We all know by now that granting access to our sensitive applications introduces all sorts of "what-ifs" in an organization. What if my accounts payable admin, disgruntled and upset, decides to abuse her access to my payment system to funnel funds outside of the company? Or what if she decides to plug in her USB and infect the payroll system with a malicious executable?
Proactively managing access is a serious problem. Silo'd organizations make it difficult for the Identity & Access Management (IAM) team to maintain contact with the line of business and get context around what applications are used for. When the IAM team is tasked with creating access policies, they fail to reach out to the right business owners to understand what entitlements matter, and which ones don't. Even more difficult is the task of understanding access at a transactional level, i.e., if I give my users access to a specific set of entitlements, does it make them riskier to my business than if they had another set of entitlements? Actually, what does my business even look like?
Organizations must employ a hybrid approach to managing access risk, soliciting feedback from the line of business to understand both from a bottom-up and top-down method how access is used, and how this access aligns to critical business processes. Context is key in IAM. When we have context, we can govern the way our business operates. Consider taking a GRC approach to managing IAM processes:
- Know your business (KYB). Catalogue all your business processes, understand the key players in these processes, and make them your point-of-contact for business context. Capture business process criticality and ask yourself, what would happen if this business process stopped working? If the answer is catastrophic loss (financial or reputational), your process is critical to your business.
- Know what applications support what processes. The applications, assets and systems that support your processes are key to your business. Technology is not an inhibitor anymore, it's a key component of business continuity.
- Know what entitlements are available in your applications. Capture entitlement information through IAM. Intelligently engage the line of business to capture context of how these entitlements are used. Are they risky? How much money do they move? If abused, how much financial impact could result? This is your inherent risk, and without proper controls, your inherent risk is your reality. Perform a gap analysis and get buy-in from the line of business - their feedback and engagement is critical in protecting your enterprise.
- Roll up your risk metrics. Capture risk holistically and employ algorithm-based risk calculation. Automate this process, so that when something changes, you don't have to figure out where to change the math.
- Use roles, and use them to drive policies. Application roles are key, but enterprise roles include application roles in a broader context. Roles should be further contextualized to understand high risk roles vs. low risk roles; granting sensitive, high-risk entitlements to an accounts payable admin must be in conflict with high-risk entitlements granted to an accounts receivable admin.
- Perform continuous monitoring. Dynamically adjust access reviews to trigger based on risk of users. High risk users should be monitored more often than low risk users. Risk should be a function of not only access, but also what function in the business the user supports.
- Use IAM foundations to mitigate cyber threat. By knowing what applications are important and who your users are, incidents occuring on these application can be prioritized intelligently. Leverage all the enterprise and IAM information to drive SOC operations in a way like never before. Empower your analysts to know if an account has been compromised, if the account was orphaned, and how to remediate the account quickly.
Here's the thing - knowledge is power. The same goes when it comes to understanding risk. By proactively managing the enterprise, it is possible to shorten our reactive remediation efforts. We all prepare ourselves to respond when something happens, but focusing on effectively mitigating cyber and access risks proactively and not only lessens the number of incidents we face, it also is key for business sustainability.