Why Risk Analytics Is an Essential Component of Modern Identity Management


Risk management is a five-step process that always starts with identification. It’s common sense; you have to determine what risks are involved before you can evaluate, prioritize, mitigate, and monitor them. With identity and access management (IAM), however, identifying risks can be a difficult process.

An enterprise with 1,000 employees and 25 IT systems that each have 10 levels of permission has a quarter of a million possible access combinations. As the size of the organization and the complexity of the IT environment increase, the number of possibilities mushrooms. It seems impossible for IT to determine which access privileges constitute a threat to the organization, much less assess the potential impact of those threats and develop appropriate measures for addressing them.

On top of that, the granting of access permissions is not controlled by IT. An IT team might be responsible for the technical implementation of those permissions, but individuals in other departments decide which resources their users should have access to and the level of that access. Do the people making access decisions fully understand the risk implications of those decisions? Do they truly assess access requirements for each user or “rubber stamp” access privileges based on broadly defined groups?

Such questions help us see why automated tools have become essential to the identity risk management process. Data analytics can assign a risk “score” to various users, roles, and information resources by evaluating potential risk according to mathematical models and algorithms. Risk analysis tools can also provide visibility into the process for granting access permissions. This enables IT to quickly identify high-risk users and determine if their access privileges are justified and adequately controlled. IT personnel gain the insight they need to confer with access decision-makers and develop policies and processes for mitigating risk.
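As an added illustration (not RSA Identity Governance's model and not code from the original article), the sketch below scores users with a simple additive model and lists the entitlements that drive each high-risk score, so IT has something concrete to take to the access decision-makers. The resource ratings, permission weights, group multiplier, and threshold are assumptions, and the entitlement records are constructed sample data.

```python
from collections import defaultdict

# Assumed ratings: resource sensitivity (1-5) and permission-level weight.
RESOURCE_RISK = {"payroll": 5, "crm": 3, "wiki": 1}
LEVEL_WEIGHT = {"read": 1, "write": 3, "admin": 5}

# Constructed sample entitlements: (user, resource, level, how it was granted).
ENTITLEMENTS = [
    ("alice", "payroll", "admin", "group:finance-all"),
    ("alice", "crm", "read", "request:reviewed"),
    ("bob", "wiki", "write", "group:all-staff"),
    ("bob", "crm", "read", "request:reviewed"),
    ("carol", "payroll", "read", "request:reviewed"),
    ("carol", "crm", "admin", "group:sales-all"),
]

def contribution(resource, level, via, group_multiplier=1.5):
    """Risk of one entitlement: sensitivity x power, weighted up when it was
    inherited from a broad group instead of being reviewed individually."""
    base = RESOURCE_RISK[resource] * LEVEL_WEIGHT[level]
    return base * group_multiplier if via.startswith("group:") else base

def score_users(entitlements):
    """Return {user: total risk score} across all of the user's entitlements."""
    scores = defaultdict(float)
    for user, resource, level, via in entitlements:
        scores[user] += contribution(resource, level, via)
    return dict(scores)

def high_risk(entitlements, threshold=20.0):
    """Users at or above the (assumed) threshold, highest score first."""
    scores = score_users(entitlements)
    flagged = [u for u, s in scores.items() if s >= threshold]
    return sorted(flagged, key=lambda u: -scores[u])

def review_queue(entitlements, threshold=20.0):
    """Entitlements of high-risk users, largest contribution first, for
    justification by the business owner who approved them."""
    flagged = set(high_risk(entitlements, threshold))
    rows = [(u, r, l, v, contribution(r, l, v))
            for u, r, l, v in entitlements if u in flagged]
    return sorted(rows, key=lambda row: -row[4])

if __name__ == "__main__":
    print(score_users(ENTITLEMENTS))
    for row in review_queue(ENTITLEMENTS):
        print(row)
```

In this sample, the two users who reach the threshold do so because of admin rights inherited from broad groups, which is the "rubber stamp" pattern the previous paragraph asks about.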

Identity risk analysis should be performed at the following key risk points in the IAM process:

  • Onboarding of new users, role changes, and access reviews. Risk analysis helps ensure that the principle of least privilege is applied uniformly across an environment and that excess privileges are granted based on reasonable business requirements.
  • IT infrastructure changes such as new application rollouts, system upgrades, and cloud adoption. Risk analysis helps decision-makers determine what access is required so IT can provision users.
  • Business changes such as mergers and acquisitions, reorganizations, and new partnerships. Risk analysis makes it easier to develop new roles and quickly identify access privileges that fail to meet new criteria.

RSA Identity Governance incorporates risk analytics tools that provide visibility into the potential risks posed by access entitlements. Risk ratings can be applied to users, roles, information resources, or events, then tied to specific security controls. IT, compliance, audit, and risk management teams gain the metrics they need to make informed access decisions and mitigate or remediate risk.

Eliminating risk from IAM is impossible, but you can take steps to minimize that risk by using automated tools to assess the potential impact of access privileges. Clango’s experts can review your IAM policies and practices and help you leverage the analytics capabilities of RSA Identity Governance to gain actionable insight into access risk.


For more information about minimizing security risks with RSA Identity Governance, please send us an email at (
