Leveraging identity analytics to achieve identity governance

The maturity of identity management is evident in the wide adoption of identity management solutions in today's enterprise environments. 

These complex identity management deployments, often intertwined and integrated with existing enterprise infrastructure and systems, contain a wealth of information — from lifecycle of identities, accounts, roles, and security policies to user activities such as application access, data access, and human workflow. 

Business intelligence (BI) solutions have long been viewed as crucial tools for enterprises to gain greater insight into their enterprise resource planning systems (ERPs), such as human resource management, supply chain management, and financial applications. 

Data from these transactional applications is pulled into a data warehouse. Aggregation, correlation and analysis on this data provide meaningful information to improve awareness and decision-making in the respective areas. In a similar fashion, an identity analytics solution can complement an enterprise identity management solution by providing not only greater insight — but also added value in the area of identity compliance and governance.

Consider a simple scenario of a newly hired broker at a brokerage firm accessing a new client's portfolio. To do so, she logs into an internal website and navigates through a few tabs to get to her client's portfolio.

What is actually involved here? The identity of the new hire begins in the human resources system. A role management solution then picks up the identity and assigns the appropriate roles based on attributes of the identity, such as business unit, job code and location. These role assignments, in turn, trigger a provisioning solution to create accounts into various target systems, such as the corporate LDAP directory and other applications requiring account creation. The provisioning solution also provisions the appropriate level of privileges for the identity in these targets. In some cases, approvals are required to grant access to sensitive information and business functions.

This onboarding sequence alone illustrates the coordination required across many identity management components. When the broker finally logs into the system, other identity management components come into play. The single sign-on solution authenticates her against the corporate LDAP directory. Application security policies kick in to determine what the broker is allowed to see and do within the application based on the privileges assigned and other run-time factors. Data security policies may be in place to control and restrict the scope of corporate and client data exposed to this broker.

With all these components in place, how do we present a holistic view of the identity management environment for different audiences?

An IT administrator responsible for the provisioning system may be interested in the average time it takes before a new hire has access to his email account. An LDAP administrator would like to correlate login events audited in the single sign-on solution with the associated LDAP operations to better monitor the systems. An application owner may be interested in observing any trends or patterns in the appearance of orphaned accounts to pinpoint the root cause. A business owner wants to ensure access certifications are handled in an efficient manner by analyzing the average time it takes for a certification campaign to complete across the business unit. A security officer wants proof that the percentage of users and applications covered by the quarterly certification campaign has met the required target.

Like other BI applications today, a key component of an identity analytics solution is the notion of a data warehouse — an identity warehouse in this case. As most identity management components are transactional by nature, they are not optimized for analytical and reporting purposes. Furthermore, the information, as illustrated above, is scattered across different systems and different data models. An identity warehouse provides a platform to consolidate and correlate your identity data — such as users, roles, entitlements, their relationships, policies, authentication and authorization events — into a single unified repository. An OLAP data warehouse is also better suited to capturing and aggregating historical data, such as policy changes and role membership changes, and to generating complex query results, reports and charts efficiently.
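As an added illustration of the kind of warehouse queries that sit behind the KPIs described above (this is example code, not from the original article), the following builds a small in-memory SQLite identity warehouse from constructed sample data and computes three of those KPIs: orphaned accounts, average days from hire to e-mail access, and certification-campaign coverage. The table layout, names and dates are assumptions.

```python
import sqlite3

# Constructed sample data (not from any real deployment): HR identities, accounts
# provisioned into target systems, and identities reviewed in a certification campaign.
IDENTITIES = [("u1", "2024-03-01"), ("u2", "2024-03-04"), ("u3", "2024-03-11")]
ACCOUNTS = [  # (target, account name, owning identity or None, created)
    ("ldap", "alice", "u1", "2024-03-01"), ("email", "alice", "u1", "2024-03-03"),
    ("ldap", "bob", "u2", "2024-03-04"), ("email", "bob", "u2", "2024-03-05"),
    ("ldap", "carol", "u3", "2024-03-11"), ("email", "carol", "u3", "2024-03-15"),
    ("crm", "svc_legacy", None, "2023-11-20"),  # no matching identity: orphaned
]
CERTIFIED = [("Q1", "u1"), ("Q1", "u2")]  # identities reviewed in campaign Q1


def build_warehouse():
    """Load the constructed data into an in-memory SQLite 'identity warehouse'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE identity(id TEXT PRIMARY KEY, hired TEXT);
        CREATE TABLE account(target TEXT, name TEXT, owner TEXT, created TEXT);
        CREATE TABLE certified(campaign TEXT, identity_id TEXT);
    """)
    conn.executemany("INSERT INTO identity VALUES (?, ?)", IDENTITIES)
    conn.executemany("INSERT INTO account VALUES (?, ?, ?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO certified VALUES (?, ?)", CERTIFIED)
    return conn


def orphaned_accounts(conn):
    """Accounts in target systems with no corresponding identity (application-owner KPI)."""
    return conn.execute("""
        SELECT a.target, a.name FROM account a
        LEFT JOIN identity i ON i.id = a.owner
        WHERE i.id IS NULL ORDER BY a.target, a.name""").fetchall()


def avg_days_to_email(conn):
    """Average days from hire date to e-mail account creation (provisioning KPI)."""
    (avg,) = conn.execute("""
        SELECT AVG(julianday(a.created) - julianday(i.hired))
        FROM identity i JOIN account a ON a.owner = i.id AND a.target = 'email'""").fetchone()
    return avg


def certification_coverage(conn, campaign):
    """Percentage of identities reviewed in a campaign (security-officer KPI)."""
    covered, total = conn.execute("""
        SELECT (SELECT COUNT(DISTINCT identity_id) FROM certified WHERE campaign = ?),
               (SELECT COUNT(*) FROM identity)""", (campaign,)).fetchone()
    return 100.0 * covered / total


if __name__ == "__main__":
    wh = build_warehouse()
    print(orphaned_accounts(wh), avg_days_to_email(wh), certification_coverage(wh, "Q1"))
```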

With the warehouse in place, BI delivers the much-needed capabilities to analyze the identity warehouse data. BI provides an abstraction layer over the warehouse data and exposes identity data in a business-friendly manner. This allows business users themselves to build ad-hoc queries and reports without wrestling with the inconsistent data models and low-level identity data that typically exist in the transactional stores of the actual identity management components.

Intuitive, interactive and visual presentation of the data allows the audience to easily modify, drill down into and interact with the results. With the rich identity warehouse data, correlation and aggregation of data across multiple identity components is readily available. Scheduled analytics provides activity monitoring across the identity management deployment — combined with alerts and notifications through dashboards, emails and mobile devices. Such alerts can also be integrated back into identity management components for any actionable or remediation tasks in a closed-loop fashion.

Identity governance is at the forefront of many customers' agendas today. The key to achieving better compliance lies in the following:

  • Transparency: The ability to have a holistic view of your identity data, including users, roles, entitlements, their relationships, policies, access events such as logins and authorization events, etc. in a comprehensive, correlated and user-friendly manner.
  • Analytics: The ability to analyze your identity management deployment through key performance indicators (KPIs), trend analysis, reports and charting on current and historical data in a scalable and optimal way.
  • Automation: The ability to automate processes, business logic and policy evaluations, accompanied by alert notifications, workflow initiations, closed-loop remediation, etc.
  • Risk Mitigation: The ability to proactively mitigate risk every step of the way — during account provisioning, user login, application access, privilege assignments, policy changes, etc. — leveraging a combination of current, historical and contextual data from the identity management deployment.

Identity analytics paves the way in achieving all of this — and promises to deliver much more.