Is your IDM leaking security?


Identity Management is no longer enough to protect you against cyber threats

Why do you need fine-grained identity governance?


Fine-grained Identity Governance and Administration is central to our business mission. The SafePaaS platform runs in the cloud and, being a platform, can be configured for many different data sources, whether they sit in the cloud or on-premise, through the various connections that our clients establish.

SafePaaS has several ways to connect, out of the box, to 90% of the world's information systems and business-critical application systems. If your organisation uses Oracle, SAP or Microsoft, for example, we already have a connection; if it is something "home-grown", we can connect to that too once we understand its APIs.

SafePaaS is a global, flexible system with built-in risk management for access governance. The tool we provide our clients for this is DataProbeETL™, which lets organisations connect quickly to SafePaaS and securely transfer the information we need to perform fine-grained identity governance for their users.

Identity Governance is part of our overall information governance platform, and it has more components than access governance alone. At SafePaaS, we think of today's enterprise as buying a holistic information governance solution rather than several fragmented pieces. To be a modern, agile business, it all needs to flow together; it makes no sense to piece things together and hope they work. The ERP market has already been through this, with the successful transition from siloed accounting and finance applications to an enterprise platform. Our vision for the market is that information governance includes access governance as a key component.


SafePaaS provides application governance as well as process governance: a genuinely integrated platform where your risk, control and audit information can be found, and is visible to senior management through advanced predictive analytics capabilities. Predictive analytics can help you prevent risks from materialising in the future.

Enterprise Application Access Governance

How can SafePaaS provide fine-grained access governance?

SafePaaS has a SAML-enabled API that lets us integrate with your Identity Management system (if you have an IDM). The IDM requirements it covers are Roles Manager, which is essentially the entitlement management component; user provisioning, both role-based and workflow-based; FirefighterID™ for privileged users; and monitoring and certification.

What makes SafePaaS unique is that it is fine-grained: we contextualise down to the individual element of data and the individual element of security, at the very lowest level. This puts us in a unique position to protect your data and your privileges, something the traditional first- and second-generation solutions that came to market have paid little attention to. Organisations need assurance at the transaction level, not just at the role level.

If you already have an IDM system in place, SafePaaS provides API services so that SafePaaS access controls can work in conjunction with your ticketing system (if that is what your organisation uses for manual IDM). If you use a sophisticated IDM system, we can leverage that and "talk" to it through the various IDM services that iAccess offers.

How are our customers using SafePaaS Identity Governance to get a fine-grained level of security? 

One of our customers is a US government agency with a low risk threshold compared with other businesses: it is mandated to ensure the safety, security and reliability of a nuclear arsenal to protect the nation. While looking to improve their identity governance, they chose SafePaaS to replace a number of legacy ID governance systems and a fragmented approach to ID governance. The systems they had in place to maintain access across their ERP systems consumed a tremendous amount of time, and their auditors needed to rely on that data to perform certification through access controls and monitoring. By using AccessPaaS™, they could not only improve their controls but also reduce the cost to the taxpayer, which is one of their objectives and missions wherever they can. We were able to give them a $50,000 saving in their first year. Remediation cost was reduced, as were the manual steps they had been performing to manage a very cumbersome access governance process for a high-risk organisation, and they were able to mitigate that risk.

They use SafePaaS to create policies that govern the provisioning process, which goes beyond segregation of duties alone. It is critical to keep the information they hold out of the wrong hands. They reduced their overall cost of ownership and improved their controls and policies by gaining the ability to prepare, review and update changes to their roles and role design, which is the root cause of much entitlement creep. They were also able to accelerate their approval process: the faster you get access to the information you need, the faster you can be productive in your mission, which in this customer's case is to protect the US against threats.

With SafePaaS you can put ID governance on a dashboard: a single dashboard with all the critical key performance indicators for your identity governance in one place. You can drill down into it, so if you want to see a certain user, role or set of privileges, you can see how many open issues you have and what you should do to resolve them. Our rules engine lets you define the policies those results are based on; the dashboards reflect the analysis done by the rules you select.


You can build your own rules or use the rules that we have built for hundreds of customers over the past 15 years, including the ones that have been tested by major audit firms. All that information is embedded into the rule. 

However, these kinds of access governance exercises can produce false positives. Where you have already implemented controls, whether through personalisation, customisation or some other means, and embedded them in your ERP or business-critical applications, you can mark findings as exceptions, or as corrective actions if they are work in progress, so that you are not burdened by the false positives. Be careful when selecting a modern identity governance platform: it must let you handle this, and it must keep a good audit trail so that people cannot get in and change your policies, which is where a lot of risk arises. Keep a full history of all the rules, what has been added and what exceptions have been made.

Once these rules are set up, the solution is deployed and integrated with your IDM system, your ticketing system or both, whatever the scenario is, you are ready to turn it over to the users, who can simply come in and request access. Their ability even to ask for access is limited by a couple of things.

The first is access groups. The idea is that, for example, I only want my finance employees in Dallas to see what they could possibly access in Dallas; I don't want them even to see, or try to access, the UK entitlements, because that is outside their organisation. If I am based in Dallas I should not be able to ask for access to a supplier or a bank account in the UK. This is a more modern concept that most traditional IDMs lack, because many of them basically let you request whatever you want.

The second is Firefighter, our privileged access option. A privileged user wants privileges beyond what this industry calls birthrights: submitting my timesheet and expenses may be my birthright as an employee of the organisation, but creating a supplier and paying that supplier is a privilege granted to a limited number of people. An even more elevated privilege is "keys to the kingdom", meaning "I can basically go anywhere in the application". For higher levels of privilege, and as the customer you decide what those are, you will want to enable the firefighter option. Firefighter then monitors what the user accesses from the moment they log in. This protects against a high privilege being taken over, either through a cyber security attack or by other nefarious means, by someone you do not recognise who then performs a damaging transaction. By monitoring elevated privilege, you prevent cyber security risks that would otherwise be exposed. Even a good basic identity governance system does not give you that granular level of protection over the data, and cyber criminals take advantage of the organisation's business-critical applications when it is missing.
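The request evaluation described above (access groups scoping what a user can even ask for, segregation-of-duties policies with approved exceptions, and privilege tiers that trigger a monitored firefighter session) as an added worked example. This is illustration code written for this page, not SafePaaS code; every entitlement name, organisation, rule id and user below is constructed for the demonstration.

```python
"""Evaluating an access request with access groups, SoD rules and privilege tiers.

Added illustration, not SafePaaS code. Every entitlement, user, rule id and
exception below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Privilege tiers from the text: birthrights (self-service tasks), privileged
# (granted to a limited population) and "keys to the kingdom". Requests at or
# above FIREFIGHTER_TIER are granted only as a monitored firefighter session.
BIRTHRIGHT, PRIVILEGED, KEYS_TO_THE_KINGDOM = 0, 1, 2
FIREFIGHTER_TIER = PRIVILEGED


@dataclass(frozen=True)
class Entitlement:
    name: str
    org: str   # access group (operating unit) the entitlement belongs to
    tier: int


@dataclass
class User:
    uid: str
    org: str
    entitlements: set[str] = field(default_factory=set)


# Constructed entitlement catalog, keyed by entitlement name.
CATALOG = {
    e.name: e for e in [
        Entitlement("SUBMIT_TIMESHEET_US", "Dallas", BIRTHRIGHT),
        Entitlement("CREATE_SUPPLIER_US", "Dallas", PRIVILEGED),
        Entitlement("PAY_SUPPLIER_US", "Dallas", PRIVILEGED),
        Entitlement("SUPPLIER_BANK_UK", "UK", PRIVILEGED),
        Entitlement("SYSADMIN_ALL", "Dallas", KEYS_TO_THE_KINGDOM),
    ]
}

# Segregation-of-duties rules: sets of entitlements one person must not hold
# together. Rule ids are constructed.
SOD_RULES = {
    "SOD-001": frozenset({"CREATE_SUPPLIER_US", "PAY_SUPPLIER_US"}),
}


def visible_entitlements(user: User) -> list[str]:
    """Access groups: a user is only shown entitlements in their own org."""
    return sorted(e.name for e in CATALOG.values() if e.org == user.org)


def evaluate_request(user: User, entitlement_name: str,
                     exceptions: frozenset[str] = frozenset()) -> tuple[str, list[str]]:
    """Decide an access request.

    Returns (decision, reasons) where decision is DENY, ALLOW or FIREFIGHTER.
    `exceptions` holds SoD rule ids an approver has recorded as accepted
    exceptions for this user, so the conflict is reported but not blocking.
    """
    ent = CATALOG.get(entitlement_name)
    if ent is None:
        return "DENY", ["unknown entitlement"]
    if ent.org != user.org:
        # Out of scope for the user's access group: never even offered.
        return "DENY", [f"{ent.name} is outside access group {user.org}"]
    reasons: list[str] = []
    would_hold = user.entitlements | {ent.name}
    for rule_id, conflict_set in SOD_RULES.items():
        if conflict_set <= would_hold:
            if rule_id in exceptions:
                reasons.append(f"{rule_id} conflict covered by approved exception")
            else:
                return "DENY", [f"{rule_id} segregation-of-duties conflict"]
    if ent.tier >= FIREFIGHTER_TIER:
        reasons.append("elevated privilege: granted as monitored firefighter session")
        return "FIREFIGHTER", reasons
    return "ALLOW", reasons


if __name__ == "__main__":
    clerk = User("jdoe", "Dallas", {"CREATE_SUPPLIER_US"})
    print(visible_entitlements(clerk))
    for name in ("SUBMIT_TIMESHEET_US", "PAY_SUPPLIER_US", "SUPPLIER_BANK_UK", "SYSADMIN_ALL"):
        print(name, evaluate_request(clerk, name))
    print("with exception", evaluate_request(clerk, "PAY_SUPPLIER_US", frozenset({"SOD-001"})))
```

The ordering of the checks is the design point: the access-group check runs first so an out-of-scope entitlement is never even offered, the SoD check then considers what the user would hold after the grant (not only what they hold now), and an exception never silences a finding, it only stops it from blocking, so the reason string still lands in the audit trail.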

When someone comes in with high privileges and tries to change a supplier's bank account, I can catch it: where did they come in from, who are they logged in as, what did they change and when? I can route that through a workflow to my head of procurement, my head of security, or both, and on to whoever else you want in that chain of events, to alert the organisation. This prevents, for example, someone from outside who has got into your network through an email connection from using that foothold to change bank accounts. This adds a monitoring capability to your ID governance process that traditional identity governance products, tools and solutions do not offer. If you only look at the ID and not at your data, you have solved half the problem, and in the risk business half the problem means you haven't solved it. It is all about completeness. When it comes to protecting your identity, you really need to think about protecting your data.

How do you protect data?

At SafePaaS, we have created an object library of all the high-risk objects: a catalog of hundreds of objects that we consider high-risk based on risk events we have seen and on what our auditors and external auditors have flagged. This gives your organisation a head start: even if someone gets into your system through a cyber attack and, say, gains access to a bank account, a notification is sent as soon as they try to conduct a transaction. The alerts go throughout the enterprise, so you can catch it and protect the data.

The whole process is workflow-driven. You can have multiple escalation levels, and an audit trail that your auditors can see on their dashboard. Your CISO can see it too. You can build it out and capture the responses to see whether people are responding, and you can also de-escalate things.

Once we have identified the threat and de-escalated it, whether by removing the user from the system or whatever other remediation your IT security group applied, you can de-escalate as actions are taken. SafePaaS captures all of this, so when your CFO or CEO is asked at the board meeting or stockholder meeting "What attacks occurred? What have you done about it? Who did you inform?", you have it all logged in the SafePaaS workflow-enabled application. We all know that companies are going to get attacked. The question is, what are you doing, when somebody gets into your network, to protect your data and not just your identity? Knowing identities is half the battle.
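The data-side monitoring described in the three passages above (a catalog of high-risk objects, an alert that records who came in, from where, as whom, what changed and when, a multi-level escalation chain with de-escalation once remediation is recorded, and a summary the CFO or CEO can quote) as one added worked example. This is illustration code written for this page, not SafePaaS code; the object catalog, the audit log lines, the source addresses, the role names in the escalation chain and every id are constructed for the demonstration.

```python
"""Monitoring changes to high-risk objects, with workflow escalation.

Added illustration, not SafePaaS code. The object catalog, the audit log,
the role names in the escalation chain and all ids are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# High-risk object catalog: object -> (severity, escalation chain). A change to
# any of these raises an alert even if the actor holds the privilege, because
# the point is to watch the data as well as the identity.
HIGH_RISK_OBJECTS = {
    "supplier.bank_account": ("critical", ["head_of_procurement", "head_of_security", "ciso"]),
    "payment.run": ("high", ["head_of_procurement", "ciso"]),
    "user.role_assignment": ("high", ["head_of_security", "ciso"]),
}

# Constructed audit log. Fields: ts|user|session|source_ip|action|object|old|new
AUDIT_LOG = """\
2024-03-04T09:12:03Z|jsmith|standard|10.1.4.22|update|supplier.bank_account|ACCT-OLD-001|ACCT-NEW-917
2024-03-04T09:15:41Z|jsmith|standard|10.1.4.22|read|supplier.address|-|-
2024-03-04T11:02:17Z|ff_0042|firefighter|198.51.100.7|update|user.role_assignment|AP_CLERK|AP_MANAGER
2024-03-04T11:03:55Z|ff_0042|firefighter|198.51.100.7|update|supplier.bank_account|ACCT-OLD-002|ACCT-NEW-388
2024-03-04T11:10:02Z|ff_0042|firefighter|198.51.100.7|read|payment.run|-|-
"""

FIELDS = ("ts", "user", "session", "ip", "action", "object", "old", "new")


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse the pipe-delimited audit log into one dict per row."""
    return [dict(zip(FIELDS, line.split("|"))) for line in text.splitlines() if line.strip()]


@dataclass
class Alert:
    """Who came in, from where, logged in as whom, what changed and when."""
    ts: str
    user: str
    session: str
    ip: str
    obj: str
    change: str
    severity: str
    chain: list[str]
    level: int = 0
    status: str = "open"

    @property
    def assignee(self) -> str:
        return self.chain[self.level]

    def escalate(self) -> str:
        """Hand the alert to the next person in the chain; the last one keeps it."""
        if self.level < len(self.chain) - 1:
            self.level += 1
        return self.assignee

    def de_escalate(self, remediation: str) -> None:
        """Close the alert, recording what was done so the trail answers 'what did you do?'."""
        self.status = "closed: " + remediation


def detect(rows: list[dict[str, str]]) -> list[Alert]:
    """Raise an alert for every update to a catalogued high-risk object."""
    alerts = []
    for r in rows:
        if r["action"] != "update" or r["object"] not in HIGH_RISK_OBJECTS:
            continue
        severity, chain = HIGH_RISK_OBJECTS[r["object"]]
        alerts.append(Alert(r["ts"], r["user"], r["session"], r["ip"], r["object"],
                            f"{r['old']} -> {r['new']}", severity, list(chain)))
    return alerts


def board_summary(alerts: list[Alert]) -> dict[str, int]:
    """Counts a CFO/CEO can quote: alerts raised, still open, in firefighter sessions, critical."""
    return {
        "total": len(alerts),
        "open": sum(a.status == "open" for a in alerts),
        "firefighter": sum(a.session == "firefighter" for a in alerts),
        "critical": sum(a.severity == "critical" for a in alerts),
    }


if __name__ == "__main__":
    alerts = detect(parse_log(AUDIT_LOG))
    for a in alerts:
        print(a.ts, a.user, a.session, a.ip, a.obj, a.change, "->", a.assignee)
    alerts[0].escalate()  # procurement did not respond in time
    alerts[1].de_escalate("role change matched an approved ticket")
    print(board_summary(alerts))
```

Two choices carry the page's argument: reads of a high-risk object are logged but not alerted, so the alert stream stays focused on transactions that change data; and a firefighter session is not exempted from the catalog check, since the whole point of Firefighter is that elevated privilege is watched more closely, not less.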