swipe to navigate

Entitlements and credentials relate to risk

Identity and access management systems create, update and delete three kinds of things:

  1. Identities - records of people and nonhuman personas.
  2. Entitlements - which grant identities access rights.
  3. Credentials - used by identities to sign into systems -- such as passwords, tokens or certificates.

In practice, it is the latter two that matter:

  1. How reliably are users authenticated, before they are granted access to sensitive data or functions?
  2. Is there a close link between what users can access on systems and applications and their real-world, business responsibilities?

In other words, identities are managed just so that there will be something on which to pin credentials and entitlements. The objective is to maximize the security expressed in authentication and authorization decisions, while minimizing time and cost spent managing the underlying identities, entitlements and credentials.

It's not enough to examine existing identities, to find users who have entitlements that are not appropriate to their business needs:

  1. New entitlements should be assigned so that they are consistent business needs.
  2. Entitlements should be revoked in response to business changes, such as terminations or transfers.
  3. When analytics find inappropriate entitlements, they should be deactivated as quickly as possible.

These are active processes, not just static analysis.

Types of controls

If the objective is to reduce the number of inappropriate access rights -- entitlements -- held by users, then the controls are the means of doing that. The main types of controls are as follows:

Control Description
Automatic access deactivation

  • Automatically deactivate all access when users leave an organization.
  • Trigger from SoR where possible -- for example, employees.
  • Trigger by request where there is no SoR, or where it is late or unreliable.
Segregation of duties (SoD)

  • Define a set of entitlements that should not be assigned at the same time to any one user.
  • Prevent users from acquiring new entitlements that would violate the policy.
  • Find users who already have rights that violate policy and remediate their access rights.
Approval for access

  • Pass all access requests through a workflow system.
  • Require approval by business stake-holders for any requests that represent material risk.
  • Invite managers, policy owners or data owners to approve access.
  • Effective for ensuring new rights are business-appropriate.
Access certification

  • Periodically ask stake-holders to review users and their entitlements.
  • Items are either certified (i.e., marked as acceptable) or marked for revocation.
  • Invite managers, policy owners and application/data owners to perform reviews.
  • Effective for finding inappropriate rights among existing entitlements.
Orphan, dormant accounts and profiles

  • Find orphan accounts -- not associated with an owner.
  • Find orphan user profiles -- which have no accounts.
  • Find dormant accounts -- with no recent login activity.
  • Find dormant user profiles -- which contain only dormant accounts.
  • Automatically disable and/or highlight for manual review.
Risk scores

  • Assign business risk scores to entitlements, number of subordinates, frequency of transfers or other signals.
  • Aggregate scores to identify high risk users.
  • Adjust approval, certification processes when high risk users are involved.
Password security

  • Ensure that users change their passwords regularly, choose hard-to-guess (but memorable) passwords and do not reuse their passwords.
Authentication prior to IT support

  • Reliably authenticate users prior to assisting them with login problems, such as forgotten passwords or clearing lockouts.
  • Combine multiple factors, such as sending a PIN to the user's phone and answering security questions.
Randomize and vault passwords

  • Periodically change passwords to service accounts, app-to-app accounts and administrator accounts.
  • Set passwords to random strings and store in a secure vault, where access can be controlled.
Control access to elevated privileges

  • Authenticate and authorize access to shared, privileged accounts or group memberships.
  • Grant access for short time windows only.
  • Pre-authorize frequent users and approve single-use requests otherwise.
Audit elevated access

  • Log requests and session initiation when elevated privileges are used.
  • Record login sessions (video, key-logging, etc.) where required.
Multi-factor authentication

  • Replace just-passwords or just-security-questions with multiple factors, including tokens or PINs sent to smart phones.
  • Leverage federation to extend strong authentication to applications, especially SaaS.


Comment via LinkedIn