Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

Is Your Identity and Access Management Out of Control?

Is Your Identity and Access Management Out of Control? (Part 1)

The answer depends on which controls you’re referring to.

Is Your Identity and Access Management Out of Control? (Part 1)

The answer depends on which controls you’re referring to.

In part one of this two-part series, we’ll see where you stack up on the question of whether your Identity and Access Management (IAM) is out of control.

If you are a fan of security controls, then you’re in luck, because there are plenty out there to choose from. There are those, such as the SANS Institute, who have attempted to rein in the proliferation of control models and guidelines from various institutes and agencies with their Critical Security Controls.

Identity and Access ManagementUltimately, it’s up to each organization to decide for themselves via coordination between the business, IT and auditors as to whether the controls that are in place are adequate. The SANS Critical Security Controls are helpful for security teams, but can prove challenging when trying to have a conversation between security teams, administrators, auditors and business managers who speak vastly different languages. Further complicating matters is the tendency of security professionals to view IAM as outside of the security domain.

Perhaps we can begin to answer the question of whether our IAM is out of control by agreeing that the lingua franca of security controls is their categorization as preventive, detective or corrective. Organizing controls using this ternary model provides a simpler means of communicating between the various constituents of controls, which is critical to addressing the question at hand.

Defining preventive and detective controls for IAM

Martin Kuppinger, founder and principal analyst at KuppingerCole Analysts, applies this simple ternary model of controls to IAM by explaining their evolution. In Kuppinger’s explanation, IAM has expanded from an original focus on preventive controls, where we manage users and entitlements in target systems, towards detective controls using Access Governance.

The access recertification process in Access Governance can provide a manual level of detecting improper entitlements, but because it carries the temptation of rubber-stamping by business managers and is time-bound (typically performed once annually), it can only be described as an incomplete detective control. User activity monitoring can round out detective IAM controls by recognizing unusual behavior associated with identities in near real-time.

But regardless of the detective control used, the question is how can we reduce the response time to detected anomalies, since they can be a signal of a breach?

The addition of corrective IAM controls

In the model Kuppinger lays out, he contends that the next logical step will be corrective IAM controls.

To be fair, we have manual corrective IAM controls in place already. For example, if a business user leaves a company, but one of her entitlements is missed in the revocation process, then we rely on the access recertification process to catch that, with the corrective control often being a ticket entered to revoke that access.

But what is envisioned with corrective IAM controls is far more automated – and necessary – in light of the growth in threats and the changing landscape of business technology to be more inclusive of partners, contractors and customers, accessing sensitive data in the cloud or via mobile devices. Dependence on manual processes will be insufficient for the speed of response and corrective action necessary to contend with expanding future threats and attack surfaces.

Part two of this series will expand upon the role of process automation in closing the loop between preventive, detective and corrective controls.

Evaluating IAM controls

So how does your organization stack up? Here are some specific questions to consider, organized by our ternary model:

Preventive IAM controls

1. Are least privileges enforced for access to sensitive information?

2. Are separation of duties maintained appropriate to information security policies?

3. Is there consistent and rapid revocation of entitlements when user changes occur?

Detective IAM controls

1. Is access certification accurately performed on a recurring basis?

2. Is privileged user activity monitored to encourage adherence to policy?

3. Is abnormal user activity flagged for follow-up?

Corrective IAM controls

1. Is access revoked in a timely manner when abuse of privileges or over-credentialing is detected?

2. Is access revocation performed consistently throughout the IT environment?

3. Is the process for the forensic gathering of evidence invoked when abuse of privileges is detected?

These are good starter questions, and that will likely lead to even more considerations with your business partners and auditors. IAM is sometimes forgotten in the discussion of controls. However, it’s best to have these conversations when planning and evaluating controls, rather than after a breach.

Read Part 2 of this series on process automation for corrective IAM controls.

Written By

Click to comment

Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...


Identity and access governance vendor Saviynt has closed a $205 million financing round.