I have worked in the identity and access governance (IAG) field for a while now. And while every customer is different and has different drivers in an absolute sense, just about all of the IAG projects I have had the privilege to work on can be broadly classified into one of three phases. This is not a terribly complex taxonomy, but it is useful for a quick analysis.
The first phase is the “stop-the-bleeding” phase. In this phase, the goal is automating common IT tasks in a consistent, repeatable, manageable way. Account and entitlement creation and removal are automated. Some governance processes are established, usually close to the entitlements. This phase is a necessary step toward business governance, but it does not really get there yet. The benefit here accrues mostly to IT, not directly to the business. In my experience, this is where about 70% of IAG projects effectively end.
The second phase is the “mapping IT to the business” phase. This is where we try to give the business some insight into the IT systems that support them, so that they can start to make business decisions about access and delegation. Historically we have spent a lot of time on role management here. I would estimate that this is where about 20% of the IAG projects I have been involved with end up.
The final phase is the risk analysis and mitigation phase. Projects that reach this phase can quickly illustrate how a change in access will result in a change in business risk. This phase provides the most business value, and the value produced mostly accrues to the business. It is the nirvana of the IAG world. It is also really, really hard to get to, which is why I would say that only 10% of IAG projects ever get here.
There are many reasons why it is hard to get to the risk analysis and mitigation phase. The interactions among permissions in target systems are subtle, and understanding precisely how particular permissions combine requires a deep skill set. The people who have that knowledge about how a system works are generally pretty close to the metal. They are focused on the tactical challenges of running the system, and generally removed from the strategic risk reduction concerns.
What would be really great is if we could take the ultimate business benefit (risk identification and reduction) and front load it to the start of our IAG projects. And that is exactly what we have built Starling Identity Analytics & Risk Intelligence to do.
Starling Identity Analytics & Risk Intelligence is a cloud-based offering designed to be simple to install (three clicks or so) and to quickly provide actionable intelligence about the risks associated with the entitlements in a target system. These risks are often subtle and nuanced. For example, here is a quick pop quiz: which of these two users has the riskier entitlement profile? User A has permission to delete objects within Active Directory container “foo”. User B has the “delete” permission on all of the objects in the container “foo”. Wait…isn’t that the same thing? Or is it? What about child containers? What if the objects move? It’s these subtleties that make managing entitlements challenging.
Because Starling Identity Analytics & Risk Intelligence lives in the cloud, we are able to draw on the deep expertise of specialists in the permission models of various systems to spot traps like the one above that expose your environment to hidden risk. We can build in rules about a vendor’s best practices and highlight subtle configuration decisions. We can highlight and reduce risk starting on day one.
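To make the pop quiz concrete, here is an added PowerShell example. It is not from the original post and it is not part of Starling; it simply reads the ACL of an Active Directory container and reports every ACE that can lead to a delete, separating the two shapes in the quiz: a “Delete Child” right granted on the container itself (User A), which covers the container’s direct children and nothing deeper, and a “Delete” right that flows down by inheritance to the objects inside (User B), which each descendant then carries as an inherited ACE that Active Directory recomputes, and drops, when the object is moved out of “foo”. A second function checks one object for exactly that last point: whether its Delete ACE is inherited or explicit. The ActiveDirectory module is assumed, and the OU distinguished name and principal names are placeholders.

```powershell
# Added example: who can delete what under an AD container, and why the two
# "delete" grants in the quiz differ. Not from the original post, not Starling code.
# Assumes the ActiveDirectory module (it provides the AD: drive); the OU DN and
# principal names used below are placeholders for your own values.
Import-Module ActiveDirectory

$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-DeleteGrants {
    param(
        [Parameter(Mandatory)] [string] $ContainerDn,   # e.g. 'OU=foo,DC=example,DC=com' (placeholder)
        [string] $Principal                             # optional filter, e.g. 'EXAMPLE\usera' (placeholder)
    )
    $acl = Get-Acl -Path "AD:\$ContainerDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principal -and $ace.IdentityReference.Value -ne $Principal) { continue }

        $r = [int]$ace.ActiveDirectoryRights
        $deleteChild = ($r -band [int]$R::DeleteChild) -ne 0   # delete objects *under* the target
        $delete      = ($r -band [int]$R::Delete)      -ne 0   # delete the target object itself
        $deleteTree  = ($r -band [int]$R::DeleteTree)  -ne 0   # delete the target and its whole subtree
        if (-not ($deleteChild -or $delete -or $deleteTree)) { continue }

        # InheritanceType says where the ACE takes effect:
        #   None            -> this container only
        #   Children        -> direct children only, not the container
        #   SelfAndChildren -> this container and its direct children
        #   Descendents     -> everything below, not the container itself
        #   All             -> the container and everything below
        $scope     = $ace.InheritanceType
        $flowsDown = $scope -ne 'None'

        # A DeleteChild ACE can be limited to one object class via ObjectType;
        # an empty GUID means any class of child object.
        $classLimited = $ace.ObjectType -ne [guid]::Empty

        $shape = if ($deleteTree) {
            'DeleteTree: container and its whole subtree in one operation'
        } elseif ($deleteChild -and -not $flowsDown) {
            'User A shape: DeleteChild on the container; direct children only, grandchildren need their own grant'
        } elseif ($deleteChild) {
            'DeleteChild also applied to sub-containers (depth given by Scope)'
        } elseif ($delete -and $flowsDown) {
            'User B shape: descendants carry an inherited Delete; moving one out of the container drops that ACE'
        } else {
            'Delete on the container object itself'
        }

        [pscustomobject]@{
            Principal    = $ace.IdentityReference.Value
            Rights       = $ace.ActiveDirectoryRights
            Scope        = $scope
            ClassLimited = $classLimited
            Inherited    = $ace.IsInherited   # this ACE itself came from a parent of the container
            Shape        = $shape
        }
    }
}

function Test-DeleteTravelsWithObject {
    # For one object under the container: is its Delete right explicit on the
    # object (it moves with the object) or inherited from a parent (AD recomputes
    # inherited ACEs on a move, so it is lost once the object leaves the container)?
    param(
        [Parameter(Mandatory)] [string] $ObjectDn,      # e.g. 'CN=someuser,OU=foo,DC=example,DC=com' (placeholder)
        [string] $Principal
    )
    $acl = Get-Acl -Path "AD:\$ObjectDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principal -and $ace.IdentityReference.Value -ne $Principal) { continue }
        $hasDelete = (([int]$ace.ActiveDirectoryRights) -band [int]$R::Delete) -ne 0
        # Inherit-only scopes (Children, Descendents) do not apply to the object itself.
        $appliesHere = $ace.InheritanceType -in 'None', 'All', 'SelfAndChildren'
        if ($hasDelete -and $appliesHere) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Source    = if ($ace.IsInherited) { 'inherited: lost when the object leaves this container' }
                            else                  { 'explicit: travels with the object' }
            }
        }
    }
}

# Usage with placeholder names:
Get-DeleteGrants -ContainerDn 'OU=foo,DC=example,DC=com' | Format-Table -AutoSize
Test-DeleteTravelsWithObject -ObjectDn 'CN=someuser,OU=foo,DC=example,DC=com' -Principal 'EXAMPLE\userb'
```

Read the Scope and Inherited columns together with Shape: a DeleteChild ACE with scope None on “foo” does nothing for objects inside a child OU of “foo”, while an inheritable Delete ACE with scope Descendents reaches every level but vanishes from any object that is moved elsewhere. Note that GenericAll includes both Delete and DeleteChild bits, so the bitwise checks above report it as well.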
Starling Identity Analytics & Risk Intelligence also allows customers to detect changes in the systems that they manage. Suppose a user gets a new, high-risk entitlement. Was that accidental? Intentional? Malicious? Starling Identity Analytics & Risk Intelligence can immediately flag the entitlement for administrator review.
Finally, since Starling Identity Analytics & Risk Intelligence lives in the cloud, we can add new platforms and new risk rules continuously. The solution continues to be extended and refined, and customers reap that benefit on a weekly, not annual, basis.
Please join my webinar with Randy Franklin Smith on Tuesday, September 19th to learn more.