

Creating a framework for detecting and remediating excessive system, application, and data access permissions
In an earlier blog, we discussed what identity access drift is, what causes it, and identified five tactics for detecting access drift. But tactics are not procedures. Today’s blog defines a strategic framework and procedures for monitoring, detecting, and remediating identity access drift inside an Identity and Access Management (IAM) environment.
Related: Defining IAM System Goals, Strategies, and Access Controls
Identity access drifts happen when an account’s system, application, or data access permissions unexpectedly increase and drift away from their authorized assignments (ex., a normal user becomes a security administrator due to a mistake in provisioning). Access drift can enable serious security risks and vulnerabilities, including data exfiltration, security breaches, and unauthorized access.
Access drift can occur for human identities (users) and for non-human identities (systems, machines, agents, bots, etc.).
Related: Risk Prevention and Remediation for Identity Access Drifts
Seasoft Security’s identity access drift framework is a work in process that identifies best practice steps to monitor for, detect, remediate, and document identity access drift issues inside an IAM environment. As shown in figure 1, the framework includes the following steps:
Continue reading for more information on creating your own identity access drift management framework.
Figure 1: Seasoft Security's Identity Access Drift Framework
User provisioning frequently uses manual processes that rely on Word documents or spreadsheet instructions, and often requires multiple siloed tools to provision a single user’s access rights.
Identity access drift is primarily enabled by two scenarios:
Related: What is Manual User Provisioning Costing You?
Implement IAM access provisioning for all systems to avoid manual provisioning mistakes and reduce identity access drift risk. Use IAM reporting systems to document regulatory compliance.
Create baselines for documenting standard approved permissions for all accounts with access to target systems, applications, and data. Baselines can be generated for roles, attributes, or groups.
Baselines provide a comparative basis for detecting identity drift. User access deviations from the baseline can be flagged as identity access drift within your IAM solution.
Baselines can be automatically or manually maintained in an IAM environment, including:
Access drift issues usually occur at the individual user account level rather than at the group level. Group provisioning minimizes access drift by immediately assigning and changing permissions for an entire class of users at one time, rather than implementing access controls for thousands of individual user accounts.
Transition towards role-based access control (RBAC) and attribute-based access control (ABAC). Role-based access control (RBAC) assigns permissions to predefined roles, allowing members to access only the resources and functions required for their job responsibilities. Similarly, attribute-based access control (ABAC) grants or denies access based on defined user, device, resource, and environmental attributes.
Related: Using Role-Based Access Control with Pre-Defined Roles
Compare current user access rights against baseline access permissions to identify, remediate, and document unnoticed identity access drift. Most IAM systems contain user access review (UAR) modules to help detect and correct user access anomalies and excessive permissions that create security and auditing risks.
User access reviews can validate access permissions for individual users across all IAM-defined systems or for all users with access to a specific system, application, data, or other resource.
Configure the monitoring capabilities in your identity and access management (IAM) solution, security information and event management (SIEM) system, or other monitoring tools to send alerts when specific role changes or access assignments occur. Common monitoring scenarios include:
Continually improve this framework by adding additional IAM and other identity access drift management capabilities. Other capabilities for identifying and remediating access drift include:
Contact Seasoft Security for more information on using innovative tools like Tello IAM to reduce identity access drift. IAM experts can perform an organization-specific assessment to help modernize your user provisioning environment and secure your systems through improved access drift management.