Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

Making sense of user access - from technical nonsense to business understanding. Bridging language

(Patrick Parker)

P: Here to talk about adding intelligibility to access management: activity reporting of what people have been doing, getting from something technical into something that is mapped onto concepts the business understands. We need to grant compliant access: position- or role-appropriate (partner vs. admin), access that is appropriate, enforces and adheres to your company's policies, where the risks are known and mitigated. How do you define compliant access?

Next slide: Barry White, a view of someone being certified. It doesn't make any sense to me. It might be OK, but I don't know the consequences of what I am granting them access to do. It is a process to please the auditors. The reason for that is that at the tech level, the permissions in your system, in AWS, are unintelligible; they don't mean anything if you look at them. We don't know what that allows you to do. The roles aren't any better. Next slide: what does that mean to an auditor, to someone looking at it, is this OK? Is it compliant? Betting everything on roles is a bad bet. Next slide: a "limited access" role, don't think about it, it could be granted the ability to delete data. If you don't have visibility into the rights, then you can't trust the role. The role's access can change at any time and you don't know, so just reviewing the role's access level is not helpful.

How do I know, when I look at someone's access, what it is equivalent to from a business perspective? I would instantly think that that doesn't make sense at all, but I can't really be responsible. What can you do?

Next slide: if you look at IAM in general, the business needs to operate how the business runs. They should not have to change how they do business, whether you bought sales.com or are using HubSpot. IAM needs to be in the middle acting as an anti-corruption layer, for the business to see the business-level stuff, and for there to be a way to translate it to the technical stuff. The business should be able to say that they want to change, and it shouldn't cause a change of all the roles. It should be acting as a translator in the middle. If we look at how to break it down, all organizations work in business processes. Next slide: within a business process, there is a series of steps that are performed to complete the business process. Many of them are digitally transformed. You require technical assessments. The idea of the function is the missing link that can link something that makes sense to the business with something that makes sense to the IT systems which will enable you to perform that function.

The concept is that, in general, you need the ability to understand the business specialists (what do we do, what are the functions that perform the processes) and the IT people who implement the systems, so that there is function mapping. But roles are a black box, so you can create new roles that have the same permissions; if you map it at the low level it can be a mess. You have to map it at the right level. You can resolve it to: which functions can this user perform, what are they allowed to do.

If you do that you get a different view. I look at Barry and I can't say what he is allowed to do. OK, so Barry is a supply admin and he can purchase orders; I can also see that he can delete Azure data and manage tenant clusters. Behind the scenes you can see who granted him the access. All of that really happens at the function level; that is the level that can be measured and understood. It is the proper place to define your risk policy. The traditional example: if you create two policies, create a purchase order and make purchase orders. So function-level mapping is important.

Rainer: Unless someone is intentionally attacking the system, you wouldn't have a new role.

P: But if they request the role, how do you know? The engine would know if there is already a redundant role.

R: To formalize, there are models where you establish a hierarchy, from the extreme position that you have a specific job title which has a fixed set of roles, which is mapped to some application, to some more elaborate systems where you don't have specific job titles and then you have some business roles, task-based; that's usually a strict hierarchy. I see here the process and the function. Is this the classic mapping?

P: Behind the scenes is the mapping. This automatically gives. If you give access to a role, you will see exactly which functions you are allowing this role to have. You don't use this to delegate.

R: The tool must somehow understand the support.

P: The engine will use this to assign this to discover whether this will make something valid for someone.

R: You would go right from the tech level to wm manager; it would rather be to make the AD roles. It would be a task for developers. That would be the input for any role modeling.

P: They think task-based. And they define task-based roles that can do these tasks. Those really do that, and they publish that to the business. Those are the individual units that they bundle into business roles. The best approach is that the people define which tasks can be performed in this application. Each persona needs a role that includes the ability to perform these tasks. When you look at the role you see, oh, they can do these tasks, without looking at the technical environment.

Radovan: This is what every good IDM does. Right?

P: You're granting those tech entitlements, but in that case you rely on the person that designed it to have titled it properly.

The functions are written to be vendor- and system-specific. They are the same bundle of rights for Google GCP and the same bundle of rights in IC2. If you define a virtual machine and add Azure support, and you add the same rights for Google GCP, you know who can manage virtual machines. They are not company-specific but global specifications. You create one set of functions.

P: They are not company-specific.

R: But they usually are. There has to be some level of granularity. You wouldn't want to create a function that says "read disk". At that point, you should learn the rights if you want to do one right to one function.

P: You try to ship the 80% that covers things, but if that is not enough they can define their own functions; they can make it more granular.

R: If you try to apply the risk principle, then this won't really help.

P: Let's say someone needs to go into Azure and needs global admin, but for this session, I need to do these three things and I need global admin for them. With this concept, you need the privilege level to be global admin just to do this; you get a start time and an end time and you get this access. It reads it back and maps it to the function, and gives it to the user, so if you do something that you weren't allowed to do, there would be an alert raised that they did something that they weren't allowed to do.

R: The level of granularity is not for everybody.

P: In role mining you'd need to check what overlaps: you are getting different permissions but getting the same result. You can see the two candidate roles and diff them by attributes, but also by the resulting functions they would grant. You can compare the roles from a risk perspective.

R: Is the role for a specific asset? E.g., if I am an admin in a testing environment, but admin in some other environment, that's a problem. So roles have to connect to the environment.

P: You have a local function, "purchase order in this Oracle instance"; they can have different risk scores and different risk mitigators.

R: That means that they are not reusable.

P: But you connect it to the local one to have human routing to risk mitigation. Using this in the catalog, they can browse by business processes; it will show the business function related to that process. You can filter the roles that are available, because you can see which roles allow them this. Otherwise, they have to read the role description.

If you are trying to say that they are reusable for everybody, I can't agree with that.

Which virtual machines?

P: You are an accountant; you want to know quickly, does that smell right or smell bad?

R: If you are willing to sacrifice the principle, then yes, that may be a way to set up your system quickly.

People owe the permission because they don't understand. If you know the relationship between the function and the rights.

The manager understands the business functions.

Rainer: It's about risk mitigation. You can't do least privilege on a perfect understanding level. It's a tool adding a level of better business understanding with another tool, and you have to balance.

Radovan: What I see is a danger that this is taken as least privilege, and they will wipe out all the gaps between this and least privilege, and instead of seeing what the risk is, just pretend that this is fine.

This is a false sense of security.

P: You don't expect to understand the recipe in a restaurant; people don't want to understand the nesting.

R: I see this mechanism as rubber-stamping, but not really improving the actual situation.

They are moving to a preselected set, but can vendors standardize and have an easier way to implement and share this and other stuff?

P: There's a whole consulting business for this for ASP. It would be great for applications.

There's this thing; talk to the guys from Salesforce.

Radovan: This is all so much more complicated than this.

P: Do you see any opportunity for this?

Tech people know the system and they struggle to communicate up. We track function usage with this, so you can see which functions they have in this role that they never use.

One thing that we think is that context is important. Maybe you have policies: you can do this task but only in the office and not from home. There can be other contextual things, anomaly detection. You can have one user, but if you add 1000 users in an hour, then that's strange. Do you see this as a direction?

P: On the ABAC side you will be able to feed that in, but we are not really seeing it as necessary for this to be ABAC, where you're checking the execution of the function. Still thinking about that one.