Identity and Access Intelligence: Making IAM Relevant to the Business

Identity and access intelligence elevates identity and access management to a relevant discipline by leveraging business intelligence practices to enhance the usefulness of IAM data.

Overview

Identity and access management (IAM) systems or components produce data about identity and access repository information, events and actions. That intelligence is key to IAM excellence, and to enriching business intelligence (BI) for some decisions and insight.

Key Findings
  • Identity and access intelligence (IAI) is an approach that overlaps with and complements enterprise security intelligence (ESI). It provides business-level transparency to (and an understanding of) identity and access information and events.
  • IAI depends on some non-IAM and adjacent technologies to add value to the intelligence – for example, data loss prevention (DLP).
  • To date, IAI has been focused on enhancing IT's ability to deliver identity administration and access, rather than on delivering direct business value.
  • Regulatory compliance is the earliest form of IAI that directly addresses business decision making.
  • IAI is a key element to strengthen customer and partner relationships, and it is a cornerstone to cloud security governance.

Recommendations

IAM managers should:

  • Identify BI owners in the enterprise, and establish communications with BI owners and users.
  • Model existing BI architecture and organization to determine gaps in intelligence gathering, analysis and reporting.
  • Establish an intelligence "skill set" in the IAM team with requisite training. Create a matrix relationship between IAI and BI organizations for cross-training.
  • Identify the repositories and logs in use by IT that support IAI, including those that are not part of IAM systems.
  • Modify process and data collection to establish a formal IAI process and organization.

Strategic Planning Assumptions

Through 2013, notable IAM project failures will cause 50% of companies to shift IAM efforts to intelligence, not administration.

Analysis

Summary

To this point, IAM has had primarily one customer – IT. The capabilities of IAM have provided IT with a means to manage identity and access on behalf of the internal customer. However, this grossly undervalues the data that IAM produces in the process of delivering its capabilities. The data produced by IAM functions has significant value not only for IT, but also for the business as a whole. What is IAI, and how can it provide better value to the business as well as IT? This research describes what IAI is and why harnessing the value of IAI is the next step in the evolution and maturation of IAM.

Introducing IAI

IAM provides a practical, structured and coherent approach to the management of users' identities, and their access to systems and data. In essence, it ensures the right people get access to the right resources at the right times for the right reasons. In doing so, it provides a means to access these resources and an administration system to create, maintain and retire digital identities as needed. IAM supports a set of IT processes for identity administration and access. These processes require repositories of information to be effective – for example, directories for authentication and repositories (both directory and database) for authorization.

During the execution of these processes, IAM products also generate a number of logs that record the events and activities occurring as identities are created and used for access. With these repositories and logs, IAM possesses the raw material to deliver high-value intelligence to IT and to the business. What is missing to ensure that delivery? In most enterprises, there is no formal process for delivering IAI for use by IT and the business to foster better decision making. Furthermore, there is no organization in place that facilitates the transfer of IAI to those who can make the most use of it. Gartner defines IAI as the process of gathering data about identity and access, and converting it to information and knowledge for action-oriented insight and intelligent decision making in IT and business. IAI can also be considered the output of this process, much as BI is considered both a process and the output of that process.

The concepts of IAI are not new, nor are they particularly different from other forms of intelligence. IAI serves as input to other intelligence disciplines, such as security information and event management (SIEM) and BI – and vice versa. It is also a companion to ESI. ESI is a concept that recognizes security intelligence as an explicit deliverable, and designates it as a strategic security objective for the enterprise's IT security and risk management. ESI aims at increased accuracy and breadth of security detection and protection, as well as optimal security and risk management. IAI is based on the same principles as ESI – the interaction and correlation of technologies, and the integration and correlation of information. Because identity plays such a critical role in information security and in the business, the inherent complexity of IAM requires that enterprises view IAI as a key deliverable in its own right, as well as part of broader information security and business approaches to intelligence.

IAI recognizes that there are thousands of data points throughout repositories and logs in IAM. That data can be collected, cleansed, collated and correlated into information. That information, in turn, can be analyzed by classifying, sorting, and transforming it via analytics tools and processes into knowledge about identity and access. If that knowledge can be applied as part of key decision-making processes, it is recognized as intelligence, or action-oriented knowledge. IAI is the process of extracting data from the identity infrastructure, transforming the data into information, transforming the information into knowledge, and enabling that knowledge to be used in IT and business decisions.

Figure 1. Iterations to IAI (Source: Gartner, January 2011)

BI and IAM

BI has been used in enterprises primarily for performance reporting, planning and forecasting, although that represents a response to only one business requirement for BI. There are three basic BI approaches:

  1. A reactive approach for efficiency, rooted in IT and deciphering what happened
  2. A decision-making approach for effectiveness, rooted in information management and impacting the here and now
  3. An opportunistic approach for business agility, rooted in intellectual property and creating a new business future

IAM has three major drivers for its implementation:

  1. A reactive approach for efficiency, rooted in IT and delivering operational savings
  2. A decision-making approach for effectiveness, rooted in compliance, risk management and delivering accountability
  3. An enabling approach for business agility, rooted in knowledge, that is transformative when successful

IAI is the means of delivering progressive, future IAM. It links the needs and capabilities of BI with the abilities of IAM by extracting the value of IAM information and events, and making that knowledge part of the decision process in business. It also makes that knowledge part of the decision process in IT, where IAM systems must be tuned and improved to deliver the value expected in operations. BI can have a major role in supporting effective performance management of IAM systems and providing predictive analysis of future growth using IAI.

The Process of Delivering IAI

IAI is the result of a formal, structured process that, first, mines repositories (that is, directories, tables and databases) of identifiers, credentials, attributes, policies, rule sets, roles and entitlements, and then logs containing event and status information. It also extracts information from identity and access workflows. This mining and extraction should be based on a strategic model for information management, developed by IAM in conjunction with enterprise architects and representatives from the business involved in BI.

Other participants in mining may be data integrators involved in extracting data from multiple data sources (including IAM), transforming and enriching that data through correlation and analytics, and loading that data into multiple data repositories. For IT, that enriched data is loaded back into IAM data sources for compliance, audit and forensics purposes, provided data flow and synchronization concerns can be addressed. For the business, when combined with other IT and business data, the enriched data can provide an "identity index" or "who view" in its conversion to knowledge.

IAI may have many potential users. Profiles of IAI consumers include the following:

  • An information consumer is focused on general IAI reporting and ad hoc inquiries. IT analysts involved in forensics for fraud management can make use of IAI data to conclude who is involved in such fraud and who is affected.
  • An analyst or power user can use IAI knowledge to fine-tune policies based on access and entitlement use, or report on customer access frequency and detail to profit-making applications.
  • The manager or executive may include on-boarding/off-boarding data in his dashboard for HR reporting, or use IAI data in scorecards as metrics showing application use and IAM performance management.
  • The specialist in research may use IAI repositories in data mining assignments to identify customer/employee/partner relationships to the data they use in business practice, or provide input into the next generation of IT upgrades for provisioning or access management based on current usage information gleaned from IAI data sources.
  • The application owner may employ analytics to derive statistics of customer usage (for example, heavy users, peak usage and general usage trends).
  • The usage profiles of application users can help assess future features or development approaches. This provides valuable intelligence for program and portfolio management, which is a strategic IT function.
  • Security operations could integrate IAI repositories with existing monitoring functions. The effectiveness of monitoring functions such as SIEM and DLP can be vastly improved if IAI can provide a normalized source of identity index data that can be used to provide monitoring with identity context. These IAI users may also be ESI users, as well as BI users. IAI should be thought of as a horizontal capability that cuts across IT functions in security, system management, storage and other core capabilities. This opens up a completely new set of potential users for IAM because of the knowledge that can be derived from the IAM process.

Customer Advice

Creating an IAI process involves a culture change for most customers. It may involve considering the knowledge output of IAM information and events as equally important as the control capabilities of IAM itself. It requires a focus on structuring and delivering information in a way most enterprises are unaccustomed to. This is why it is helpful to use the modeling of any existing BI architecture and organization as a starting point. Identifying key existing BI requirements can help IAM planners design IAI processes that can address business concerns affected by identity, but also provide a basis by which IT concerns about IAM administration and operations can be analyzed and improved.

Delivering an effective IAI process requires the right people with the right skill sets, committed to a plan that complements other intelligence initiatives in the enterprise. These skill sets are already used by BI professionals, and can be adapted to develop IAI skills. This does not require an expensive expansion of staffing, but a change in how IAM data repositories and logs are maintained and in how activities such as data mining, reporting and analysis are performed within and outside of IT operations.

Once goals and communications are established, and skills are identified and developed, the next step is to take stock of the data sources an existing IAM system produces. IAM staff, application stakeholders, business analysts and users can then prioritize those sources that will yield the most pragmatic results for the goals established by business stakeholders and IT management. The journey to delivering effective IAI begins at this stage.

One of the first opportunities to leverage IAI is as an enhancement to existing monitoring capabilities. Many organizations have invested in SIEM technology but have not been able to fully implement exception monitoring because of an inability to incorporate identity context. Integration of IAI with SIEM would provide a "quick win" with clearly demonstrable benefits.
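The "identity index" or "who view" described under The Process of Delivering IAI, and its use here to give SIEM monitoring identity context, can be shown end to end in a small worked example. The following is an added illustration, not code from the Gartner note or from any IAM product: it correlates three constructed repository extracts (a directory export, an HR feed and an entitlement table) into one index keyed by account, then enriches constructed SIEM-style access events with that context and flags the exceptions a monitoring rule would otherwise miss: an account with no directory record, an identity HR marks as terminated, and use of an application the entitlement repository does not grant. All field names, accounts and log lines are assumptions made for the example.

```python
"""Build an identity index from IAM repository extracts and use it to give
SIEM-style events identity context.  Added example, not from the Gartner note;
every record, field name and log line below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# --- constructed IAM repository extracts (directory, HR feed, entitlements) ---
DIRECTORY = [  # account -> person identifier, as a directory export would carry
    {"account": "jdoe", "person_id": "E1001", "department": "Finance"},
    {"account": "asmith", "person_id": "E1002", "department": "Engineering"},
    {"account": "svc_backup", "person_id": None, "department": "IT"},
]
HR = [  # authoritative status of each person
    {"person_id": "E1001", "name": "Jane Doe", "status": "active"},
    {"person_id": "E1002", "name": "Alan Smith", "status": "terminated"},
]
ENTITLEMENTS = [  # entitlement repository: which accounts may reach which apps
    {"account": "jdoe", "application": "ledger"},
    {"account": "asmith", "application": "repo"},
    {"account": "svc_backup", "application": "backup"},
]


@dataclass
class IdentityRecord:
    account: str
    person_id: Optional[str]
    name: str
    department: str
    status: str
    applications: set = field(default_factory=set)


def build_identity_index(directory, hr, entitlements) -> dict:
    """ETL step: correlate the three extracts into one 'who view' keyed by account."""
    people = {p["person_id"]: p for p in hr}
    index = {}
    for acct in directory:
        person = people.get(acct["person_id"])
        index[acct["account"]] = IdentityRecord(
            account=acct["account"],
            person_id=acct["person_id"],
            # service accounts have no HR record; keep them, marked, rather than drop them
            name=person["name"] if person else "(service account)",
            department=acct["department"],
            status=person["status"] if person else "service",
        )
    for ent in entitlements:
        if ent["account"] in index:
            index[ent["account"]].applications.add(ent["application"])
    return index


# --- constructed SIEM-style access events (timestamp, then key=value pairs) ---
EVENTS = [
    "2011-01-14T09:00:00Z app=ledger user=jdoe action=login result=success",
    "2011-01-14T09:05:00Z app=repo user=asmith action=login result=success",
    "2011-01-14T09:07:00Z app=ledger user=svc_backup action=read result=success",
    "2011-01-14T09:09:00Z app=ledger user=ghost action=login result=failure",
]


def parse_event(line: str) -> dict:
    """Split one constructed log line into a dict; the timestamp becomes a UTC datetime."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["timestamp"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def enrich_event(ev: dict, index: dict) -> dict:
    """Attach identity context and the exception flags a monitoring rule would use."""
    ident = index.get(ev["user"])
    out = dict(ev)
    out["flags"] = []
    if ident is None:
        out["identity"] = None
        out["flags"].append("unknown_account")       # no directory record at all
        return out
    out["identity"] = {"name": ident.name, "department": ident.department,
                       "status": ident.status}
    if ident.status == "terminated":
        out["flags"].append("terminated_identity")   # HR says off-boarded, access still occurring
    if ev["app"] not in ident.applications:
        out["flags"].append("no_entitlement")        # use outside the entitlement repository
    return out


def identity_exceptions(lines, index) -> list:
    """Return (account, flags) for every event that carries at least one flag."""
    findings = []
    for line in lines:
        enriched = enrich_event(parse_event(line), index)
        if enriched["flags"]:
            findings.append((enriched["user"], enriched["flags"]))
    return findings


if __name__ == "__main__":
    idx = build_identity_index(DIRECTORY, HR, ENTITLEMENTS)
    for acct, flags in identity_exceptions(EVENTS, idx):
        print(acct, flags)
```

Run as a script it reports the terminated identity still logging in, the service account reading an application it holds no entitlement for, and the account unknown to the directory; the active, entitled user produces no finding. The same enrichment applied to a SIEM feed is what turns a bare account name in a log line into the identity context the note describes, and the three flag types are the minimal exception rules that context makes possible.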

Source: Gartner Research G00210038, E. Perkins, 14 January 2011