Hitachi ID Identity Manager can be used to model access risk. A number of variables are assigned risk scores and added up to compute a risk score for each user profile:
- Entitlements that a user might have.
- Consistency of a user's entitlements with peers (i.e., assign higher risk to entitlements that a user's peers do not share).
- Each type of policy violation (SoD, etc.).
- Time elapsed since the user's profile was last reviewed (certification).
- Certain attribute values, such as department or location.
- Number of subordinates.
A user's risk score is represented as a profile attribute. This attribute is recomputed (a) during the auto-discovery process, for all users and (b) whenever a request impacting a given user is completed.
Ranges of risk scores are grouped into bands, also stored in a profile attribute. These risk bands are used to compute user membership in user classes, which can in turn drive other identity and access management (IAM) processes.
Since risk scores and risk bands are represented as profile attributes, they can feed into other processes. For example, one can run a report to enumerate all users with a risk score above some threshold, certify all users in a given risk band, or require additional approval for requests for users in a high risk band.
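The additive model described above, written out as an added illustration (this is not Hitachi ID's code, and the weights, band thresholds, user names, entitlement names and dates are constructed for the example). It computes a per-user score from weighted entitlements, entitlements not shared with peers, policy violations, time since the last certification, flagged attribute values and subordinate count, stores the score and band back on the profile as attributes, and shows how a band can gate an approval decision:

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed weights for the example; a real deployment tunes these per policy.
ENTITLEMENT_RISK = {"domain-admin": 40, "payroll-approver": 25, "finance-ledger": 15, "email": 1}
VIOLATION_RISK = {"SoD": 30, "orphan-account": 10}
ATTRIBUTE_RISK = {("department", "treasury"): 10, ("location", "contractor-site"): 5}
PEER_OUTLIER_RISK = 10          # per entitlement that no peer holds
REVIEW_RISK_PER_30_DAYS = 2     # added for each 30 days since last certification
UNCERTIFIED_DAYS = 365          # treat a never-reviewed profile as a year stale
SUBORDINATE_RISK_PER_10 = 3     # managers of large teams carry more risk
# Lower bound of each band, ascending; a score maps to the highest bound it reaches.
BANDS: List[Tuple[int, str]] = [(0, "low"), (40, "medium"), (80, "high")]


@dataclass
class Profile:
    user_id: str
    entitlements: Set[str]
    attributes: Dict[str, object] = field(default_factory=dict)
    violations: List[str] = field(default_factory=list)
    last_certified: Optional[date] = None
    subordinates: int = 0


def peer_outliers(profile: Profile, peers: List[Profile]) -> Set[str]:
    """Entitlements the user holds that none of the peers hold."""
    shared: Set[str] = set().union(*(p.entitlements for p in peers)) if peers else set()
    return profile.entitlements - shared


def risk_score(profile: Profile, peers: List[Profile], today: date) -> int:
    """Sum the weighted risk contributions listed in the model."""
    score = sum(ENTITLEMENT_RISK.get(e, 0) for e in profile.entitlements)
    score += PEER_OUTLIER_RISK * len(peer_outliers(profile, peers))
    score += sum(VIOLATION_RISK.get(v, 0) for v in profile.violations)
    days_since_review = (
        (today - profile.last_certified).days if profile.last_certified else UNCERTIFIED_DAYS
    )
    score += REVIEW_RISK_PER_30_DAYS * (days_since_review // 30)
    score += sum(ATTRIBUTE_RISK.get((k, v), 0) for k, v in profile.attributes.items())
    score += SUBORDINATE_RISK_PER_10 * (profile.subordinates // 10)
    return score


def risk_band(score: int) -> str:
    """Map a score to the band whose lower bound it reaches."""
    band = BANDS[0][1]
    for lower_bound, name in BANDS:
        if score >= lower_bound:
            band = name
    return band


def recompute(profile: Profile, peers: List[Profile], today: date) -> Tuple[int, str]:
    """Recompute score and band and store both as profile attributes."""
    score = risk_score(profile, peers, today)
    band = risk_band(score)
    profile.attributes["risk_score"] = score
    profile.attributes["risk_band"] = band
    return score, band


def requires_extra_approval(profile: Profile) -> bool:
    """Example downstream use: requests for high-band users need another approver."""
    return profile.attributes.get("risk_band") == "high"


# Constructed sample profiles: alice holds an entitlement her peers lack and an SoD violation.
TODAY = date(2024, 6, 1)
BOB = Profile("bob", {"email", "finance-ledger"}, {"department": "finance"}, [], date(2024, 5, 1))
CAROL = Profile("carol", {"email", "finance-ledger"}, {"department": "finance"}, [], date(2024, 4, 1))
ALICE = Profile(
    "alice",
    {"email", "finance-ledger", "payroll-approver"},
    {"department": "finance", "location": "hq"},
    ["SoD"],
    date(2023, 12, 1),
    subordinates=12,
)

if __name__ == "__main__":
    for user, peers in ((ALICE, [BOB, CAROL]), (BOB, [ALICE, CAROL])):
        score, band = recompute(user, peers, TODAY)
        print(f"{user.user_id}: score={score} band={band} extra_approval={requires_extra_approval(user)}")
```

Peer consistency is computed against the peer group passed in, so the caller decides what "peers" means (same manager, same department, same role); the score recomputation is triggered from wherever the product re-evaluates profiles, which the text states happens during auto-discovery and after any request affecting the user completes.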