How to be compliant with Intelligent IAM

Posted by Steve Morin - Director, Product Management on Thu, May 19, 2016

A great deal of time and effort can be saved during management reviews and audits by using an Intelligent IAM solution to provide reports, including filtering and drill-down capabilities, trend information, and data visualization tools. These not only give managers a high-level view of progress toward goals (such as eliminating orphaned accounts and policy violations), but they can also show auditors that efforts have been made to address high-risk issues, such as monitoring access to the most sensitive data stores and controlling the entitlements given to privileged users. Here are a few other ways that using an Intelligent IAM solution can impact your goal of true compliance:

Continuous Improvement of Provisioning and Governance

Most users of Intelligent IAM solutions focus on the immediate benefits provided by continuous monitoring, rapid response to immediate threats, and tools to analyze risks, patterns, and trends. But organizations shouldn't overlook the importance of strengthening their investment in existing IAM systems.

Intelligent IAM can support the continuous improvement of account provisioning, governance, and other IAM processes. By providing visibility into key areas of access risk, it lets organizations respond immediately, either by running a micro-certification to fully inspect suspect access or by taking a deprovisioning action against a known violation. A fixed schedule for access reviews is still important to ensure compliance, but enabling continuous reviews as and when risks become visible is the governance best practice: it continuously improves the provisioning and compliance process and makes it more efficient.

Reducing over-provisioning and under-provisioning

Over-provisioning and under-provisioning are occupational hazards for everyone who defines and manages roles. Over-provisioning creates security vulnerabilities by granting unnecessary entitlements to a role. Often this comes about when a single individual with unique needs requests new access levels or entitlements that are then assigned to the role rather than to the individual, so the entitlements are mistakenly given to everyone in that role. This potentially leaves everyone in the role over-provisioned, creating an access risk and circumventing the Least Privilege model that should be standard practice.

Under-provisioning occurs when an entitlement that’s genuinely needed for a role isn't assigned, forcing all or most people in the role to request that entitlement on an exception basis. This is a drag on the productivity of the employees and of the managers and resource owners who must repetitively review and approve their ad-hoc requests.

Intelligent IAM helps people who define and manage roles reduce over-provisioning and under-provisioning. With a few clicks, they can determine the following:

  • Which entitlements are rarely or never used by current members of a role, so those entitlements can be removed from the role
  • Which entitlements are frequently or always requested by members in a role, so those entitlements can be added to the role
  • Which individuals have excessive entitlements compared with others in the role, so the behavior of those individuals can be examined and the individuals can be assigned to more appropriate roles

Activity related information, such as last login and last transactions executed, also provides insight into whether rights are really needed. For example, if a resource hasn't been accessed for three months, there's a strong chance it's not required for that individual or others in the same role.
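The three role-mining checks listed above, plus the "not accessed for three months" staleness test, are easy to express as queries over entitlement and usage data. The following is an added example written for this post, not code from the original article or from any product; the role, members, entitlements, last-used dates and exception requests are constructed sample data, and the thresholds (90 idle days, 25% active, 50% requesting, "fewer than half of peers") are assumptions a role owner would tune.

```python
from datetime import date, timedelta

# Constructed sample data (not from the post or any product): the members of
# one role, the entitlements the role definition grants, each member's actual
# entitlements with the date each was last exercised (None = never used), and
# the entitlements members have obtained through ad hoc exception requests.
AS_OF = date(2016, 5, 19)                     # review date used by the checks

ROLES = {"accounts_payable": ["alice", "bob", "carol", "dave"]}
ROLE_ENTITLEMENTS = {"accounts_payable": {"ap_invoice_entry", "ap_report_view", "gl_post"}}

USER_ENTITLEMENTS = {
    "alice": {"ap_invoice_entry": date(2016, 5, 10), "ap_report_view": date(2016, 5, 2), "gl_post": None},
    "bob":   {"ap_invoice_entry": date(2016, 5, 12), "ap_report_view": date(2016, 4, 28), "gl_post": None},
    "carol": {"ap_invoice_entry": date(2016, 5, 11), "ap_report_view": date(2016, 1, 5), "gl_post": date(2016, 2, 1)},
    "dave":  {"ap_invoice_entry": date(2016, 5, 9), "ap_report_view": date(2016, 5, 3), "gl_post": None,
              "vendor_master_edit": date(2016, 5, 4), "payment_release": date(2016, 5, 4)},
}
AD_HOC_REQUESTS = {
    "alice": {"ap_payment_view"},
    "bob":   {"ap_payment_view"},
    "carol": {"ap_payment_view"},
    "dave":  {"vendor_master_edit", "payment_release"},
}


def rarely_used(role, as_of=AS_OF, max_idle_days=90, max_active_fraction=0.25):
    """Role entitlements that almost no member has exercised in the window:
    candidates for removal from the role (over-provisioning)."""
    members = ROLES[role]
    cutoff = as_of - timedelta(days=max_idle_days)
    found = {}
    for ent in ROLE_ENTITLEMENTS[role]:
        last_used = [USER_ENTITLEMENTS[u].get(ent) for u in members]
        active = sum(1 for d in last_used if d is not None and d >= cutoff)
        fraction = active / len(members)
        if fraction < max_active_fraction:
            found[ent] = fraction
    return found


def frequently_requested(role, min_fraction=0.5):
    """Entitlements most members had to request by exception: candidates for
    adding to the role definition (under-provisioning)."""
    members = ROLES[role]
    counts = {}
    for u in members:
        for ent in AD_HOC_REQUESTS.get(u, ()):
            counts[ent] = counts.get(ent, 0) + 1
    return {e: c / len(members) for e, c in counts.items() if c / len(members) >= min_fraction}


def excessive_entitlement_holders(role):
    """Members holding entitlements outside the role definition that fewer
    than half their peers also hold: candidates for review or a different role."""
    members = ROLES[role]
    baseline = ROLE_ENTITLEMENTS[role]
    found = {}
    for u in members:
        peers = [p for p in members if p != u]
        extra = set(USER_ENTITLEMENTS[u]) - baseline
        unusual = {e for e in extra
                   if sum(e in USER_ENTITLEMENTS[p] for p in peers) < len(peers) / 2}
        if unusual:
            found[u] = sorted(unusual)
    return found


def stale_access(as_of=AS_OF, max_idle_days=90):
    """(user, entitlement, last_used) triples not exercised within the window,
    i.e. the 'not accessed for three months' case from the post."""
    cutoff = as_of - timedelta(days=max_idle_days)
    stale = [(u, e, last) for u, ents in USER_ENTITLEMENTS.items()
             for e, last in ents.items() if last is None or last < cutoff]
    return sorted(stale, key=lambda t: (t[0], t[1]))


if __name__ == "__main__":
    print("remove from role:", rarely_used("accounts_payable"))
    print("add to role:", frequently_requested("accounts_payable"))
    print("outliers:", excessive_entitlement_holders("accounts_payable"))
    for user, ent, last in stale_access():
        print(f"stale: {user} {ent} last used {last}")
```

On this sample the checks point at `gl_post` (in the role, used by nobody in the window), `ap_payment_view` (requested by three of four members, so it belongs in the role) and `dave` (two entitlements no peer holds, which a reviewer would examine rather than remove automatically). Real data would come from the provisioning system and application logs; the logic stays the same.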

Closing the Governance Gap with Continuous Monitoring

Organizations have blind spots when it comes to violations of security and privacy rules. Account provisioning systems provide users with appropriate access to corporate resources when they join a company or change roles. However, changes and exceptions to rules and roles over time introduce excessive rights for individuals, leading to policy violations and access-related vulnerabilities. In many organizations, access permissions are granted outside of approved provisioning processes. An example would be when application or database administrators grant access rights based on direct requests from a user.

Organizations should run periodic certifications asking managers to verify that existing access rights for their subordinates are necessary and appropriate. Unfortunately, busy managers often treat these as "rubber stamp" exercises. They don't take the time to review each entitlement and consider its implications. In many cases, they lack the knowledge and tools to identify policy violations. In other cases, the sheer volume to be reviewed is so overwhelming that reviewers do not thoroughly examine access during the certification review.

An Intelligent IAM solution can address these problems by providing not only the prevention on the front end but also continuous monitoring of identity and access-related data and events throughout the life of the user. Violations can be identified as soon as they occur (see Figure 3-2). Changes made outside approved provisioning processes can be flagged and reviewed. Data can be correlated to pinpoint Segregation of Duties (SoD) violations and other complex policy violations before they can be exploited.

Preventing Policy Violations at the Point of Origin

Even with an advanced account provisioning system, managers and resource owners find it very difficult to identify SoD and other policy violations.

An Intelligent IAM solution can be integrated with a provisioning system to flag potential policy violations at the time an access request is being reviewed. It can also give the reviewing manager or resource owner tools to drill down and look at the recipient's current entitlements and those of his or her peers, to determine if the request is necessary and appropriate. It's far less work to prevent a policy violation at the point of origin than to find it during a large-scale certification (or through a security breach).

In the near future, intelligent IAM solutions may be able to improve provisioning decisions by supplying recommendations based on real-time risk scoring. This would allow decisions to be made based on the risk profile of the enterprise, users, applications, and resources at the time of provisioning.

One example of such "intelligent provisioning" would be to set up three workflows so that


  • Low-risk access requests (as determined by the organization in the IAM solution) are granted automatically without requiring the attention of a manager.
  • Medium-risk requests are sent by the provisioning system to a manager for approval.
  • High-risk requests require approval by a manager and escalation to a higher level executive for final approval.
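The SoD check described under "Closing the Governance Gap" and the three risk-tiered workflows above can be combined into one request-evaluation step that a provisioning system calls before routing. The following is an added example written for this post, not the vendor's code or a real product API: the SoD rules, sensitivity ratings, score weights and the two thresholds (2 and 6) are constructed assumptions, and the "peers" figures stand in for the peer comparison the post says a reviewer should be able to drill into.

```python
# Constructed sample policy (not the vendor's): segregation-of-duties rules
# that no single person may hold together, and a 1-5 sensitivity rating per
# entitlement. Scores, weights and thresholds are illustrative assumptions.
SOD_RULES = [
    ({"vendor_master_edit", "payment_release"}, "create a vendor and pay that vendor"),
    ({"ap_invoice_entry", "ap_invoice_approve"}, "enter and approve invoices"),
]
SENSITIVITY = {
    "ap_report_view": 1, "ap_invoice_entry": 2, "ap_invoice_approve": 3,
    "vendor_master_edit": 3, "payment_release": 4, "domain_admin": 5,
}
AUTO_APPROVE_MAX = 2      # low risk: granted without a manager
MANAGER_MAX = 6           # medium risk: manager approval; above this, executive escalation


def sod_conflicts(current, requested):
    """Descriptions of the SoD rules that would be broken by adding `requested`
    to the entitlements in `current`."""
    combined = set(current) | {requested}
    return [why for toxic, why in SOD_RULES if requested in toxic and toxic <= combined]


def risk_score(requested, current, peers_with, peer_count, privileged=False):
    """Additive risk score: resource sensitivity, SoD conflicts, deviation from
    peers in the same role, and whether the target account is privileged."""
    score = SENSITIVITY.get(requested, 3)                 # unrated resources count as medium
    score += 4 * len(sod_conflicts(current, requested))   # each toxic combination
    peer_fraction = peers_with / peer_count if peer_count else 0.0
    if peer_fraction < 0.25:                              # almost no peer holds it
        score += 2
    if privileged:
        score += 3
    return score


def workflow_for(score):
    """Map a score onto the three workflows described in the post."""
    if score <= AUTO_APPROVE_MAX:
        return "auto_approve"
    if score <= MANAGER_MAX:
        return "manager_approval"
    return "manager_then_executive_approval"


def evaluate_request(user, requested, current, peers_with, peer_count, privileged=False):
    """Decision record a provisioning system could attach to the request so the
    reviewer sees why it was routed and how the recipient compares with peers."""
    score = risk_score(requested, current, peers_with, peer_count, privileged)
    return {
        "user": user,
        "requested": requested,
        "score": score,
        "sod_conflicts": sod_conflicts(current, requested),
        "peer_fraction": peers_with / peer_count if peer_count else 0.0,
        "workflow": workflow_for(score),
    }


if __name__ == "__main__":
    # three constructed requests from members of a four-person accounts-payable role
    print(evaluate_request("alice", "ap_report_view", {"ap_invoice_entry"}, 3, 4))
    print(evaluate_request("bob", "vendor_master_edit", {"ap_invoice_entry"}, 2, 4))
    print(evaluate_request("carol", "ap_invoice_approve", {"ap_invoice_entry"}, 0, 4))
```

The third request shows the point of flagging at the origin: `carol` already enters invoices, so approving invoices would create an SoD violation, and the record says so before any manager clicks approve, rather than leaving it for the next large-scale certification to find.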


With changing policies, regulations, access, and more, it is hard to keep up with the trillions of access relationships that exist within an organization on any given day. With an Intelligent IAM solution, adapting to these changes is considerably more effective and straightforward. By giving managers increased visibility into the tasks, goals, and issues at hand, an Intelligent IAM solution allows for both better efficiency and productivity within the company. By enabling continuous reviews, an intelligent solution guarantees that high-risk situations can be monitored and corrected immediately. It also helps organize audits by providing reports, including filtering and drill-down capabilities, trend information, and data visualization tools. Not only will an Intelligent IAM solution help you pass your audit, but it will put your organization on the path to true compliance.

Want to learn more about how intelligence can impact your organization's approach to compliance? Download our new eBook, Improving IAM with Intelligence, for more information or schedule a demo to see Access Insight 9 at work.

Tags: access compliance, access rights, Access Insight, access risk, compliance

Why Deleting Security Groups Doesn't Have to be Scary

Posted by Ashley Sims - Marketing Manager on Thu, May 12, 2016


A few months ago our very own Chris "Sully" Sullivan, GM- Analytics/Intelligence, delivered a speech to the Gartner Identity and Access Management Summit to a group of IAM ninjas in London. Confession - I love hearing Sully speak. I always learn something and I love seeing the crowd as they learn these things along with me. However, at this event I was actually more surprised than usual at the response that he got when he asked the simple question "how many people here delete security groups?"


You might as well have asked them if they would be willing to donate a kidney to a stranger or had forgotten their cell phone at home that morning. Needless to say, most everyone sort of looked at Sully like he was crazy, which was exactly what he was going for.


The reason, he explained, that no one deletes these groups is because they can't tell what is in them. Can you imagine deleting a group because you thought no one needed it and it turns out that you just shut off your CEO's access to an application that he/she uses daily? Not a good look for the security team.


Sully's point for the presentation was that now, with access intelligence, you no longer need to be afraid of deleting these groups and cleaning up your network because you can finally drill down into these security groups and understand exactly what is at stake. The primary reason companies are loath to delete security groups in Active Directory is because they simply don’t understand the complexity of access such as how access is granted, nested entitlements, and direct versus indirect assignment of access.


All businesses, regardless of industry, are faced with an exploding universe of identities, devices and data that employees require to do their job. The expanded use of mobile and cloud devices, along with non-employee and transitional employee access means that risk management and compliance is extending far beyond traditional enterprise limits. This can equate to trillions of access relationships that put your company at risk. How are you supposed to see into all of these relationships and understand the risks they pose?


With actionable intelligence through Access Insight 9.0 you get a comprehensive and continuous view and analysis of these trillions of relationships between identities, access rights, policies, resources, and activities. Our analytics engine pulls in these large amounts of identity and access data and stores them in its proprietary in-memory access analytics engine. The "engine" correlates relationships that exist between user identities and their fine-grained access within an organization. These analytics identify potential risk in a current and historical perspective in lines of business, governance, operations and applications.


For example, our Access Explorer builds every Active Directory Group out in a spider diagram so that you can see whose access is connected and where your privileged accounts are linked to.
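The reason the group question above is hard is nesting: a group's real membership is the transitive closure of its nested groups, and a user may reach a resource through several chains at once. The following is an added example written for this post, not the vendor's Access Explorer or any real Active Directory query; the directory, group nesting and resource-to-group mapping are constructed sample data. It resolves effective membership, records direct versus indirect assignment, and computes who would actually lose which resource if a given group were deleted.

```python
# Constructed sample directory (not real Active Directory data): each group's
# direct members, where a member may itself be a group (nesting), and which
# groups grant access to which resources.
GROUP_MEMBERS = {
    "Finance-All":        ["Finance-Managers", "Finance-Staff", "contractor01"],
    "Finance-Managers":   ["ceo", "cfo"],
    "Finance-Staff":      ["alice", "bob"],
    "ERP-Users":          ["Finance-All", "dave", "bob"],   # bob is also a direct member here
    "Legacy-Report-Grp":  ["Finance-Staff"],
}
RESOURCE_GROUPS = {
    "erp_app":        ["ERP-Users"],
    "finance_share":  ["Finance-All"],
    "legacy_reports": ["Legacy-Report-Grp"],
}


def effective_members(group, members):
    """Resolve nested membership transitively. Returns user -> list of group
    chains (outermost first); a chain of length 1 is a direct assignment."""
    found = {}
    stack = [(group, [group])]
    while stack:
        current, chain = stack.pop()
        for m in members.get(current, []):
            if m in members:                 # nested group
                if m in chain:               # guard against circular nesting
                    continue
                stack.append((m, chain + [m]))
            else:
                found.setdefault(m, []).append(chain)
    return found


def resource_access(members, resources):
    """resource -> user -> chains that grant it."""
    access = {}
    for resource, groups in resources.items():
        for g in groups:
            for user, chains in effective_members(g, members).items():
                access.setdefault(resource, {}).setdefault(user, []).extend(chains)
    return access


def deletion_impact(group, members, resources):
    """Who would lose which resource if `group` were deleted. Users who keep
    access through another chain are not reported, so the result is the real
    blast radius of the deletion."""
    before = resource_access(members, resources)
    pruned = {g: [m for m in ms if m != group] for g, ms in members.items() if g != group}
    after = resource_access(pruned, resources)
    lost = {}
    for resource, users in before.items():
        for user in users:
            if user not in after.get(resource, {}):
                lost.setdefault(resource, []).append(user)
    return {r: sorted(u) for r, u in lost.items()}


if __name__ == "__main__":
    for g in GROUP_MEMBERS:
        print(f"deleting {g} would remove:", deletion_impact(g, GROUP_MEMBERS, RESOURCE_GROUPS))
```

On this sample, deleting `Finance-Managers` is exactly the CEO scenario from the talk: `ceo` and `cfo` silently lose the ERP application and the finance share, two levels of nesting away from the group being removed. Deleting `Finance-Staff` costs `bob` only two of his three resources, because he is also a direct member of `ERP-Users`; that distinction between direct and indirect assignment is what an administrator needs to see before pressing delete.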


Not only can you drill down into these details, but our analytics can analyze large amounts of identity and access data against policy and company-defined models of activity patterns. This lets you personalize policies for your organization, and with any change in these policies you can be immediately notified of any signal of dishonest or malicious behavior. Imagine having a solution that would automatically alert you and require a micro-certification when an account had access to do more than you believe it should.


It's time to start using all of this collected data to our advantage. It's time to start looking at our access relationships and prioritizing the risks our organization faces. Whether you have an Identity and Access Management solution or are working within your Active Directory, Access Insight can put your data to work for you.


Want to see how this looks within your organization? Request a demo of our Access Insight solution and see how actionable intelligence can help prioritize risk and transform your organization's security.


Tags: access rights, Access Insight, access risk, intelligent IAM, identity and access governance, Identity & access management, intelligent identity and access governance, intelligent identity and access management

Checklist for a Vulnerability and Risk Management Solution

Posted by Felicia Thomas on Thu, Mar 10, 2016

Tags: access rights, access risk, identity and access management, Identity & access management, vulnerability management, vulnerability risk management, vulnerability, Vulnerability and access risk management, VARM

Big Data Volume, Variety and Velocity Drives Need for Intelligence

Posted by Vikram Chellappa - Sales Engineer on Mon, Mar 10, 2014

The 3 V's (Volume, Variety and Velocity) of Big Data have become more relevant in the complex world of Identity and Access Management than ever before. In the midst of dealing with the high volume, variety and velocity of information, organizations not only have to streamline the process of how access is granted and revoked and ensure a high level of productivity, but they also have to reduce risks and maintain high security standards.

Volume: Data seems to be around forever. Many organizations still use data that was created 15 years ago or more. Considering that there is so much information from applications and systems that have been around for a long time, do organizations have all of the information they need? Has the need for new information diminished? The obvious answer to both of these questions is No! In fact it is quite the opposite. The amount of new information has increased exponentially and many if not most organizations have petabytes of information in storage.

Variety: Very few organizations have a single platform, a single source, or a single format for information. Operating systems, directories, databases, applications, and unstructured data sources such as file shares and social media feeds such as LinkedIn, Facebook, and Twitter all form sources and destinations for information. Each system processes information in a variety of formats such as text files, Word documents, presentations, images, videos, or messages.

Velocity: The popularity of mobile devices and the explosion of social media have completely changed the way we obtain and consume information. Information is available to us at our fingertips and organizations are increasingly providing their employees with mobile capabilities. 

All of these elements present a very challenging situation for organizations. It has become increasingly difficult to answer questions such as:

– Who has access to applications and what level of access do they have?

– Do the right people have the right level of access?

– What information is being accessed and who is accessing it?

– What are the riskiest applications?

These are just a few examples of the types of questions that organizations seek answers for. But the factors already discussed in this post have made it extremely difficult, if not impossible, to manually find answers to these questions. Organizations struggle to get a handle on what causes risk and to act upon those risk factors in a timely fashion.

The key is to be able to harness relevant information such as identities, policies, and access rights from any data source, analyze the information obtained, and embed the intelligence gained in provisioning, de-provisioning, and compliance reviews. Information on privileged accounts, abandoned accounts, orphaned accounts, users who have excessive access compared with their job role or their peers, unused entitlements, the riskiest applications, and policy violations are some examples of the information that needs to be analyzed to effectively implement a secure, robust, and intelligent IAM solution.

Tags: privileged, access rights, access, policies, Vikram, identities, big identity data, Identity and access intelligence, entitlements, big data, compliance, identity and access management, data, Chellappa, orphan accounts, accounts

Routine Maintenance Recommended

Posted by Doug Mow on Mon, Aug 12, 2013

The United States Attorney for the District of New Jersey recently announced indictments against five men who executed a carefully calculated hacking scheme that saw more than 160 million U.S. and foreign credit card numbers stolen. The data breach was the largest known to date in the United States. Thank goodness we caught the bad guys, right? Sure, but how could we have caught this before the damage was done?

According to this article, the perpetrators used several ways to avoid detection, including using a web-hosting service that did not track (their) user identities or report (their) user activity to law enforcement officials. And as is the case in many breaches today, the perpetrators changed settings on the target networks so they could disable security mechanisms and used malware to get around the security software in place.

Could a more intelligent IAM solution, which could proactively check users’ identities and their access rights to resources, and which can monitor the activities of users with an eye toward abnormal behavior, have detected these digital henchmen earlier, mitigating the full deleterious effect of this breach?

Like many habits in life, such as regularly changing your oil, the payoff is down the road, in the end result of a car with 100,000 miles. Similarly, the work of ongoing preventative maintenance on your enterprise infrastructure may not be convenient, but it is probably worth it if you want to avoid the corporate equivalent of engine malfunction and expensive repairs – a massive data breach.

Access Insight helps you maintain compliance not just once a year, but every day. And just like the routine preventative maintenance recommended for your car, you might find that good habits all year long reduce the risks that lead to breaches and offer the added benefit of streamlined certifications.

Does your company need to meet PCI compliance regulations? Consider whether the Courion Access Risk Management Suite can help you avoid the IT equivalent of engine failure.

Tags: access rights, access risk management suite, identity management, access risk, data breach, hacker, identity and access governance

The Problem with Privileges

Posted by Marc Lee - Director of EMEA Sales on Mon, Jul 29, 2013

Recent articles have lifted the lid on how Facebook customer support staff had access to any Facebook user and all their messages and data. While Facebook confirmed this has now stopped and internal user access is more restricted, the story shines a strong spotlight on the risks from privileged internal users. Indeed, according to the 2013 Verizon Data Breach Investigations Report, 13 percent of intrusions result from the misuse of information by privileged users.

In large companies with numerous intricate internal structures, it is difficult to monitor which access rights have been modified, granted or terminated, leaving the organisation exposed to security risks.

There are many aspects of an organisation’s infrastructure that can leave sensitive data exposed and vulnerable. Onboarding a new customer or employee, promoting a staff member, terminating a contractor, merging companies or departments, or delivering a new product, all require access to sensitive and potentially confidential information.

Organisations need to employ effective access risk management strategies to enable user access provisions to be easily modified in accordance with internal changes. What's needed is real time access intelligence that enables an organisation to monitor how sensitive data is being accessed and used, so that the business is able to identify where the greatest vulnerabilities lie.

By analysing user access rights and the associated risk on a continuous basis, organisations like Facebook can identify suspicious behaviour patterns to expose threats to user privacy. Instead of periodic reviews once a quarter or every twelve months, organisations need to keep pace with the actual frequency of internal changes. This will ensure compliance with regulatory standards and complete transparency into access privileges. This, together with an automated enforcement of data governance policies, could significantly mitigate the risk of data misuse.

Real-time monitoring and assessment of risk and automated access provisioning and access certification provide organisations with the tools to mitigate access risk more effectively. What’s more, as soon as the system detects inappropriate access or unauthorised user behaviour, these IAM tools allow IT and business managers to easily modify or delete user entitlements that pose security risk.

All the above becomes a supreme case for real time access risk analytics. This approach will enable organisations like Facebook to pinpoint where the greatest access risk lies and equip them with the right tools to mitigate those risks to prevent damage.

Tags: access rights, access governance, privacy, privileges

Why the Names Snowden and Manning Should Resonate with IT Security

Posted by John Verner on Mon, Jul 15, 2013

The case of Edward Snowden illuminates a lot of different questions. None more pressing than "Why would someone set out to do that?" It makes us really dwell on what people are capable of and what their intentions could be. The point being, who knows who each one of us really is? No one can be sure. That's why it's vital for us to not let our guard down.

Edward Snowden stole files from the NSA for what some believe are good intentions while others believe are harmful to our national security and defense programs. He was able to point out blatant flaws in the NSA's internal IT security as well. It's not only eye opening but it should wake every organization out there up to the perils of people. How was a contractor, employed by Booz Allen Hamilton to work with the NSA, allowed unlimited access to sensitive NSA information in the short months he was there in the first place? It's a question that should have been answered before it even happened.

If Snowden has documented proof about NSA domestic surveillance, then we must assume he was doing inappropriate things with legally provided access by stealing files to use as proof. How did he get that access? Who gave it to him? Was the access appropriate for his role? Could that data theft have been prevented if the NSA had its surveillance program tuned to look at the insider threat? Most likely, yes.

Another perfect example of this type of behavior is the case of Bradley Manning, the US Army Private First Class soldier who provided Wikileaks with stolen classified material. Manning had access to databases that the US Government uses to transmit classified information. He downloaded material such as war logs and videos of actual airstrikes and shared them with Wikileaks. Why did an unhappy Army Private have access to this privileged information in the first place? If the Army had the appropriate tools in place, they might have been able to prevent this from happening by seeing the behavior of Bradley Manning and questioning whether he had the appropriate access for his role.

IT Security isn't just about protecting information from being stolen by outside entities any longer. It's about protecting the environment overall from harm from both the outside, and more importantly, from the inside. The threat is real and potentially much more harmful from those who have the entitlements to gain access to private information and do harm with it, much like what Edward Snowden did at the NSA. He had all the proper entitlements to get to the information but the question becomes, could someone have stopped that information from being obtained and used for negligent purposes? Maybe, with the right controls in place, they might have.

According to the Verizon Data Breach Investigations Report, over 76% of breaches were caused by inappropriate access in 2012. That's an overwhelming statistic that highlights why more emphasis should be put on protecting access internally. Putting simple controls around access will help ensure that the right people have the right access to the right information and give a clear vision of what is going on with access that has been granted. If these measures were in place at the NSA, there is a good chance they would have been able to see exactly what Edward Snowden was doing before it became a PR nightmare as well as an "egg on our face" situation for the NSA.

There are many tools out there that can be used to prevent such things from happening, specifically IAM tools that not only help give you better control over your access but also give you a much clearer picture of the risk elements in your environment. Predictive analytics are going to become a part of everyday life in the very near future, especially in IT, whether that means analyzing your infrastructure for outside threats, performance issues, or data loss prevention, or monitoring user access to assure people are behaving appropriately within the bounds of their entitlements.

There is a shift going on right now towards needing to see and understand data in real time. For example, being able to pinpoint inappropriate downloading of information at 3 AM from an employee account that doesn't typically download files or work at those hours is becoming more relevant than ever. Likewise, seeing elevated access can prompt you to inspect your access more closely.
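The 3 AM download case above is a behavioral baseline check: learn each account's usual hours and download habits from a history window, then flag new activity that departs from them. The following is an added example written for this post, not code from the original article or any product; the audit lines are constructed, and the log format, the ±1 hour tolerance and the 10x volume factor are assumptions a detection engineer would replace with their own.

```python
# Constructed sample audit lines (not real logs). The first set is the
# baseline window used to learn each account's habits; the second set is the
# new activity being checked. Format: "<ISO timestamp> key=value ...".
BASELINE_LINES = [
    "2016-06-01T09:05:00 user=jdoe action=login",
    "2016-06-01T09:30:00 user=jdoe action=view file=q2_forecast.xlsx",
    "2016-06-02T10:12:00 user=jdoe action=login",
    "2016-06-02T14:40:00 user=jdoe action=view file=budget.docx",
    "2016-06-03T11:00:00 user=jdoe action=download file=handbook.pdf bytes=2048000",
    "2016-06-01T08:50:00 user=asmith action=login",
    "2016-06-01T22:10:00 user=asmith action=download file=backup.zip bytes=50000000",
    "2016-06-02T23:05:00 user=asmith action=download file=backup.zip bytes=51000000",
]
NEW_LINES = [
    "2016-07-10T03:12:44 user=jdoe action=download file=customer_db_export.csv bytes=900000000",
    "2016-07-10T22:30:00 user=asmith action=download file=backup.zip bytes=52000000",
    "2016-07-11T10:15:00 user=jdoe action=view file=budget.docx",
    "2016-07-11T04:00:00 user=unknown1 action=download file=notes.txt bytes=10",
]


def parse(line):
    """Split one audit line into a dict; hour and bytes become integers."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = ts
    ev["hour"] = int(ts[11:13])
    ev["bytes"] = int(ev.get("bytes", 0))
    return ev


def build_baseline(lines):
    """Per user: the hours they were active, how often they downloaded, and
    the largest download seen in the history window."""
    base = {}
    for ev in map(parse, lines):
        b = base.setdefault(ev["user"], {"hours": set(), "downloads": 0, "max_download": 0})
        b["hours"].add(ev["hour"])
        if ev["action"] == "download":
            b["downloads"] += 1
            b["max_download"] = max(b["max_download"], ev["bytes"])
    return base


def flag_anomalies(baseline, lines, volume_factor=10):
    """Return (timestamp, user, action, reasons) for each event that departs
    from the account's baseline. Accounts with no history are flagged too,
    since they cannot be judged normal."""
    alerts = []
    for ev in map(parse, lines):
        b = baseline.get(ev["user"])
        reasons = []
        if b is None:
            reasons.append("no-baseline")
        else:
            # tolerate one hour either side of every hour seen in the history
            usual = {(h + d) % 24 for h in b["hours"] for d in (-1, 0, 1)}
            if ev["hour"] not in usual:
                reasons.append("off-hours")
            if ev["action"] == "download":
                if b["downloads"] == 0:
                    reasons.append("never-downloads")
                elif ev["bytes"] > volume_factor * b["max_download"]:
                    reasons.append("volume")
        if reasons:
            alerts.append((ev["ts"], ev["user"], ev["action"], reasons))
    return alerts


def run_demo():
    return flag_anomalies(build_baseline(BASELINE_LINES), NEW_LINES)


if __name__ == "__main__":
    for ts, user, action, reasons in run_demo():
        print(f"{ts} {user} {action}: {', '.join(reasons)}")
```

Note what does not fire: `asmith` downloads a backup of similar size at 22:30, which looks alarming on its own but matches that account's history, so the baseline keeps the alert queue to the two events that genuinely deviate. The reasons list is what a reviewer needs to decide between a micro-certification and an immediate disable.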

The point is, the threat from the inside is very real. This could happen anywhere, to any organization. Does your company have the right tools in place to assure your stakeholders and investors that their investments are protected? Is your customers' private information safe? Are you doing everything you can to make sure your IP is protected from breaches? Are your employees doing what they should be with their entitled access? These are all questions we should be asking and continually thinking about.

Tags: access rights, Verner, access, entitlements, security, IT, predictive analytics, controls