Description: Security-related alerts or events captured by systems, indicating that a potential breach of policy has occurred, should result in the violating identity's access being revoked in an expedited manner.
Benefit: Organizational exposure to defined policy breaches is monitored and reduced.
Implementation Approaches
Security Frameworks
NIST Cybersecurity Framework 1.1
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
- PR.AC-3: Remote access is managed
- RS.RP-1: Response plan is executed during or after an incident
- RS.MI-2: Incidents are mitigated
NIST SP 800-207: Zero Trust Architecture
- 3: The PE uses enterprise policy as well as input from external sources (e.g., CDM systems, threat intelligence services described below) as input to a trust algorithm (see Section 3.3 for more details) to grant, deny, or revoke access to the resource
Title: IGA Approach for Remediation
Technology Components: User Entity and Behavior Analytics (UEBA); Security Information and Event Management (SIEM); Identity Governance and Administration (IGA)
Description: At least one monitoring tool must be in place, such as a SIEM, UEBA or another kind of risk monitoring system. IGA is able to receive triggers from these monitoring tools (push or pull) and react accordingly.
Sample flow of an IGA Approach:
1. A security policy is defined.
2. A monitoring tool detects a user violation of this policy.
3. The monitoring tool creates an alert/event.
4. Details of the alert/event are picked up by the governance solution.
5. The governance solution revokes the user's entitlements/permissions used in the violation, through certification or direct de-provisioning.
6. The user cannot continue to violate the policy because their entitlements have been reduced.
Pre-requisites:
- Monitoring tools in place
- Organization-specific security policies defined
- Provisioning (revocation) workflow defined
- Integration between monitoring and the IGA process to trigger the remediation workflow
Supporting Member Companies: ForgeRock, Omada, SailPoint, Saviynt, ThreatMetrix
Title: Access Management Approach for Remediation
Technology Components: User Entity and Behavior Analytics (UEBA); Security Information and Event Management (SIEM); Identity Governance and Administration (IGA); Access Management (AM)
Description: At least one monitoring tool must be in place, such as a SIEM, UEBA or another kind of risk monitoring system. Access Management is able to receive triggers from these monitoring tools (push or pull) and react accordingly.
Sample flow of an Access Management Approach:
1. A security policy is defined.
2. A monitoring tool detects a user violation of this policy.
3. The monitoring tool creates an alert/event.
4. Details of the alert/event are picked up by the governance solution.
5. The Access Management solution restricts access (blocking, strong authentication, etc.) based on the trigger.
6. The user cannot continue to violate the policy because their access has been reduced.
Pre-requisites:
- Monitoring tools in place
- Organization-specific security policies defined
- Provisioning (revocation) workflow defined
- Integration between monitoring and access management for access restriction
Supporting Member Companies: ForgeRock, Okta, Omada, Ping Identity, Saviynt, ThreatMetrix
Title: ITSM Approach for Remediation
Technology Components: User Entity and Behavior Analytics (UEBA); Security Information and Event Management (SIEM); IT Systems Management (ITSM)
Description: At least one monitoring tool must be in place, such as a SIEM, UEBA or another kind of risk monitoring system. ITSM is able to receive triggers from these monitoring tools (push or pull) and react accordingly.
Sample flow of an ITSM Approach:
1. A security policy is defined.
2. A monitoring tool detects a user violation of this policy.
3. The monitoring tool creates an alert/event.
4. Details of the alert/event are sent to the ITSM solution.
5. ITSM creates a ticket/work order to manually deprovision the access/entitlement.
6. ITSM can be integrated directly with the resources, or with IGA/AM to finish the last leg as in approaches #1 and #2.
7. The user cannot continue to violate the policy because their access/entitlements have been reduced.
Pre-requisites:
- Monitoring tools in place
- Organization-specific security policies defined
- Provisioning (revocation) workflow defined
- Integration between monitoring and access management for access restriction
Supporting Member Companies: None
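The alert-to-revocation flow shared by the three approaches above, as an added Python example that is not part of the original page or of any member company's product: constructed SIEM/UEBA alerts are matched against a policy table, mapped to IGA entitlement revocations plus an AM restriction, deduplicated so a replayed alert does not fire twice, and given a severity-based deadline. The alert fields, the POLICIES table and the SLA minutes are assumptions.

```python
"""Turn monitoring alerts into access-revocation actions (constructed example)."""
import json
from datetime import datetime, timedelta
# Constructed policy table: violated policy -> entitlements the IGA workflow
# revokes and the restriction the access-management (AM) layer applies.
POLICIES = {
    "bulk_download": {"revoke": ["data-export"], "am_action": "block"},
    "admin_from_unmanaged_host": {"revoke": ["admin-role"], "am_action": "require_mfa"},
}

class Remediator:
    def __init__(self, min_severity=7):
        self.min_severity = min_severity
        self.seen = set()   # alert ids already handled, so a replayed alert does not re-fire
        self.audit = []     # (alert_id, disposition) pairs for the governance record

    def handle(self, alert):
        """Return a remediation action dict, or None when the alert needs no action."""
        if alert["id"] in self.seen:
            self.audit.append((alert["id"], "duplicate"))
            return None
        self.seen.add(alert["id"])
        policy = POLICIES.get(alert["policy"])
        if policy is None or alert.get("severity", 0) < self.min_severity:
            self.audit.append((alert["id"], "no-action"))
            return None
        # Revoke only entitlements the user actually holds; anything else is a no-op.
        revoke = [e for e in policy["revoke"] if e in alert.get("entitlements", [])]
        # "Expedited" deadline: 15 minutes for critical alerts, 60 otherwise (constructed SLA).
        due_by = datetime.fromisoformat(alert["time"]) + timedelta(minutes=15 if alert["severity"] >= 9 else 60)
        self.audit.append((alert["id"], f"revoke={revoke} am={policy['am_action']}"))
        return {"alert_id": alert["id"], "user": alert["user"], "revoke": revoke,
                "am_action": policy["am_action"], "due_by": due_by}

def process_feed(feed_json, remediator=None):
    """Run every alert in a JSON feed through the remediator; return the actions taken."""
    remediator = remediator or Remediator()
    return [a for a in (remediator.handle(ev) for ev in json.loads(feed_json)) if a]

# Constructed sample feed shaped like alerts a SIEM/UEBA tool might push (a1 is replayed).
SAMPLE_FEED = json.dumps([
    {"id": "a1", "user": "jdoe", "policy": "bulk_download", "severity": 9,
     "entitlements": ["data-export", "reader"], "time": "2024-05-01T10:00:00+00:00"},
    {"id": "a1", "user": "jdoe", "policy": "bulk_download", "severity": 9,
     "entitlements": ["data-export", "reader"], "time": "2024-05-01T10:00:00+00:00"},
    {"id": "a2", "user": "asmith", "policy": "bulk_download", "severity": 3,
     "entitlements": ["data-export"], "time": "2024-05-01T10:01:00+00:00"},
])
```

Running `process_feed(SAMPLE_FEED)` yields a single action for jdoe (revoke data-export, block sessions, due 10:15), while the replayed alert and the low-severity one are recorded in the audit trail without triggering a revocation.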