
Identity Activity Monitoring

For some time now, we have been talking about identity activity monitoring. I alluded to it in a previous blog post. I will elaborate on it here.

Earl Perkins' recent blog post discussing the intersection between IAM and Security Information and Event Management (SIEM) was very insightful in shaping this post, especially his statement that the "links between IAM and other disciplines within IT become better defined and richer."

What is Identity Activity Monitoring?

We define it as an approach to identity management by which the organization can gain visibility, albeit on a read-only basis, on what end users are doing within its IT environment by correlating various traces of activity related to these users. This correlation is predicated on the accuracy of the organization's mapping of different identity attributes across the various IT assets that are tracking activity, which in most cases will mean the accuracy and quality of your identity data or your user directory. The latter is a good predictor of your IAM program's effectiveness.

Identity activity monitoring, in most cases, provides a complementary [and non-abrasive] value to an existing IAM infrastructure. From a business standpoint, it enables organizations to derive value from existing "lazy" information assets such as application and system logs. Therefore, it is conceivable, and often advantageous, for an organization to start with an identity activity monitoring initiative before, after or even in parallel with an identity provisioning or access recertification initiative.

Identity Activity Monitoring and time-to-value in an IAM initiative

In working with our clients across industry verticals, we see identity activity monitoring as a strong trend gaining momentum in the marketplace. It can accelerate their ability to meet compliance-related objectives and significantly mitigate insider security threats by leveraging information assets they already own, even if the controls for managing user access to systems are not automated. This improves the time-to-value of an IAM initiative, which is one of the most important indicators of a successful IAM initiative: how long before you can realize value and meet meaningful business objectives. I will illustrate this point with two examples:

  1. In our experience implementing provisioning solutions, our clients have been driven primarily by compliance-related requirements: enforce timely terminations, implement access recertification cycles for critical systems or applications, and streamline internal or external audit needs. Many of our clients' critical systems are either homegrown or legacy, which means that a commercially available IAM solution seldom integrates with them out of the box, from either a provisioning or access control perspective. In most cases, this means that we need to develop a custom integration for those systems. In the worst case, it means accepting that the system will need to be managed manually from an IAM standpoint. Either way, additional time and effort are required in the IAM implementation process to account for the custom integration work, the change management process and the manual labor needed to effectively reconcile and report on the identity-related activity in that critical system. An identity activity monitoring solution could shorten this time and provide an interim or permanent solution, assuming that:
    1. The critical system is able to produce logs regarding the user activity it sees.
    2. The user directory has a 1-to-1 mapping between the unique identifiers within the critical system and the enterprise identity entry for an individual (i.e., the system's unique ID is kept in an attribute in the user directory entry), and
    3. [Ideally] the critical system can log administrative-type operations (such as new account creation, account termination and privilege changes on an account); all of which are often very realistic assumptions. A solution could be implemented that harvests and correlates these logs and produces reports on on-boarding, termination and privilege assignment activity. Identity activity monitoring will help the organization meet its compliance requirements more quickly, while it devises a more permanent solution (if appropriate) for bringing this critical system under IAM governance.
  2. In the energy sector, especially under NERC CIP and FERC, we have identified a few use cases where identity activity monitoring is the optimal (if not the only) way to meet specific requirements:
    1. NERC CIP requirements around timely termination of access are, as of January 2010, enforced by financial penalties that can be up to one million US dollars per day. The requirement is that your organization needs to demonstrate that it can terminate logical access to NERC-regulated systems within 24 hours of that access no longer being required (e.g., an employee termination). With identity activity monitoring, organizations can track activity through logs and report on termination events, even if the actual process of terminating the account is done manually. With this ability, it is possible to tackle more applications and demonstrate compliance much faster than by deploying a de-provisioning IAM solution, which will require connectors to all NERC-regulated systems, many of which are legacy.
    2. In the electric side of the energy sector, many organizations are involved in the generation, transmission, distribution and trading of power. FERC regulations require segregation of duty (SoD) - employees of one side of the business and the other should stay physically and logically separated, and that in the event of transfer, prior access (both physical and logical) needs to be removed immediately to avoid conflicts. This creates two distinct use cases for identity activity monitoring:
      1. The ability to demonstrate and report that access to prior systems by the employee has been removed in a timely manner (even if done manually).
      2. The ability to monitor physical access events and correlate them to logical access, such that if a user from one side of the business swipes an access card at a facility on the other side of the business (referred to as "probing" in the NERC CIP requirements), the event can be immediately captured, reported and acted upon. There is no practical way to achieve this in a traditional IAM system, as they rarely integrate with Physical Access Control Systems (PACS).
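The first example above describes a procedure: harvest the critical system's log, correlate it with the user directory through the attribute that holds the system's own unique ID, and report on on-boarding, termination and privilege events, including whether access was removed within the 24-hour NERC CIP window. The following script is an added illustration of that procedure and is not code from the original post or from any product it mentions; the directory layout, the `legacySysId` attribute name, the pipe-delimited log format and all identities and timestamps are constructed for the example.

```python
"""Added example: correlate a legacy system's audit log with the enterprise user
directory, report lifecycle events per identity, and check the termination window.
All formats, attribute names and data below are constructed (hypothetical)."""
from datetime import datetime, timedelta

# Constructed user directory: each entry carries the critical system's own
# unique id in an attribute, giving the 1-to-1 mapping the approach depends on.
DIRECTORY = [
    {"uid": "jdoe", "legacySysId": "U1001", "status": "terminated",
     "terminated_at": "2010-03-01T09:00:00"},
    {"uid": "bsmith", "legacySysId": "U1002", "status": "active",
     "terminated_at": None},
]

# Constructed audit log from the critical system: timestamp|event|system id|detail
LEGACY_LOG = """\
2010-02-20T08:15:00|ACCOUNT_CREATED|U1002|created by admin root
2010-03-01T10:30:00|LOGIN|U1001|session from 10.0.0.5
2010-03-02T14:00:00|PRIVILEGE_CHANGE|U1002|granted role OPERATOR
2010-03-03T08:00:00|ACCOUNT_DISABLED|U1001|disabled by admin root
2010-03-04T02:00:00|LOGIN|U9999|session from 10.0.0.9
"""

TERMINATION_WINDOW = timedelta(hours=24)  # the 24-hour requirement discussed in the post


def parse_log(text):
    """Parse the constructed pipe-delimited log into event dicts."""
    events = []
    for line in text.splitlines():
        ts, event, sys_id, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "sys_id": sys_id, "detail": detail})
    return events


def build_mapping(directory, attr="legacySysId"):
    """Index directory entries by the critical system's unique id."""
    return {entry[attr]: entry for entry in directory if entry.get(attr)}


def correlate(events, mapping):
    """Attach the enterprise uid to each event; ids missing from the directory
    are returned as orphans, since an unmapped account is itself a finding."""
    correlated, orphans = [], []
    for ev in events:
        identity = mapping.get(ev["sys_id"])
        if identity is None:
            orphans.append(ev)
        else:
            correlated.append({**ev, "uid": identity["uid"]})
    return correlated, orphans


def lifecycle_report(correlated):
    """On-boarding, termination and privilege events grouped per enterprise user."""
    report = {}
    for ev in correlated:
        if ev["event"] in ("ACCOUNT_CREATED", "ACCOUNT_DISABLED", "PRIVILEGE_CHANGE"):
            report.setdefault(ev["uid"], []).append(
                (ev["ts"].isoformat(), ev["event"], ev["detail"]))
    return report


def termination_findings(correlated, directory, window=TERMINATION_WINDOW):
    """For each terminated identity: was the account disabled inside the window,
    and did any login occur after the HR termination time?"""
    findings = []
    for entry in directory:
        if entry["status"] != "terminated":
            continue
        term_at = datetime.fromisoformat(entry["terminated_at"])
        user_events = [e for e in correlated if e["uid"] == entry["uid"]]
        disabled = [e["ts"] for e in user_events if e["event"] == "ACCOUNT_DISABLED"]
        if not disabled:
            findings.append({"uid": entry["uid"], "finding": "NOT_DISABLED", "detail": ""})
        elif min(disabled) - term_at > window:
            findings.append({"uid": entry["uid"], "finding": "LATE_DISABLE",
                             "detail": str(min(disabled) - term_at)})
        for e in user_events:
            if e["event"] == "LOGIN" and e["ts"] > term_at:
                findings.append({"uid": entry["uid"], "finding": "ACTIVITY_AFTER_TERMINATION",
                                 "detail": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    events = parse_log(LEGACY_LOG)
    corr, orphans = correlate(events, build_mapping(DIRECTORY))
    print("lifecycle:", lifecycle_report(corr))
    print("orphan ids:", sorted({o["sys_id"] for o in orphans}))
    print("termination findings:", termination_findings(corr, DIRECTORY))
```

With the constructed data, `jdoe` is flagged twice: the account was disabled 47 hours after the HR termination time, and a login occurred after it; `U9999` surfaces as an orphan, which is exactly the kind of unmapped account that a read-only monitoring pass reveals and that degrades the mapping the whole approach rests on.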

There are a number of other use cases that identity activity monitoring can address, including:

  • Monitoring and de-normalizing usage of shared accounts, especially in legacy systems.
  • Measuring near real-time per user risk based on behavior, say based on role (trader vs. comptroller), status (user has given a 2-weeks resignation notice), time of day (Saturday at 2 AM local time), location (from home or at the office), etc. This risk could also be aggregated into a role or departmental level.
  • Identifying potential fraud by correlating activity patterns (e.g., someone swipes a badge at a site but is also accessing the network through VPN at nearly the same time).
  • Catching possible SoD violations as they occur, even if they are supposed to be prevented.
  • Detecting manual overrides by administrators of critical systems, which may go under the radar of an IAM reconciliation cycle, as they may occur only in short windows (e.g., hours).
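Two of the use cases above, the FERC "probing" case (a badge used at a facility belonging to the other side of the business) and the fraud pattern of a badge swipe and a VPN session from the same identity at nearly the same time, share the same correlation step: map badge ids and VPN usernames back to one enterprise identity and compare events across the physical and logical domains. The script below is an added example and is not code from the original post or any product it names; the directory attributes, facility inventory, CSV export formats, the ten-minute window and all events are constructed.

```python
"""Added example: correlate PACS badge events with VPN logon records to surface
cross-unit probing and physical/logical overlap for the same identity.
All formats, identifiers and data are constructed (hypothetical)."""
from datetime import datetime, timedelta

# Constructed directory: business unit plus the badge id attribute used for mapping.
DIRECTORY = {
    "tsmith": {"badge_id": "B-100", "unit": "trading"},
    "rjones": {"badge_id": "B-200", "unit": "transmission"},
}
# Constructed facility inventory: which side of the business each site belongs to.
FACILITIES = {"HQ-TRADING-FLOOR": "trading", "SUBSTATION-7": "transmission"}

# Constructed PACS export: timestamp,badge id,facility,result
PACS_LOG = """\
2010-03-20T08:02:00,B-100,HQ-TRADING-FLOOR,GRANTED
2010-03-20T12:45:00,B-100,SUBSTATION-7,DENIED
2010-03-20T13:10:00,B-200,SUBSTATION-7,GRANTED
2010-03-20T15:00:00,B-999,SUBSTATION-7,DENIED
"""
# Constructed VPN concentrator export: timestamp,username,remote address
VPN_LOG = """\
2010-03-20T08:05:00,tsmith,203.0.113.10
2010-03-20T22:00:00,rjones,198.51.100.7
"""

CO_LOCATION_WINDOW = timedelta(minutes=10)  # constructed tolerance for "nearly the same time"


def badge_to_uid(directory):
    """Reverse the directory's badge attribute into a badge id -> uid map."""
    return {v["badge_id"]: uid for uid, v in directory.items()}


def parse_pacs(text, mapping):
    """Parse the constructed PACS export and resolve each badge to an identity."""
    events = []
    for line in text.splitlines():
        ts, badge, facility, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "uid": mapping.get(badge),
                       "badge": badge, "facility": facility, "result": result})
    return events


def parse_vpn(text):
    """Parse the constructed VPN export; usernames are already enterprise uids here."""
    events = []
    for line in text.splitlines():
        ts, user, addr = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "uid": user, "addr": addr})
    return events


def probing_findings(pacs, directory, facilities):
    """A badge presented at a facility of the other business unit, whether or not
    the door granted access; unmapped badges are reported separately."""
    out = []
    for ev in pacs:
        if ev["uid"] is None:
            out.append({"finding": "UNMAPPED_BADGE", "badge": ev["badge"],
                        "facility": ev["facility"], "ts": ev["ts"].isoformat()})
            continue
        user_unit = directory[ev["uid"]]["unit"]
        site_unit = facilities.get(ev["facility"])
        if site_unit and site_unit != user_unit:
            out.append({"finding": "PROBING", "uid": ev["uid"], "facility": ev["facility"],
                        "result": ev["result"], "ts": ev["ts"].isoformat()})
    return out


def colocation_findings(pacs, vpn, window=CO_LOCATION_WINDOW):
    """Same identity granted physical entry and opening a remote VPN session
    within the window: a candidate for shared credentials or a lost badge."""
    out = []
    for v in vpn:
        for p in pacs:
            if p["uid"] == v["uid"] and p["result"] == "GRANTED" \
                    and abs(p["ts"] - v["ts"]) <= window:
                gap = abs(p["ts"] - v["ts"]).total_seconds() / 60
                out.append({"finding": "BADGE_AND_VPN_OVERLAP", "uid": v["uid"],
                            "facility": p["facility"], "vpn_addr": v["addr"],
                            "gap_minutes": gap})
    return out


if __name__ == "__main__":
    pacs = parse_pacs(PACS_LOG, badge_to_uid(DIRECTORY))
    vpn = parse_vpn(VPN_LOG)
    for f in probing_findings(pacs, DIRECTORY, FACILITIES) + colocation_findings(pacs, vpn):
        print(f)
```

Note that the probing check deliberately reports the denied swipe at SUBSTATION-7: the fact that a trading-side badge was presented there is the signal, regardless of whether the door opened, which is why a read-only feed from the PACS is enough for this use case.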

Bottom line

Identity activity monitoring is an emerging, pragmatic approach to addressing IAM business objectives. After 12+ years in IAM, my conclusion is that most IAM solutions have been conceived from an optimistic, top-down perspective. That is: if everything works according to plan, and follows the established processes and procedures, then what the IAM solution reports should be accurate.

But in practice, this is never the case. There are always exceptions and manual overrides, and often "back doors" that may not be caught. Besides, IAM systems do not often touch or integrate with all critical systems.

Therefore, leveraging system-level monitoring tools, which are conceived for pessimistic scenarios and take a bottom-up approach, provides what in control theory and industrial process automation is referred to as a feedback loop (i.e., the sensor) to the IAM control (illustrated in the diagram below, which I borrowed from Wikipedia). This approach may prove cost effective, particularly if your organization is already collecting logs and has implemented a SIEM solution.

Figure: closed-loop control system (diagram from Wikipedia)

Comments

There are emerging solutions that address the issues identified in item 1, above. Veriphyr (www.veriphyr.com) provides a service to find excessive access rights and shared logins by analyzing logs. Cloud Compliance (www.cloud-compliance.com) describes a SaaS solution called Identity and Access Assessment (IdAA) that identifies and remediates access control and entitlement policy violations. Both approaches are based on the feedback loop concept discussed above.

Since excessive access rights have been the top audit finding for the past two years, these solutions are valuable not only in closing security vulnerabilities but also in improving compliance performance.

For more detail, see my blog at www.cloud-compliance.com/blog/.
Posted @ Saturday, March 20, 2010 1:19 PM by Robbie Forkish
Thanks Robbie for this insight. Since you are listing vendors, I would include ArcSight (www.arcsight.com) and Novell's Sentinel in that list. These are products we know well and work with, which have some interesting integration options that complement traditional IAM solutions. We have found, in our experience working with clients, that the deployment cycles for these products and their integration within an IAM solution, particularly if they are already deployed for SIEM purposes, are relatively short, which makes them very appealing for the purpose of shortening time-to-value.
Posted @ Monday, March 22, 2010 4:24 PM by Frank Villavicencio