Augmenting AI in IAM
“In the here and now, artificial intelligence & machine learning — is still something new that often goes unexplained or under-examined. In the future, it’ll be so normal you won’t even notice”— The Verge, James Vincent 2019
Artificial Intelligence (AI), unlike traditional Identity and Access Management (IAM) domains, is under-examined and is changing the shape of IAM. ‘Change is the only constant’, and the IAM business is no exception to this rule.
Traditional IAM systems provide a static solution addressing the needs of automated user onboarding, password management, access requests and so on. Yet they are not sufficient to fill the gaps that arise from the many business changes occurring within an organization and in its environment. Because of this, organizations are exposed to major risks & compliance issues that are uncovered only during audits or certification campaigns.
AI uses machine learning to gather the current IAM posture and then discover anomalies by analyzing identities and their associated behaviors. Rather than having the business, security team and IT come up with static IAM models, AI uses algorithms to ‘learn’ how users behave and accordingly creates a dynamic model that adapts over time.
Let’s revisit a few legacy IAM use cases, incorporating the “I” in AI:
- Role-based access control (RBAC): Organizations tend to formulate policies at the start of an implementation but fail to anticipate changes, and so are not able to reap the benefits of RBAC in the long run. AI helps enhance the RBAC model based on what normal patterns look like for different job functions in the organization, assignments of roles, peer accesses and more. It can also monitor the current role structure and its usage to recommend that unused roles be decommissioned, duplicate roles be merged, roles be expanded to incorporate additional access, and/or some roles be split into multiple fine-grained roles. The truth is that roles must evolve to keep up with business changes, and so should the access policies associated with them.
- Access Requests & Approvals: IAM vendors are able to categorize roles and entitlements and associate risks with them; however, analytics can further improve the user experience by recommending appropriate roles to end-users during access requests (rather than rubber-stamping) and by giving approvers recommendations based on risk scores and past revocations. Data on peer users performing similar job functions and the overall churn of entitlements are vital inputs here. AI also identifies which sets of entitlements are low risk and can be auto-approved. AI will help organizations move away from rigid birthright access policies and towards incremental access based on users’ needs, achieving better alignment with the “least privilege” principle.
- Segregation of Duty (SoD): AI helps achieve better compliance by defining the access matrix and reviewing changes based on permutations and combinations by auto-discovery. It can automatically adapt SoD policies based on trends in risk scores, which helps in updating the SoD ruleset, mitigating access risks, and setting up preventive controls.
- Authentication: In the authentication space, we use analytics to benefit from contextual data and gradually move away from knowledge-based authentication, eventually leading to the goal of password-less authentication. Adaptive access control utilizes AI to provide context-aware access control that balances the level of trust against risk. Adaptive Authentication is the next generation of authentication and has been a strong candidate for machine learning capabilities to detect suspicious user behavior.
- Chatbots: In recent times, financial organizations have been able to harness the capability of chatbots to address specific client requests without the client having to call or visit a branch physically. Likewise, chatbots could also massively help in user administration and elevate customer satisfaction. An AI-enabled chatbot will be a phenomenal step, serving as an abstraction layer that interfaces with underlying IAM products and bringing immense value to end-users and the business.
- Security information and event management (SIEM): Next-generation SIEM ought to include AI capabilities that will assist in faster correlation of anomalies and accelerated responses to threats. Given the rate at which the threat landscape is evolving, SIEM capabilities need to match up as well.
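The role analytics described in the RBAC and Access Requests items above can be sketched in a few functions. This is an added example, not code from the article or from any IAM product: it flags unused roles, finds duplicate roles by Jaccard similarity of their entitlement sets, and recommends roles to a requester by peer adoption. All role names, users, dates and thresholds are constructed assumptions.

```python
from datetime import date
from itertools import combinations

# Constructed sample data (assumptions, not from the article):
# role -> entitlements, user -> (job function, roles held), role -> last use.
ROLE_ENTITLEMENTS = {
    "ap_clerk":      {"erp.invoice.read", "erp.invoice.create"},
    "ap_clerk_emea": {"erp.invoice.read", "erp.invoice.create"},
    "ap_approver":   {"erp.invoice.read", "erp.invoice.approve"},
    "legacy_report": {"bi.report.read"},
}
USERS = {
    "alice": ("accounts_payable", {"ap_clerk", "ap_approver"}),
    "bob":   ("accounts_payable", {"ap_clerk"}),
    "carol": ("accounts_payable", {"ap_clerk", "ap_approver"}),
    "dave":  ("accounts_payable", set()),
}
LAST_USED = {
    "ap_clerk": date(2024, 5, 30), "ap_clerk_emea": date(2024, 5, 2),
    "ap_approver": date(2024, 5, 28), "legacy_report": None,  # None = never used
}

def unused_roles(last_used, today, max_idle_days=90):
    """Roles never used, or idle past the threshold: decommission candidates."""
    return sorted(r for r, d in last_used.items()
                  if d is None or (today - d).days > max_idle_days)

def duplicate_roles(role_ents, threshold=0.9):
    """Role pairs with heavily overlapping entitlements (Jaccard): merge candidates."""
    pairs = []
    for a, b in combinations(sorted(role_ents), 2):
        union = role_ents[a] | role_ents[b]
        jaccard = len(role_ents[a] & role_ents[b]) / len(union) if union else 0.0
        if jaccard >= threshold:
            pairs.append((a, b, round(jaccard, 2)))
    return pairs

def recommend_roles(user, users, min_peer_share=0.5):
    """Roles the user lacks that enough same-function peers hold, with peer share."""
    function, held = users[user]
    peers = [roles for u, (f, roles) in users.items() if f == function and u != user]
    candidates = set().union(*peers) - held  # empty when there are no peers
    share = {r: sum(r in p for p in peers) / len(peers) for r in candidates}
    return sorted(((r, round(s, 2)) for r, s in share.items() if s >= min_peer_share),
                  key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    print(unused_roles(LAST_USED, date(2024, 6, 1)), duplicate_roles(ROLE_ENTITLEMENTS))
    print(recommend_roles("dave", USERS))
```

In this constructed data the peer signal suggests `ap_approver` to a user who already holds `ap_clerk`, which pairs invoice creation with invoice approval. Peer-based recommendations therefore need to pass the SoD ruleset before they are shown to requesters or auto-approved.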
Adoption of AI is becoming critical, with new data breaches dominating the headlines every day. AI is one powerful weapon to help combat identity and access risks. According to Risk-Based Security, “more than 7,000 breaches reported that exposed over 15 billion records.” The likelihood of IAM’s success will be positively impacted by interleaving AI in its processes. As rightly said, “IAM Is a Journey, Not a Destination” (one of the key takeaways from the Gartner Summit 2019), so pace up through this journey!
In love with the ever-evolving IAM domain for the last 12+ years of my career. Currently, managing delivery for key global accounts in the IAM space as a Senior Manager at Simeio Solutions.
My former experience was with Tech Mahindra where I transitioned into several IAM roles from being an Integrator to a security consultant and subsequently into technical project management.
Got excellent opportunities to grow in identity governance and access management verticals. Worked on greenfield projects as well as platform migration projects using a hoard of IAM products such as Saviynt, Okta, ForgeRock, Oracle, CA along the way.
My educational background includes an engineering degree in Information Technology. Apart from work, I love traveling, I am an ardent follower of art and love exploring my culinary skills 😉
Yearn to explore IT Security further.