
SPHERE Insights: Entitlement Review Blackout

May 10, 2020

SPHERE Insights is an ongoing column written by various members of the SPHERE team, highlighting unique viewpoints and expertise. This article comes to us from our fearless leader, Rita Gurevich.


There is a simple, yet critical issue that exists in IAM-land: End users do not respond to their Entitlement Reviews.

To confirm identity, IT Security and Infrastructure teams deploy complicated Identity and Access Management systems like SailPoint and also invest in aging homegrown solutions. Regardless of these investments, IT managers continue to struggle to get their end users to use these systems and answer the surveys they were designed for.

The true irony lies in the fact that upper management KNOWS people can’t or won’t make decisions on who should or shouldn’t have access to the systems and it is entirely up to the lines of business to make the call.

No matter how logical the explanation, the business ALWAYS pushes back. Why is that?

There are lots of great solutions out there in the IAM ecosystem that are focused on the workflows IT organizations require for certifying access, including scheduled entitlement reviews and on-the-fly account recertifications.

The solutions offered have all the bells and whistles that an administrator would ever need – pretty e-mail templates, escalation processes, automated provisioning, role concepts; the list is endless.

Functionality aside, there is one major problem that these IAM systems just can’t overcome – Bad Data In = Bad Data Out. An application is only as good as the data in it.

These applications work as designed when they are supplied with clean, pristine and refreshed raw data. But, again, ingesting quality data is a major challenge for any complex system and for those who manage it. Unfortunately, at the end of the day, data quality is mostly out of their control.

Most of these tools pull user data from Active Directory, which may be managed by another group. But permissions, ownership and data structure are complicated, come from many disparate sources, and aren’t provided in a pre-configured package that is easily uploaded and displayed to business users.

Here is the reality: To be effective, there needs to be a solution that is wedged between the source systems and the desired end-state IAM workflows.

SPHEREboard collects data from the source systems first; this is what we call our IAM Views solution.

There are 3 ways of retrieving the data:

  • One – go directly to the source system. For example, if you want Group Drives to be in your Entitlement Reviews, we will use our NetApp connector to grab entitlements and any other relevant metadata.
  • Two – use a solution that’s already collecting. For example, if you want local admin accounts to be in your access certification processes, use our Tanium connector that’s already grabbing that data.
  • Three – upload the files. For example, if you want your SOX apps to be reviewed quarterly, use our File Listener and File Ingestor and configure it to wait for your apps to drop files to a certain location (we set that up too!) and upload into the system.

Getting the data from the sources is just the start, as referential and contextual data is extremely important to any recertification or entitlement project. For example, IAM workflows always require accurate ownership. The owners are the business people who will have to certify access. The reality is most companies have incomplete ownership catalogs and, very often, conflicting information.

Where we provide value: Well, there are some common-sense checks we do first. Is the owner listed still at the company? In addition, when an owner cannot be found, we leverage a host of proprietary methodologies and algorithms behind the scenes that fill in the gaps automatically.

Finally, data needs to be normalized and the presentation layer needs to be addressed. For example, if you want Group Drives to be certified by the data owner, every folder and file can’t be included in the review. It’s just too much data to consume rationally.

Instead, we devised the concept of Collections. Our approach is to group folders based on usage, naming standards, permissions, etc. This helps quantify the number of people who need to be contacted to validate ownership effectively. We identify just the folder paths that are meaningful to the data owners and provide metrics on the entire data set. Equally important, the same normalization has to occur for any other asset in the environment. This step should not be underestimated.
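To make the two steps above concrete, here is an added example (not SPHEREboard code, and not SPHERE’s proprietary ownership logic) that applies the stale-owner check and a simple Collections-style grouping to a constructed share-drive scan: subfolders that merely inherit their parent’s permissions are folded into the parent, so only the paths where the ACL actually changes are sent to a reviewer. The roster, paths and group names are all made up for the illustration.

```python
# Added example, not SPHERE code: stale-owner check plus folder "collections"
# for a Group Drive entitlement review. All input data below is constructed.

# Constructed HR roster: only active employees may act as certifiers.
ACTIVE_USERS = {"alice", "dave"}

# Constructed share scan: path -> (listed owner, trustees holding access).
FOLDERS = {
    "/shares/finance":          ("alice", frozenset({"grp-finance"})),
    "/shares/finance/2019":     ("alice", frozenset({"grp-finance"})),
    "/shares/finance/2019/q4":  ("alice", frozenset({"grp-finance"})),
    "/shares/finance/payroll":  ("carol", frozenset({"grp-payroll"})),
    "/shares/hr":               ("dave",  frozenset({"grp-hr"})),
    "/shares/hr/onboarding":    ("dave",  frozenset({"grp-hr", "grp-it"})),
}

def parent(path):
    head, _, _ = path.rpartition("/")
    return head or None

def build_collections(folders):
    """Fold each folder whose ACL equals its parent's into the parent's
    collection; a permission break starts a new collection root."""
    root_of, collections = {}, {}
    for path in sorted(folders):            # parents sort before children
        owner, trustees = folders[path]
        p = parent(path)
        if p in root_of and folders[p][1] == trustees:
            root = root_of[p]               # inherited ACL: not a review item
        else:
            root = path                     # ACL differs: meaningful to the owner
            collections[root] = {"owner": owner, "trustees": trustees, "folders": 0}
        root_of[path] = root
        collections[root]["folders"] += 1   # metric over the whole data set
    return collections

def review_rows(folders, active_users):
    """One row per collection, in the shape an IAM workflow table would
    consume; owners no longer on the roster are flagged for resolution
    rather than being sent a review they can never answer."""
    rows = []
    for root, c in sorted(build_collections(folders).items()):
        owner_ok = c["owner"] in active_users
        rows.append({"asset": root,
                     "owner": c["owner"] if owner_ok else None,
                     "needs_owner_resolution": not owner_ok,
                     "trustees": sorted(c["trustees"]),
                     "folders_covered": c["folders"]})
    return rows
```

On the constructed data, six scanned folders collapse to four review rows, and the payroll folder is routed to owner resolution because its listed owner is no longer active.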

Sounds great but how does it get packaged up and fed into the IAM workflows?

This is the final product from us – our IAM Views. All the information and analysis SPHEREboard performs on entitlements, ownership and any additional required data is placed into pre-defined tables that are consumed by the IAM workflow system.

These tables are refreshed on a regular basis, so the data quality is there and up to date. Now business users see entitlement data that makes sense, and they can provide relevant feedback to the business as intended.

Please feel free to contact me directly, if you want to know more about our IAM Views!
