How to be compliant with Intelligent IAM

Posted by Steve Morin -Director, Product Management on Thu, May 19, 2016

A great deal of time and effort can be saved during management reviews and audits by using an Intelligent IAM solution to provide reports, including filtering and drill-down capabilities, trend information, and data visualization tools. These not only give managers a high-level view of progress toward goals (such as eliminating orphaned accounts and policy violations), but also they can show auditors that efforts have been made  to address  high-risk  issues, such  as monitoring access to the most sensitive data stores and controlling the entitlements  given  to privileged users. Here are a few other ways that using an Intelligent IAM solution can impact your goal of true compliance:

Continuous Improvement of Provisioning and Governance

Most users of Intelligent IAM solutions focus on the immediate benefits provided by continuous monitoring, rapid response to immediate threats, and tools to analyze risks, patterns, and trends.  But organizations shouldn't overlook the importance of strengthening their investment in existing IAM systems.increase_efficiencies_small.png

Intelligent IAM can support the continuous improvement of account provisioning, governance, and other IAM processes. By providing visibility to key areas of access risk, organizations can immediately respond and take action by either doing a microcertification to fully inspect suspect access or take a deprovisioning action against a known violation. While having a fixed schedule for access reviews is important to ensure compliance, enabling continuous reviews as and when risks become visible ensures best practice governance that continuously improves and enables a more efficient provisioning and compliance process.

Reducing over-provisioning and under-provisioning

Over-provisioning and under-provisioning are occupational hazards for everyone who defines and manages roles. Over­ provisioning creates security vulnerabilities by granting unnecessary entitlements to a role. Often this comes about when a single individual with unique needs requests new access levels or entitlements that are then assigned to the role rather than to the individual, and the entitlements are mistakenly given to everyone in that role. This potenreduce_cost_small.pngtially leads to everyone in the role being over-provisioned creating an access risk and circumvents a Least Privilege Model, which should be a best practice.

Under-provisioning occurs when an entitlement that’s genuinely needed for a role isn't assigned, forcing all or most people in the role to request that entitlement on an exception basis. This is a drag on the productivity of the employees and of the managers and resource owners who must repetitively review and approve their ad-hoc requests.

Intelligent IAM helps people who define and manage roles reduce over-provisioning and under-provisioning. With a few clicks, they can determine the following:

  • Which entitlements are rarely or never used by current members of a role, so those entitlements can be removed from the role
  • Which entitlements are frequently or always requested by members in a role , so those entitlement s can be added to  the role
  • Which individuals have excessive entitlements compared with others in the role, so the behavior of those individuals can be examined and the individuals can be assigned to more appropriate roles

Activity related information, such as last login and last transactions executed, also provides insight into whether rights are really needed. For example, if a resource hasn't been accessed for three months, there's a strong chance it's not required for that individual or others in the same role.

Closing the Governance Gap with Continuous Monitoring

Organizations have blind spots when it comes to violations of security and privacy rules. Account provisioning systems provide users with appropriate access to corporate resources when they join a company or change roles. However, changes and exceptions to rules and roles over time introduce excessive rights for individuals, leading to policy violations and access-related vulnerabilities. In many organizations, access permissions are gracompliance_governance_small.pngnted outside of approved provisioning processes. An example would be when application or database administrators grant access rights based on direct requests from a user.

Organizations should run periodic certifications asking managers to verify that existing access rights for their subordinates are necessary and appropriate. Unfortunately, busy managers often treat these as "rubber stamp" exercises. They don’t take the time to review each entitlement and consider its implications. In many cases, they lack the knowledge and tools to identify policy violations. In other cases, the sheer volume that needs to be reviewed is so overwhelming, reviewers are not thoroughly reviewing access during the certification review.

An Intelligent IAM solution can address these problems by providing not only the prevention on the front end but also continuous monitoring of identity and access-related data and events throughout the life of the user. Violations can be identified as soon as they occur (see Figure 3-2). Changes made outside approved provisioning processes can be flagged and reviewed. Data can be correlated to pinpoint Segregation of Duties (SoD) violations and other complex policy violations before they can be exploited.

Preventing Policreduce_threat_surface_small.pngy Violations at the Point of Origin

Even with an advanced account provisioning system, managers and resource owners find it very difficult to identify SoD and other policy violations.

An Intelligent IAM solution can be integrated with a provisioning system to flag potential policy violations at the time an access request is being reviewed. It can also give the reviewing manager or resource owner tools to drill down and look at the recipient's current entitlements and those of his or her peers, to determine if the request is necessary and appropriate. It's far less work to prevent a policy violation at the point of origin than to find it during a large-scale certification (or through a security breach).

In the near future, intelligent IAM solutions may be able to improve provisioning decisions by supplying recommendations based on real-time risk scoring. This would allow decisions to be made based on the risk profile of the enterprise, users, applications, and resource at the time of provisioning.

One example of such "intelligent provisioning" would be to set up three workflows so that


  • Low-risk access requests (as determined by the organization in the IAM solution) are granted automatically without requiring the attention of a manager.
  • Medium-risk requests are sent by the provisioning system to a manager for approval.
  • High-risk requests require approval by a manager and escalation to a higher level executive for final approval.


With changing policies, regulations, access, and more, it is hard to keep up with the trillions of relationships that happen within an organization on any given day.  With an Intelligent IAM solution, adapting to these advancements is considerably more effective and straightforward. By allowing managers to have increased visibility of the tasks, goals, and issues at hand, an Intelligent IAM Solution allows for both better efficiency and productivity within the company. By enabling continuous reviews, an intelligent solution guarantees that high-risk situations can be monitored and corrected using immediate precautions. This solution helps reassure that all audits are successfully organized by providing reports, including filtering and drill-down capabilities, trend information, and data visualization tools. Not only will an Intelligent IAM solution help you pass your audit but it will put your organization on the path to true compliance.

Want to learn more about how intelligence can impact your organizations approach to compliance? Download our new eBook Improving IAM with Intelligence for more information or schedule a demo to see Access Insight 9 at work. 

Topics: access compliance, access rights, Access Insight, access risk, compliance