Identity & Access Management (IAM) Auditing

The Fundamentals of IAM Auditing


Auditing can conjure up memories of having your homework marked by that very strict teacher no one liked, and of dreading it being handed back in front of your classmates. Auditing therefore has a bit of a bad reputation, but in reality it is an essential part of the five pillars of IAM, reinforcing and checking that the functionality carried out in the other areas actually works.

It should not be seen as a pass or fail, though in the case of compliance with a regulation it sometimes can be. Even in that case, an organisation has a chance to improve. Admittedly the second chance does come with a bit more pressure, not only in time but also in potential business consequences.

Auditing should instead be viewed as a force for good. The ability to trace past events can be used to protect the innocent from unwanted blame. Even where something untoward did happen, the audit capability can be used to learn from it and rectify the gaps.

The Components of Auditing

  • Reporting
  • Surveys
  • Privilege Session Monitoring
  • Dynamic Monitoring
  • Behavioural Analytics

Reporting on who has access is a key area, especially around compliance. It is essential to be able to report on who has access to what. Auditors will always ask for proof of access, of access requests, and simply of who has done what. There is still no real substitute for a good old-fashioned report. Thankfully nearly every system provides one.

Surveys are a key aspect of self-service auditing: getting users, team leaders and system owners to periodically review their own access, and offering them the chance to remove permissions that are no longer required.

Privilege Session Monitoring is the special monitoring (often video or keypress capture) of a session performed by someone with elevated rights (e.g. an administrator) or on a protected resource (e.g. a production server).

Auditing should never be viewed as static in nature; it is essential that constant real-time analysis of identity risks is maintained. This helps to detect potential areas of weakness early.

Behavioural Analytics is often considered a separate area to IAM, and traditionally it was. However, it does play an important part in building a picture of typical behaviour for a user, and can help in authenticating a user or accepting an access request.

Reporting

Reporting on who has access is a key area, especially around compliance. It is essential to be able to report on who has access to what. Scheduled reporting is never enough, as it is out of date as soon as it is run. This is not a case of a report having a very short shelf-life; it is that a user's access can change between scheduled runs in a way the reports never show. In other words, a malicious user could gain access to a sensitive system one second after the report is run and, with incredible timing, relinquish the access one second before the next report. As far as the reports are concerned, the user never had access. Therefore, it is essential that reports can provide details on who has had access, and what they accessed, at any point in time.

Consolidated reporting is better than individual reports from end systems. The simple reason is that credentials, and in particular usernames, can differ between systems. It can then be difficult to tie these together to show what access a particular user has. An IAM solution will provide the correlation between the credentials and the end user.
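Both points above, the gap between scheduled report runs and the need to correlate differing usernames to one person, can be shown with a small event-sourced report. The code below is an added example, not from the original article or any product it describes; the identity map, event log and field names are constructed for illustration. It keeps every grant and revoke event, so it can answer "who held what at instant T" (a snapshot) as well as "who held what at any moment between two report runs", which catches a grant that appears and disappears between snapshots.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed identity map: (system, username) -> correlated user id.
# Usernames differ per system, which is exactly why consolidation is needed.
IDENTITY_MAP = {
    ("hr_app", "j.smith"): "user-1001",
    ("erp", "JSMITH"): "user-1001",
    ("erp", "ADMIN7"): "user-1002",
}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    system: str
    username: str
    resource: str
    action: str  # "grant" or "revoke"


# Constructed event log. The erp/finance_admin grant to JSMITH is created one
# second after the first nightly report and revoked one second before the next.
EVENTS = [
    AccessEvent(datetime(2024, 3, 1, 9, 0, 0), "hr_app", "j.smith", "payroll_read", "grant"),
    AccessEvent(datetime(2024, 3, 1, 10, 0, 0), "erp", "ADMIN7", "finance_admin", "grant"),
    AccessEvent(datetime(2024, 3, 1, 23, 0, 1), "erp", "JSMITH", "finance_admin", "grant"),
    AccessEvent(datetime(2024, 3, 2, 22, 59, 59), "erp", "JSMITH", "finance_admin", "revoke"),
]

# Assumed schedule: a report is run at 23:00 every night.
REPORT_1 = datetime(2024, 3, 1, 23, 0, 0)
REPORT_2 = datetime(2024, 3, 2, 23, 0, 0)


def resolve_user(system, username):
    """Correlate a per-system credential to a person; unmapped credentials are
    surfaced explicitly rather than silently dropped from the report."""
    return IDENTITY_MAP.get((system, username), f"unmapped:{system}/{username}")


def access_at(events, at):
    """Snapshot: entitlements held at instant `at`, keyed by correlated user id."""
    held = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts > at:
            break
        user = resolve_user(ev.system, ev.username)
        bucket = held.setdefault(user, set())
        if ev.action == "grant":
            bucket.add((ev.system, ev.resource))
        elif ev.action == "revoke":
            bucket.discard((ev.system, ev.resource))
    return {u: s for u, s in held.items() if s}


def access_between(events, start, end):
    """Every (user, system, resource) held at any moment in [start, end], with the
    interval it was held (end None = still held). Grants revoked before `end`
    are included, which a pair of snapshots would miss."""
    open_since, intervals = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (resolve_user(ev.system, ev.username), ev.system, ev.resource)
        if ev.action == "grant":
            open_since.setdefault(key, ev.ts)
        elif ev.action == "revoke" and key in open_since:
            intervals.append((key, open_since.pop(key), ev.ts))
    intervals.extend((key, since, None) for key, since in open_since.items())
    return [(k, s, e) for k, s, e in intervals if s <= end and (e is None or e >= start)]


if __name__ == "__main__":
    print("snapshot 1:", access_at(EVENTS, REPORT_1))
    print("snapshot 2:", access_at(EVENTS, REPORT_2))
    print("held between reports:", access_between(EVENTS, REPORT_1, REPORT_2))
```

The two snapshots are identical and neither shows user-1001 holding finance_admin, while the interval query lists it with the exact window it was held. The same query also consolidates j.smith and JSMITH under one user id, which is the correlation an IAM layer adds over per-system reports.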

Surveys

Many IAM solutions allow users to request access for any reason and, if the approver agrees, they will get that access. Good intentions of removing the access when finished can seldom be relied upon. Whether the responsibility lies with the end user, the application owner or team leaders, it is often simply forgotten about.

Having regular self-service checks between end users, managers and resource owners will help confirm whether the access is still required. Typically this is done annually, but more frequent reviews are not unheard of.

The process allows those no-longer-needed permissions to be reviewed and removed. It is more than good housekeeping; it helps reduce risk, especially when considering compromised credentials.
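The review cycle described in this section can be written down as a small campaign: one review item per user and entitlement, routed to the user's manager, with decisions applied as revocations. This is an added example, not code from the article or any IAM product; the entitlement data, manager mapping and field names are constructed. One design choice worth making explicit is what happens to items the reviewer never answers: this example escalates them after the deadline rather than silently keeping the access, and that default is an assumption of the example.

```python
from datetime import date

# Constructed sample data: current entitlements per user and who reviews each user.
ENTITLEMENTS = {
    "user-1001": {"hr_app:payroll_read", "erp:finance_admin", "vpn:standard"},
    "user-1002": {"erp:finance_admin", "vpn:standard"},
}
MANAGER_OF = {"user-1001": "mgr-7", "user-1002": "mgr-7"}

# Constructed reviewer responses; user-1002's vpn:standard is left unanswered.
DECISIONS = {
    ("user-1001", "erp:finance_admin"): "remove",
    ("user-1001", "hr_app:payroll_read"): "keep",
    ("user-1001", "vpn:standard"): "keep",
    ("user-1002", "erp:finance_admin"): "keep",
}


def build_campaign(entitlements, manager_of):
    """One review item per (user, entitlement), routed to that user's manager."""
    items = []
    for user, ents in sorted(entitlements.items()):
        for ent in sorted(ents):
            items.append({"reviewer": manager_of[user], "user": user,
                          "entitlement": ent, "decision": None})
    return items


def apply_decisions(items, decisions, today, deadline):
    """Return (revocations, escalations).

    decisions maps (user, entitlement) -> "keep" | "remove". An item with no
    decision after the deadline is escalated (assumed policy), so an unanswered
    review never quietly preserves access."""
    revoke, escalate = [], []
    for it in items:
        d = decisions.get((it["user"], it["entitlement"]))
        it["decision"] = d
        if d == "remove":
            revoke.append((it["user"], it["entitlement"]))
        elif d is None and today > deadline:
            escalate.append((it["reviewer"], it["user"], it["entitlement"]))
    return revoke, escalate


def run_review(today=date(2024, 4, 2), deadline=date(2024, 4, 1)):
    items = build_campaign(ENTITLEMENTS, MANAGER_OF)
    return apply_decisions(items, DECISIONS, today, deadline)


if __name__ == "__main__":
    revocations, escalations = run_review()
    print("revoke:", revocations)
    print("escalate:", escalations)
```

The revocation list is what gets pushed back to the end system (or to the IAM provisioning layer), and the escalation list is what the campaign owner chases after the deadline.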

Privilege Session Monitoring

It does seem that administrators, or anyone with elevated privileges, are picked on for closer scrutiny. It is not personal, but these are the people with the most power and they are therefore the most attractive targets for cyber criminals.

It is not just for security that PSM is used; it is also a great diagnostic tool. It is possible to go back, review a session and see what changes were made. With auditing being a force for good, these captures can also be used as a training aid.

Modern PAM products will provide video capture as well as keylogging capabilities. This is very useful but can prove expensive in disk storage (whether cloud or physical). Often, rather than video-recording every session, selected operations on selected resources are more tightly monitored, with keylogging always kept as the minimum. However, if feasible, it is always recommended to capture all sessions.

Dynamic Monitoring

To the initiated, auditing does mean checking one's work periodically. Using the homework analogy from earlier, it is often thought of more as an end-of-year exam. The use of external auditors reinforces this idea.

This idea is not sufficient, as IT, and especially security, is a dynamic entity changing minute by minute. A good IAM solution will have a way of continuously monitoring risks, whether around too much access, rarely used accounts, too many privileges, or the automatic detection of zombie accounts or outlier accounts. (Zombie or orphan accounts are credentials that are not linked to a user. Outlier accounts are accounts that are tied to a user but are no longer needed as part of their role.)
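The three checks named here (orphan accounts, rarely used accounts and outlier entitlements) can each be run continuously against the account inventory rather than once a year. The code below is an added example, not from the article or any product; the accounts, identity map, role membership, entitlements and last-login dates are constructed, and the thresholds (30% peer share for an outlier, 90 idle days for dormancy) are assumptions. Outliers are found by comparing each user's entitlements with the peers in the same role: an entitlement that only a small share of the role holds is the one to question.

```python
from collections import Counter
from datetime import date

# Constructed inventory: accounts reported by the end system, the identity map
# correlating them to people, each person's role, and their entitlements.
ACCOUNTS = [("erp", "JSMITH"), ("erp", "ADMIN7"), ("erp", "MBROWN"),
            ("erp", "PLEE"), ("erp", "SVC_OLD")]
IDENTITY_MAP = {("erp", "JSMITH"): "user-1001", ("erp", "ADMIN7"): "user-1002",
                ("erp", "MBROWN"): "user-1003", ("erp", "PLEE"): "user-1004"}
ROLE_OF = {u: "finance-analyst" for u in ("user-1001", "user-1002", "user-1003", "user-1004")}
ENTITLEMENTS = {
    "user-1001": {"gl_read", "gl_post", "db_admin"},   # db_admin is unusual for the role
    "user-1002": {"gl_read", "gl_post"},
    "user-1003": {"gl_read", "gl_post"},
    "user-1004": {"gl_read"},
}
LAST_LOGIN = {"user-1001": date(2024, 3, 28), "user-1002": date(2023, 11, 1),
              "user-1003": date(2024, 1, 15)}   # user-1004 has never signed in
TODAY = date(2024, 4, 1)


def find_orphans(accounts, identity_map):
    """Zombie/orphan accounts: credentials with no correlated user."""
    return [acct for acct in accounts if acct not in identity_map]


def find_dormant(role_of, last_login, today, max_idle_days=90):
    """Rarely used accounts: no sign-in within max_idle_days, or never.
    Returns (user, idle_days) with idle_days None when there is no sign-in at all."""
    dormant = []
    for user in sorted(role_of):
        last = last_login.get(user)
        if last is None:
            dormant.append((user, None))
        elif (today - last).days > max_idle_days:
            dormant.append((user, (today - last).days))
    return dormant


def find_outliers(entitlements, role_of, threshold=0.3):
    """Outlier entitlements: held by a user but by fewer than `threshold` of the
    peers in the same role. Returns (user, role, entitlement, peer_share)."""
    members_by_role = {}
    for user, role in role_of.items():
        members_by_role.setdefault(role, []).append(user)
    outliers = []
    for role, members in sorted(members_by_role.items()):
        if len(members) < 2:          # no peer group to compare against
            continue
        counts = Counter(e for m in members for e in entitlements.get(m, ()))
        for m in sorted(members):
            for e in sorted(entitlements.get(m, ())):
                share = counts[e] / len(members)
                if share < threshold:
                    outliers.append((m, role, e, round(share, 2)))
    return outliers


if __name__ == "__main__":
    print("orphans:", find_orphans(ACCOUNTS, IDENTITY_MAP))
    print("dormant:", find_dormant(ROLE_OF, LAST_LOGIN, TODAY))
    print("outliers:", find_outliers(ENTITLEMENTS, ROLE_OF))
```

Run on a schedule of minutes rather than months, each list becomes a risk feed: orphans go to the owner of the end system, dormant accounts to their manager, and outlier entitlements into the next access review with the peer share attached so the reviewer can see why it was flagged.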

Behavioural Analytics

It can be argued that Behavioural Analytics is not part of an IAM solution. Typically, SIEM (Security Information and Event Monitoring) would perform this type of analytics as part of log and event collection from connected systems.

This is true, but most SIEM tools have no idea about the end user, as they are only focused on a set of credentials. This is fine if the username used is consistent in every system, but especially where legacy systems are in use this is often not the case.

Many modern Access Management systems will use previous behaviour to assess the risk of a user attempting to access a resource. For example, some will recognise that the same user is attempting to access from the same coffee shop, at the same time every week, using the same browser. In this case step-up authentication (i.e. MFA) may not be needed. Equally, if something is unusual (it could be as simple as the time of day) then additional authentication may be required.
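The coffee-shop scenario above can be made concrete as a baseline-and-score check: build a profile from the user's past successful sign-ins, score a new attempt by how unfamiliar each attribute is, and request step-up only when the score crosses a threshold. This is an added example, not the article's or any vendor's logic; the sign-in history, attribute names, weights, the 10% "rarely seen" cut-off and the one-hour tolerance are all constructed assumptions. It also handles the cold-start case, a user with no history at all, by always requiring step-up.

```python
from collections import Counter
from datetime import datetime

# Constructed history: seven Monday-morning sign-ins from the same cafe and
# browser, plus one afternoon sign-in from the office.
HISTORY = [
    {"ts": datetime(2024, 1, 8, 8, 30), "network": "cafe-wifi-42", "browser": "Firefox/121", "country": "GB"},
    {"ts": datetime(2024, 1, 15, 8, 28), "network": "cafe-wifi-42", "browser": "Firefox/121", "country": "GB"},
    {"ts": datetime(2024, 1, 22, 8, 33), "network": "cafe-wifi-42", "browser": "Firefox/121", "country": "GB"},
    {"ts": datetime(2024, 1, 29, 8, 31), "network": "cafe-wifi-42", "browser": "Firefox/121", "country": "GB"},
    {"ts": datetime(2024, 2, 5, 8, 29), "network": "cafe-wifi-42", "browser": "Firefox/121", "country": "GB"},
    {"ts": datetime(2024, 2, 12, 8, 30), "network": "cafe-wifi-42", "browser": "Firefox/121", "country": "GB"},
    {"ts": datetime(2024, 2, 19, 8, 32), "network": "cafe-wifi-42", "browser": "Firefox/121", "country": "GB"},
    {"ts": datetime(2024, 2, 20, 14, 5), "network": "office-lan", "browser": "Chrome/121", "country": "GB"},
]

# Assumed weights: an unfamiliar country is worth more than an unfamiliar hour.
WEIGHTS = {"country": 50, "network": 25, "browser": 15, "hour": 10}
RARE = 0.1   # an attribute value seen in under 10% of history counts as unfamiliar


def build_profile(history):
    """Frequency counts per attribute; this is the user's behavioural baseline."""
    return {
        "n": len(history),
        "country": Counter(h["country"] for h in history),
        "network": Counter(h["network"] for h in history),
        "browser": Counter(h["browser"] for h in history),
        "hour": Counter(h["ts"].hour for h in history),
    }


def risk_score(profile, attempt):
    """Return (score, reasons) for one sign-in attempt against the baseline."""
    n = profile["n"]
    if n == 0:   # no baseline yet: treat as fully unfamiliar
        return WEIGHTS["country"], ["no baseline"]
    score, reasons = 0, []
    for attr in ("country", "network", "browser"):
        if profile[attr][attempt[attr]] / n < RARE:
            score += WEIGHTS[attr]
            reasons.append(f"unfamiliar {attr}")
    # Time of day is checked with a one-hour tolerance either side (assumption).
    h = attempt["ts"].hour
    hour_share = sum(profile["hour"][(h + d) % 24] for d in (-1, 0, 1)) / n
    if hour_share < RARE:
        score += WEIGHTS["hour"]
        reasons.append("unusual hour")
    return score, reasons


def requires_step_up(profile, attempt, threshold=10):
    """Decide whether MFA should be requested; returns (step_up, score, reasons)."""
    score, reasons = risk_score(profile, attempt)
    return score >= threshold, score, reasons


PROFILE = build_profile(HISTORY)
# Constructed attempts: the usual Monday cafe visit, the same place at 02:10,
# and a sign-in from a hotel network in another country.
USUAL = {"ts": datetime(2024, 2, 26, 8, 31), "network": "cafe-wifi-42", "browser": "Firefox/121", "country": "GB"}
ODD_HOUR = dict(USUAL, ts=datetime(2024, 2, 27, 2, 10))
NEW_PLACE = dict(USUAL, network="hotel-guest", country="US")

if __name__ == "__main__":
    for name, attempt in (("usual", USUAL), ("odd hour", ODD_HOUR), ("new place", NEW_PLACE)):
        print(name, requires_step_up(PROFILE, attempt))
```

With the threshold at 10, the usual visit passes without MFA, a 02:10 sign-in triggers step-up on time of day alone, and the overseas hotel sign-in scores far higher with two reasons attached. The reasons list is worth keeping in the authentication log: it is what an auditor or an analyst reads later to see why the extra factor was demanded.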

The use of machine learning is slowly playing a greater role in IAM to improve user experience. Opinions are divided whether this is a marketing gimmick or something that genuinely improves the solution.

Summary

Auditing should not be viewed as a necessary evil to satisfy compliance, nor invoke memories of nervous discomfort waiting for the teacher's mark. People with higher privileges may feel unduly scrutinised by having their sessions captured, but those sessions can help in training and diagnostic work.

Whilst regulation and its associated reporting are necessary, more dynamic monitoring can highlight areas of risk, especially around too much access, and help identify threats in real time.

The use of regular user self-assessment of access rights can help reduce those risks by removing no longer needed permissions.

Overall, auditing is there to help and to provide continuous support, and as part of a successful IAM programme it can improve user experience whilst fighting cyber criminals.
