IDSO-014: All user access rights are continuously discovered

Description: User access rights can be created from a number of sources and managed endpoints. They can evolve over time, and changes driven by role changes can go undetected, so access rights must be properly audited, managed and revoked to ensure compliance. In addition, continuous discovery can detect accounts created outside the defined process, or orphaned accounts, that need to be mitigated. If an orphaned account is assigned privileged access rights, refer to the security outcome titled “Privileged accounts and entitlements are removed through governance-driven de-provisioning.”

Benefit: Reduces the threat landscape by limiting the abuse of over-privileged access or invalid/obsolete accounts. Policy-violating account access is detected and automatically resolved to maintain continuous compliance.


Implementation Approaches

Security Frameworks

NIST Cybersecurity Framework 1.1

  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  • PR.AC-3: Remote access is managed
  • DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

NIST SP 800-207; Zero Trust Architecture

  • 3: Continuous diagnostics and mitigation (CDM) system
  • 3: Data access policies
Title: Local Software Agent

Technology Components:
  • Access Management (AM)
  • Identity Management (IM)
  • Identity Governance and Administration (IGA)

Description: A software agent is installed on every target system to continuously monitor and report any newly created account or access right. Data is sent to a central management console for admin viewing, reporting and policy enforcement.

Pre-requisites:
  • Target systems must have the local software agent installed
  • Target systems must have integration and connectivity
  • Role and entitlement catalog has been built and populated
  • Approval process is defined for each role and entitlement
  • Attributes and policies are defined providing conditions and constraints for access
  • Service accounts for authentication to the access management tool, with rights to assign access

Member Companies: ForgeRock, Okta, Ping Identity, Remediant, SailPoint, Saviynt
Title: Agentless discovery via API

Technology Components:
  • Access Management (AM)
  • Identity Management (IM)
  • Identity Governance and Administration (IGA)

Description: An API must exist on every target system and be integrated with the IGA platform in order to continuously monitor and report any newly created account or access right. Data is sent to a central management console for admin viewing, reporting and policy enforcement.

Pre-requisites:
  • Target systems must have API capabilities
  • Target systems must have integration and connectivity
  • For cloud applications, a CASB is used to discover access changes or account creation
  • Role and entitlement catalog has been built and populated
  • Approval process is defined for each role and entitlement
  • Attributes and policies are defined providing conditions and constraints for access
  • Service accounts for authentication to the access management tool, with rights to assign access

Supporting Member Companies: ForgeRock, Okta, Omada, Remediant, SailPoint, Saviynt
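The two approaches above differ only in how account and entitlement data leaves the target (local agent versus API); the discovery logic that runs on the central console is the same for both. The Python below is an added illustration, not code from IDSA or from any listed member company: it diffs a fresh snapshot of a target's accounts against the previous snapshot and the governance catalog, and flags the conditions the description names (accounts created outside the defined process, orphaned accounts, with privileged orphans routed to de-provisioning, entitlements the catalog does not know, and entitlements gained since the last run). The Account layout, the catalog and HR structures, and the sample accounts are constructed assumptions, not any vendor's data format.

```python
"""Continuous discovery of user access rights: snapshot diff plus policy check.

Added example. The Account record, the catalog/HR structures and the sample
data are constructed assumptions; a real console would fill them from the
agent or API feed of each target system.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One account as reported by the local agent or the target's API (hypothetical format)."""
    system: str
    user: str
    owner: str | None              # HR identifier of the accountable person; None if unknown
    entitlements: frozenset[str]
    created_by: str                # "iga" when provisioned through the defined process


@dataclass(frozen=True)
class Finding:
    severity: str                  # info, medium, high or critical
    system: str
    user: str
    detail: str


def snapshot(accounts: list[Account]) -> dict[str, Account]:
    """Index a reported account list by 'system:user' for cheap diffing."""
    return {f"{a.system}:{a.user}": a for a in accounts}


def discover(previous: dict[str, Account], current: dict[str, Account],
             catalog: dict[str, set[str]], privileged: set[str],
             hr_active: set[str]) -> list[Finding]:
    """Compare the new snapshot with the last one and with governance data."""
    findings: list[Finding] = []
    for key, acct in current.items():
        prior = previous.get(key)
        # 1. Account that appeared since the last run and did not come through IGA.
        if prior is None and acct.created_by != "iga":
            findings.append(Finding("high", acct.system, acct.user,
                                    f"account created outside defined process by '{acct.created_by}'"))
        # 2. Orphaned account: no owner, or owner no longer active in HR.
        if acct.owner is None or acct.owner not in hr_active:
            has_priv = bool(acct.entitlements & privileged)
            detail = "orphaned account"
            if has_priv:
                detail += " with privileged entitlements; route to governance-driven de-provisioning"
            findings.append(Finding("critical" if has_priv else "medium",
                                    acct.system, acct.user, detail))
        # 3. Entitlements the catalog does not know for this system.
        unknown = acct.entitlements - catalog.get(acct.system, set())
        if unknown:
            findings.append(Finding("high", acct.system, acct.user,
                                    f"entitlements not in catalog: {sorted(unknown)}"))
        # 4. Entitlements gained since the last snapshot (needs approval review).
        if prior is not None:
            added = acct.entitlements - prior.entitlements
            if added:
                findings.append(Finding("medium", acct.system, acct.user,
                                        f"entitlements added since last snapshot: {sorted(added)}"))
    # 5. Accounts that vanished from the target (informational; confirms de-provisioning).
    for key, acct in previous.items():
        if key not in current:
            findings.append(Finding("info", acct.system, acct.user,
                                    "account no longer present on target"))
    return findings


def by_severity(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, for a console summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed governance data: catalog per system, privileged entitlements, active HR ids.
CATALOG = {"hr-db": {"reader", "payroll-admin"}, "fileserver": {"share-read", "share-admin"}}
PRIVILEGED = {"payroll-admin", "share-admin"}
HR_ACTIVE = {"E100", "E200"}                     # E300 has left the company

# Constructed snapshots: what the agent/API reported last run and this run.
PREVIOUS = snapshot([
    Account("hr-db", "alice", "E100", frozenset({"reader"}), "iga"),
    Account("hr-db", "bob", "E200", frozenset({"reader"}), "iga"),
    Account("fileserver", "carol", "E300", frozenset({"share-admin"}), "iga"),
])
CURRENT = snapshot([
    Account("hr-db", "alice", "E100", frozenset({"reader", "payroll-admin"}), "iga"),
    Account("fileserver", "carol", "E300", frozenset({"share-admin"}), "iga"),
    Account("fileserver", "svc_backup", None, frozenset({"share-read", "debug-all"}), "local-admin"),
])


def run_sample() -> list[Finding]:
    """Run discovery over the constructed snapshots."""
    return discover(PREVIOUS, CURRENT, CATALOG, PRIVILEGED, HR_ACTIVE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:8}] {f.system}/{f.user}: {f.detail}")
    print(by_severity(run_sample()))
```

Run on the constructed data, the console sees six findings: alice gained a privileged entitlement since the last run (review against the approval process), carol's owner is no longer active in HR while the account still holds a privileged entitlement (critical; hand off to de-provisioning), svc_backup was created by a local admin rather than through IGA, has no owner and carries an entitlement the catalog has never seen, and bob's account has disappeared from the target. The same function serves both the agent-based and the API-based approach, because only the collector that produces the snapshots differs.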
Background
