Risk management is a five-step process that always starts with identification. It’s common sense; you have to determine what risks are involved before you can evaluate, prioritize, mitigate, and monitor them. With identity and access management (IAM), however, identifying risks can be a difficult process.
An enterprise with 1,000 employees and 25 IT systems that each have 10 levels of permission has a quarter of a million possible access combinations. As the size of the organization and the complexity of the IT environment increase, the number of possibilities mushrooms. It seems impossible for IT to determine which access privileges constitute a threat to the organization, much less assess the potential impact of those threats and develop appropriate measures for addressing them.
On top of that, the granting of access permissions is not controlled by IT. An IT team might be responsible for the technical implementation of those permissions, but individuals in other departments decide which resources their users should have access to and the level of that access. Do the people making access decisions fully understand the risk implications of those decisions? Do they truly assess access requirements for each user or “rubber stamp” access privileges based on broadly defined groups?
Such questions help us see why automated tools have become essential to the identity risk management process. Data analytics can assign a risk “score” to various users, roles, and information resources by evaluating potential risk according to mathematical models and algorithms. Risk analysis tools can also provide visibility into the process for granting access permissions. This enables IT to quickly identify high-risk users and determine if their access privileges are justified and adequately controlled. IT personnel gain the insight they need to confer with access decision-makers and develop policies and processes for mitigating risk.
Identity risk analysis should be performed at the following key risk points in the IAM process:
RSA Identity Governance incorporates risk analytics tools that provide visibility into the potential risks posed by access entitlements. Risk ratings can be applied to users, roles, information resources, or events, then tied to specific security controls. IT, compliance, audit, and risk management teams gain the metrics they need to make informed access decisions and mitigate or remediate risk.
Eliminating risk from IAM is impossible, but you can take steps to minimize that risk by using automated tools to assess the potential impact of access privileges. Clango’s experts can review your IAM policies and practices and help you leverage the analytics capabilities of RSA Identity Governance to gain actionable insight into access risk.
For more information about minimizing security risks with RSA Identity Governance, please send us an email at (firstname.lastname@example.org).