Who Used those Access Rights, How?
The natural first question to ask when discussing Identity auditing is,
Who has access to what?
This question is naturally followed by,
Who granted those access rights, when?
More of my customers are asking a third question,
Who used those access rights, how?
The first two questions address the assignment of access rights to individuals; the third question addresses actual use of access rights after assignment.
Oracle has excellent tools to address the first two questions, but we currently lack a good solution for the third.
Why is this third category important? Some things my customers ask for are:
- Which users did not use an access right during the past quarter? They may not need that right at all.
- What patterns of access can we find? This may help discover roles for provisioning and attestation.
- What access attempts are anomalies? This may help identify and remediate fraudulent use.
- Where are potential vulnerabilities in my identity administration and access control methods?
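The first three questions above are answerable from two inputs most shops already have: the entitlement store (who was granted what) and the access logs (who actually exercised what). The following added example, which is not part of the original post and not a Veriphyr or Oracle product feature, joins constructed sample grants against constructed syslog-style log lines to report rights unused during the quarter, access patterns, and anomalous attempts (use of a right that was never granted, or a granted right that was denied). The log format, field names and dates are assumptions chosen for the example.

```python
"""Who used those access rights, how? (added example, constructed data)

Joins an entitlement table against an access log to answer:
  - which granted rights went unused in the past quarter,
  - how each used right was exercised (usage counts),
  - which attempts are anomalies worth a closer look.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample entitlement store: (user, system, right).
GRANTS = [
    ("alice", "hr-db", "SELECT"),
    ("alice", "hr-db", "UPDATE"),
    ("bob", "hr-db", "SELECT"),
    ("carol", "payroll", "APPROVE"),
]

# Constructed sample access log, one key=value event per line.
LOG_LINES = """\
2011-03-02T09:15:00 system=hr-db user=alice right=SELECT result=success
2011-03-05T14:02:11 system=hr-db user=alice right=SELECT result=success
2011-03-06T23:41:07 system=hr-db user=bob right=UPDATE result=denied
2011-03-07T08:30:00 system=payroll user=dave right=APPROVE result=success
2011-03-08T10:00:00 system=hr-db user=bob right=SELECT result=success
2011-03-09T11:20:00 system=payroll user=carol right=APPROVE result=denied
"""

# Assumed reporting window: the 90 days ending 2011-03-31.
QUARTER_END = datetime(2011, 3, 31)
QUARTER_START = QUARTER_END - timedelta(days=90)


def parse_log(text):
    """Parse key=value log lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
        events.append(event)
    return events


def unused_rights(grants, events, start, end):
    """Granted rights with no successful use in [start, end): candidates for removal."""
    used = {
        (e["user"], e["system"], e["right"])
        for e in events
        if start <= e["ts"] < end and e["result"] == "success"
    }
    return sorted(g for g in grants if g not in used)


def usage_counts(events):
    """How each right was used: successful exercises per (user, system, right)."""
    return Counter(
        (e["user"], e["system"], e["right"])
        for e in events
        if e["result"] == "success"
    )


def anomalies(grants, events):
    """Events that do not match the entitlement store.

    'not granted': the right was exercised (or attempted) without a grant,
                   i.e. the target system and the entitlement store disagree.
    'denied':      a granted right was refused by the target system.
    """
    granted = set(grants)
    findings = []
    for e in events:
        key = (e["user"], e["system"], e["right"])
        if key not in granted:
            findings.append(("not granted", e))
        elif e["result"] != "success":
            findings.append(("denied", e))
    return findings


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    print("Unused this quarter:", unused_rights(GRANTS, evs, QUARTER_START, QUARTER_END))
    print("Usage counts:", dict(usage_counts(evs)))
    for kind, e in anomalies(GRANTS, evs):
        print(f"{kind:12s} {e['ts']} {e['user']} {e['system']} {e['right']} {e['result']}")
```

On the constructed data the report flags alice's unused UPDATE and carol's APPROVE (only ever denied) as candidates for removal, and surfaces dave's successful APPROVE on payroll as the most interesting anomaly: a right exercised with no corresponding grant, which points at a gap between the provisioning record and the system's actual access control rather than at the user.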
So, where can we find solutions?
I have been impressed with a small startup, Veriphyr, that provides:
“an on-demand, pay-per-use analytics service that discovers user access vulnerabilities and privilege abuse on mainframe, midrange, Linux/Unix, and Windows servers. … Veriphyr analyzes identities, activity, and privileges to expose access weaknesses that enable insiders and intruders to capture, leak, or alter data through breach of systems, applications, databases, and networks.”
There is a broad category of Security Information and Event Management (SIEM) systems that address this area. In the Gartner Magic Quadrant report for SIEM systems that I downloaded from Q1Labs' website, Gartner defines this market segment as:
Security information and event management (SIEM) technology provides two major functions for security events from networks, systems and applications:
- Security information management (SIM) – log management and compliance reporting
- Security event management (SEM) – real-time monitoring and incident management
SIEM deployments are often funded to address regulatory compliance reporting requirements, but organizations should also use SIEM technology to improve threat management and incident response capabilities.
Three companies in the leader quadrant of the Gartner report are ArcSight, RSA and Q1Labs, but a total of 20 companies were covered in the report. I am by no means a SIEM expert. I have no idea whether Oracle will get in the SIEM game (and I couldn’t tell you if I did know), but I believe this is an important area for our customers. It will be interesting to see what transpires.