As IAM systems spread and become more widely available, auditors are becoming increasingly demanding in their expectations of powerful analytic capabilities for IAM data historization. Over the last decade, most IAM systems were implemented because of the dreaded question ‘Who is allowed to do what in your organization?’
The past as IAM data historization challenge today
But the challenge for today is ‘Tell me about the past’. Adding the time dimension to the access data makes the complexity seem to explode: while investigating the current access rights already covers a large number of questions about objects such as users, groups and roles and their relations to each other (‘Which users are members of a certain group?’), adding criteria like ‘at a certain point in time’ or ‘in a given time period’ raises the level of difficulty for IAM data historization significantly.
Compliant access data preservation
To answer a supposedly easy question like ‘Who had access to a certain resource in a period of time?’ with IAM data historization, it is not enough to save access right snapshots periodically. This method has a fundamental weakness: there is always the risk of intermediate back-and-forth changes between two data points, and no snapshot captures them. Since auditors are usually not satisfied with a statement starting with ‘Probably…’, compliant access data preservation must cover a continuous recording of all access management events – the IAM data historization.
But in addition to this, audit questions are not limited to direct relationships between the objects. A user’s entitlement to a resource can either be assigned directly or, in the worst case, result from a role membership where one of the sub-roles contained a group (or even a sub-group) that carries the entitlement. To provide reliable audit statements, all connections between the objects must be considered over time. This is only possible with a powerful IAM data historization. And if that wasn’t enough, such an analysis must include changed assignments as well as potential changes to the definitions of the objects themselves (groups, roles), considering their exact chronology.
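The two points above (periodic snapshots miss intermediate grant-and-revoke cycles, and entitlements must be resolved through nested roles and groups as they stood at each moment) can be made concrete with a small event-sourced model. This is an added illustration, not code from the original article or from any IAM product; the event log, the names (alice, bob, role:admins, group:finance, ent:ledger) and the integer timestamps are constructed sample data.

```python
from collections import defaultdict

# Constructed sample event log (not real data): (time, action, member, container).
# Nesting is expressed as plain edges: user -> role -> sub-role/group -> entitlement.
EVENTS = [
    (10, "add", "alice", "role:admins"),
    (10, "add", "role:admins", "group:finance"),
    (10, "add", "group:finance", "ent:ledger"),
    (20, "add", "bob", "group:finance"),             # granted between two snapshots...
    (25, "remove", "bob", "group:finance"),          # ...and revoked before the next one
    (30, "remove", "role:admins", "group:finance"),  # the role definition itself changes
]

def graph_at(events, t):
    """Replay the log up to time t to rebuild the membership graph as it stood then."""
    graph = defaultdict(set)
    for ts, action, member, container in sorted(events):
        if ts > t:
            break
        if action == "add":
            graph[member].add(container)
        else:
            graph[member].discard(container)
    return graph

def reaches(graph, start, target):
    """Depth-first walk from a principal through nested roles/groups to an entitlement."""
    stack, seen = [start], set()
    while stack:
        node = stack.pop()
        if node == target:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, ()))
    return False

def accessors_at(events, entitlement, t):
    """Users (members without a type prefix) that could reach the entitlement at instant t."""
    g = graph_at(events, t)
    users = {m for _, _, m, _ in events if ":" not in m}
    return {u for u in users if reaches(g, u, entitlement)}

def accessors_during(events, entitlement, start, end):
    """Continuous history: access only changes at event times, so checking `start`
    plus every event time inside the window is exhaustive for the whole period."""
    checkpoints = {start} | {ts for ts, *_ in events if start <= ts <= end}
    return set().union(*(accessors_at(events, entitlement, t) for t in checkpoints))

def accessors_from_snapshots(events, entitlement, snapshot_times):
    """What periodic snapshots alone would report: the gap the text warns about."""
    return set().union(*(accessors_at(events, entitlement, t) for t in snapshot_times))
```

For the window 15 to 35 the continuous history reports both alice and bob, while snapshots taken at 15 and 35 report only alice, because bob's grant at 20 and revocation at 25 fall entirely between them.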
Access Intelligence needed to answer all auditor questions
Let’s assume you find a system that covers all the needs stated above; the user’s operation of such an analytic engine will be a challenge in its own right. The data pool created for IAM data historization will have so many perspectives that a new type of user interface will be needed to make use of the given flexibility and to answer all auditor questions.
With the described IAM data historization system, a new level of access intelligence is available that is not limited to a few preconfigured, single-dimensional queries from the user’s history perspective only, but that allows you to analyze the access rights history from any possible angle with a few mouse clicks.
For more information on audit requirements go to http://www.betasystems-iam.com/portfolio/roles/auditcontrolling.html