Permission Path Analysis based on Access Intelligence

Many organisations have a heterogeneous system landscape which uses a number of different access right concepts. The goal of all these concepts is to provide users with those access rights on resources they need to fulfil their work. Because of the high number of users and resources to protect in large organisations, the administration of these access rights can be quite complex and time consuming. This is where access intelligence comes into play.

The current Identity and Access Management (IAM) landscape mainly consists of classic Identity Management (IdM) and business-oriented Access Governance. IdM focuses more on providing a single point of administration and provisioning users with the needed access rights. In contrast, Access Governance concentrates on integrating business departments in the assignment and controlling of access rights in the organisation. It therefore provides functions like access request and approval workflows and access certification processes. In addition, the demand to analyse access right structures to cover compliance requirements increases. We therefore use a business intelligence (BI) based approach to complement the current IAM landscape with comprehensive and powerful analysis capabilities.

We see the following additional benefits in providing an Access Intelligence system:

  • Using a BI system allows us to convert the access data into a format which allows flexible and fast analytics.
  • We can fulfil the demand of many organisations to separate their operative access control systems and the analytics system.

Using the well-known capabilities of a BI system, new analyses are provided. One example is the permission path analysis. It divides complex access structures into single paths and thereby lays the foundation for effective access right analyses.

Depending on the particular system, a number of different techniques use diverse security objects like roles, user groups, authorisation profiles and resource groups.

“The rationale behind these security objects is always encapsulation!”

Instead of assigning single access rights some kind of grouping is used allowing easier administration. The drawback is a higher complexity of access right structures due to the higher number of object types and the multitude of connections.

For the analysis of the resulting access right structures, new questions arise which can be answered using our Access Intelligence system. Besides the basic question “Who has which access right on what resource?” the widely ramified structure leads to “How (i.e. via which security objects) did a user get his access rights?”. In our Access Intelligence system we have developed a method which divides the complete access right structure into single paths as a base for powerful analysis capabilities. The above question can thus be concretised as “Via which access right paths does a user get his access rights?” This approach allows a multitude of novel analyses which we cover under the term “permission path analysis”.

Access Intelligence

Governance in access management, also called “Identity and Access Governance” (IAG), means that the business departments take on more responsibility for safeguarding resources and restricting activities. In consequence, the assignment of access rights must be controlled more tightly, and existing rights must be confirmed (recertified) at regular intervals. One of the main challenges of Access Governance is presented by the need to handle huge quantities of data and their extremely complex structures. A solution is achieved by aggregating and visualising these data in a business understandable form.

Established procedures and methods in Business Intelligence (BI) have become the cornerstone for achieving this. The use of BI methods to prepare authorisation structures leads the way to Access Intelligence. The basic, mature principles that make business intelligence successful for business decisions can be applied in Identity and Access Management to achieve real transparency of activities involving access in the enterprise. As a result, well-proven methods are finding their way into new areas of application.

“Access Intelligence provides powerful and comprehensive analysis features.”

These include access rights reports and activities like:

  • Ready-to-use and pre-configured standard reports which will be distributed either via scheduler/email notification or on demand. Moreover, the on-demand reports can also be adapted manually by filtering, sorting and sizing.
  • Ad-hoc reports: self-service Business Intelligence that allows the easy, efficient creation of individual reports according to specific needs, based on a business understandable data model.

Permission Path Analysis

The major part of access right assignments normally occurs using additional security objects like roles and groups. Roles are mostly used as organisation-wide objects and often reflect business responsibilities. Groups are mostly used in specific access control systems like Windows Active Directory or IBM RACF. In addition, role and group concepts often use (separate) hierarchies. In terms of the permission path analysis, role and group models build separate collections of paths. The overall path of an authorisation (e.g. the assignment of a resource to a user via roles and groups) results in the addition of all single paths.

The concept of permission paths allows novel analyses like redundancy analysis or path length analysis.

Redundancy Analysis

The redundancy analysis examines redundant paths in access right structures. Redundant paths are multiple access right assignments which occur when security objects with overlapping assignments are connected. Overlaps can also occur when assigning roles to users. The assessment whether specific redundancies are intended or not is dependent on the access right models of an organisation. Our Access Intelligence system provides comprehensive reports to analyse path structures so that unwanted redundancies can be detected.

Path Length Analysis

The path length analysis examines the length of paths in access right structures. The path length is defined as the number of security objects between two end points of a connection, e.g. a user and a resource. Organisations often have comparable average path lengths due to the implemented access right models. For example, a typical role model has two or three hierarchy levels. There may also be specific policies like “critical resources should always be directly connected”. Deviations of path lengths from the average can imply security risks and are therefore highlighted in the Access Intelligence system.

You can check whether assignments of critical resources comply with the company policy “Critical resources have to be directly connected to users”. A connection that does not comply with this policy is highlighted. Such a finding should possibly lead to a correction of the access right structure for this resource.

Using the path length analysis in our Access Intelligence system allows easy checking of specific organisational policies and detecting flaws in the access right structures. Consequent use of these analyses and adaptation of the concerned assignments lead to a higher quality of the access model.


Example Use Cases

Role Modelling

Every security object (e.g. a role) which encapsulates a number of access rights should have clear and understandable semantics. The usage and control of the access control model is then much simpler and less error-prone for administrators, auditors etc. One criterion for clear semantics is the strict separation of functions between roles. This can be achieved by minimising redundancy between roles.

Direct Control of Critical Resources

Every organisation has access rights with high risks assigned to its users (e.g. rights which allow paying high sums of money). Controlling these critical authorisations is one of the most important aspects of access governance. Access Intelligence supports organisations in this task in two ways:

  • Access rights with high risks are highlighted to allow risk scoring, resulting in a corresponding user risk analysis report.
  • Policies can be checked. As mentioned earlier, one policy could be that critical resources should always be directly assigned. This policy can easily be verified using the path length analysis.

Depth of Role Hierarchies

With increasing depth, the complexity of a role hierarchy goes up. Normally, organisations use a more or less fixed structure of roles. Often access rights are collected in so-called IT roles which in turn are assigned to business roles which comprise the rights for an organisational unit or function. Sometimes a second level for business roles exists to allow further structuring. Thus, average role path lengths of 2 or 3 occur. Via path length analysis in Access Intelligence, deviations can easily be detected, analysed and corrected if necessary.
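To make the permission path analysis, the redundancy and path length analyses and the critical-resource policy check above concrete, here is an added example (not code from the original post or from the Beta Systems product). It builds a constructed toy access model with the user → business role → IT role → resource shape described above, enumerates every single user-to-resource path, and flags redundant assignments and violations of the assumed policy that critical resources must be directly connected; all names and the set of critical resources are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample assignments (source -> target), following the text's shape:
# user -> business role -> IT role -> resource, plus a group path and a direct one.
EDGES = [
    ("alice", "BR_Finance"), ("BR_Finance", "ITR_Payments"),
    ("ITR_Payments", "RES_Payment_Approval"),
    ("alice", "ITR_Payments"),          # second path to the same resource (redundant)
    ("alice", "RES_Payment_Approval"),  # direct assignment (policy-compliant)
    ("bob", "BR_Finance"),
    ("bob", "GRP_Backup"), ("GRP_Backup", "RES_Backup_Share"),
]
USERS = {"alice", "bob"}
RESOURCES = {"RES_Payment_Approval", "RES_Backup_Share"}
CRITICAL = {"RES_Payment_Approval"}  # assumed critical; must be directly connected

def permission_paths(edges, users, resources):
    """Split the access structure into single user-to-resource paths (DFS)."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    paths = []

    def walk(node, path):
        if node in resources:
            paths.append(tuple(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:  # guard against cyclic role/group nesting
                walk(nxt, path + [nxt])

    for user in sorted(users):
        walk(user, [user])
    return paths

def path_length(path):
    """Number of security objects between the two end points of a path."""
    return len(path) - 2

def redundant_assignments(paths):
    """(user, resource) pairs that are reachable via more than one path."""
    by_pair = defaultdict(list)
    for p in paths:
        by_pair[(p[0], p[-1])].append(p)
    return {pair: ps for pair, ps in by_pair.items() if len(ps) > 1}

def policy_violations(paths, critical):
    """Critical resources must be directly connected, i.e. path length 0."""
    return [p for p in paths if p[-1] in critical and path_length(p) > 0]
```

On the constructed model, alice reaches the critical resource via three paths (one redundant pair is flagged) while bob reaches it only through roles, which the policy check reports as a violation.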

For more information on Beta Systems Access Intelligence capabilities go to http://www.betasystems-iam.com/portfolio/solutions/access-intelligence.html

Detlef Sturm, Senior System Architect

Detlef Sturm is a Senior System Architect at Beta Systems Software AG with 20+ years’ experience in design and practice of system and software architectures. In addition to the technological aspects, he was significantly involved in drafting the strategic positioning of Access Governance in the IAM area. As part of this strategy he took over the responsibility for design, architecture and development of the Access Intelligence product. He has built up extensive knowledge in BI technologies, in particular based on SQL Server. In addition to the multidimensional design of data warehouse systems, he also deals with applications of analytics for IAM. These include the analysis of permission structures regarding relationships, history and risk. Even his physical fitness is given enough attention by regular jogging and biking. His best time in the marathon is currently 3:34 hours.
