partially available in today’s IAM platforms that are capable of automated workflow execution, and have sufficient integration with enterprise systems and applications to revoke access when necessary. This can serve both the preventive and corrective roles. The detective role is provided by Access Governance and User Activity Monitoring technologies.
Once these foundational technologies are in place, then the next challenge is to define the process triggers, diagnosis and actions. Automation of these processes may require an IT Process Automation (ITPA) platform that integrates with and can command the other tools, and has the granularity to define steps that can be either manual or automated.
The ITPA platform must also be robust enough to handle the volume of events that are potential triggers. If User Activity Monitoring is SIEM-based, the ITPA platform must be able to evaluate trigger decisions at least as fast as the events-per-second (EPS) throughput of the SIEM tool; otherwise triggers queue behind the event stream and the response arrives too late to be corrective.
Completing the full circle of IAM controls
As I’ve written previously, today’s biggest security gap is identity. Security controls need to include IAM controls as a part of the program. Preventive IAM controls are the most mature component today, while organizations are just beginning to add detective IAM controls with Access Governance and User Activity Monitoring. Corrective controls in IAM complete the circle, as the corrective action of revoking access becomes the new preventive control. This closed-loop system is worth a funding investigation, as it has the potential to significantly reduce the risks presented by today’s threats.