How to identify and measure IT access risks


IT Risk Identification with Access Intelligence – Why you can’t do without it

Before access risks can be avoided, reduced or managed, they must first be identified. While this may seem trivial, it is a complex task in terms of permission management. Detecting and assessing risks among the enormous amounts of data that continuously accrue in the access management environment is a lot like finding the proverbial needle in the haystack. With a growing number of users, roles and IT systems – all of which must be granted permissions – the sheer number of risk opportunities rises exponentially.

A company with 5,000 employees and only 50 IT systems with ten permission groups each, for example, has over 2.5 million permission-granting possibilities, each of which may represent a high or low risk for the company. In light of this, the task of identifying all the existing risks from these permissions, assessing their effects and defining appropriate measures seems hopeless.

Identifying Access Risk

In fact, even a reasonable amount of effort is usually not enough to detect and assess all the possible risks associated with access management. Therefore, a better strategy is to identify the most risky permissions first, assess them and then combat them with adequate measures.

So how do you identify and measure IT access risks?

To determine which permissions pose which risks, you need high-performance tools that let companies run standard analyses and obtain, in a short period of time, information such as the effect a given risk assessment has on individual permissions and users.

User Risk Analysis is necessary

This is where User Risk Analysis comes into play: it reports risk per user based on the groups assigned to them, and shows the number of users in a department grouped by risk type, along with the associated direct and indirect roles, the number of direct user groups and subgroups, and the number of accounts and IT applications used by each user. High-risk departments are identified directly and immediately. The User Risk Analysis allows companies to quickly identify high-risk users and roles within an organizational unit and to determine the source of these risks.

The major challenge of risk analysis is that, even though the company’s systems are provided by the IT team, they are largely operated and used by other departments. Naturally, an access permission risk analysis must also take into account large volumes of data – currently a major topic in the industry. In my view, however, the biggest task is in assessing and depicting whether and why an employee holds access permissions and what type of risk arises from these permissions. This assessment should not be performed by the IT team alone.

Measurement of risks

Identity Risk Management metrics must fulfill a number of important tasks. First, they must make the distribution of access permissions clear and provide information on the quality of the identities, the roles they play within the organization and how they are managed. Secondly, they must provide information on the decision-making process for access permission granting based on an origin analysis. Problem areas should be easily detectable through dashboards.

Now, if our goal is to make risk management into a measurable, objective parameter, we are faced with the challenge of deriving a single piece of information (such as “how high is the risk for a particular user, role or group?”) from a large number of influencing factors.

These include:

  • Risk assessments: at the role, group, resource and permission level
  • Risk observation: at the user, organization or job function level

Risk Class

Our Garancy solution uses a class-based approach, under which roles, groups, resources and permissions are evaluated by risk type (low, medium, high risk) and risk rating. The risk rating is a numerical classification of individual permission objects, in which risk is generally assessed on the basis of threat potential, the probability of the damage event and the expected impact. All other risk parameters are automatically calculated.

Based on the risk type and risk rating, the analyses form risk classes with three levels per risk type. The class configuration can, of course, be customized.

Risk ratings are always aggregated or totaled within a risk type. Thresholds are defined to determine which totals are classified as high, medium or low. The system clearly shows the totals within each type or class. In contrast to a purely numerical value, this approach makes the risk carried by each employee easy to identify.

Risk scoring involves “adding up” all the attributed risks. This can be based on various mathematical approaches (sums, algorithms, etc.).

The advantage of this approach for assessing risk is that it aggregates individual risks for each permission by individual user. Here, the Garancy Access Intelligence Manager provides support by aggregating individual risks by entitlement type (role, group, resource, permission). Rather than simply adding up the risks, Garancy uses a class-based method in which aggregation takes place solely within a class.
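The following is an added example, written for this page and not Garancy’s own code, that illustrates both the User Risk Analysis described earlier (risk per user derived from direct and indirect entitlements, grouped by department) and the class-based aggregation just described (ratings totaled only within a risk type, then classified against per-type thresholds). The entitlement catalogue, group nesting, users, ratings and thresholds are all constructed for the example; `naive_score` is included only to contrast plain summation with the class-based method.

```python
"""Class-based access-risk aggregation (example code for this page, not the
vendor's implementation).  All data below is constructed for illustration."""

from collections import defaultdict
from dataclasses import dataclass

# Risk types named in the text: every entitlement carries a type and a rating.
RISK_TYPES = ("low", "medium", "high")

# Assumed thresholds per risk type.  A per-type total at or above the second
# bound falls into class 3, at or above the first into class 2, else class 1.
THRESHOLDS = {
    "low":    (10, 25),
    "medium": (8, 20),
    "high":   (5, 12),
}


@dataclass(frozen=True)
class Entitlement:
    name: str
    kind: str        # role, group, resource or permission
    risk_type: str   # low / medium / high
    rating: int      # numerical risk rating of this permission object


# Constructed catalogue of permission objects.
CATALOGUE = {
    "role:reader":          Entitlement("role:reader", "role", "low", 2),
    "group:finance":        Entitlement("group:finance", "group", "medium", 8),
    "perm:approve_payment": Entitlement("perm:approve_payment", "permission", "high", 7),
    "perm:create_vendor":   Entitlement("perm:create_vendor", "permission", "high", 6),
    "resource:hr_db":       Entitlement("resource:hr_db", "resource", "medium", 5),
}

# Constructed nesting: membership in a group grants its contained objects
# indirectly.  This is what makes "direct and indirect" entitlements differ.
CONTAINS = {
    "group:finance": ["perm:create_vendor"],
}

# Constructed users with department and directly assigned entitlements.
USERS = {
    "alice": {"department": "Finance",
              "entitlements": ["role:reader", "group:finance",
                               "perm:approve_payment", "perm:create_vendor"]},
    "bob":   {"department": "Finance",
              "entitlements": ["role:reader", "group:finance"]},
    "carol": {"department": "HR",
              "entitlements": ["role:reader", "resource:hr_db"]},
}


def resolve_entitlements(user):
    """Return the set of direct plus indirect entitlements for a user.
    Using a set means an object reached by two paths is rated once."""
    effective = set()
    pending = list(USERS[user]["entitlements"])
    while pending:
        name = pending.pop()
        if name in effective:
            continue
        effective.add(name)
        pending.extend(CONTAINS.get(name, []))
    return effective


def aggregate_by_type(entitlement_names):
    """Total ratings separately within each risk type; types never mix."""
    totals = {t: 0 for t in RISK_TYPES}
    for name in entitlement_names:
        e = CATALOGUE[name]
        totals[e.risk_type] += e.rating
    return totals


def classify(risk_type, total):
    """Map a per-type total onto class 1..3 using that type's thresholds."""
    bound2, bound3 = THRESHOLDS[risk_type]
    if total >= bound3:
        return 3
    if total >= bound2:
        return 2
    return 1


def user_risk(user):
    """Per-type total and class for one user, the basis of a risk dashboard."""
    totals = aggregate_by_type(resolve_entitlements(user))
    return {t: {"total": totals[t], "class": classify(t, totals[t])}
            for t in RISK_TYPES}


def naive_score(user):
    """Plain sum across all types, shown only to contrast with the above."""
    return sum(CATALOGUE[n].rating for n in resolve_entitlements(user))


def department_report(min_class=3):
    """Group users by department and list who reaches min_class in any type."""
    report = defaultdict(list)
    for user, info in USERS.items():
        profile = user_risk(user)
        flagged = [t for t in RISK_TYPES if profile[t]["class"] >= min_class]
        if flagged:
            report[info["department"]].append((user, flagged))
    return dict(report)


if __name__ == "__main__":
    for u in USERS:
        print(u, user_risk(u), "naive:", naive_score(u))
    print(department_report(min_class=2))
```

Note what the per-type classes reveal that the naive sum hides: bob holds no high-risk permission directly, yet the indirect `perm:create_vendor` granted through `group:finance` pushes his high-type total over the first threshold, so he appears in the department report at class 2 even though his naive score is lower than alice’s.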

For more information on Access Risk Management visit
