Description: Security-related alerts or events captured by monitoring systems that indicate a potential breach of policy should result in the violating identity's access undergoing a full re-attestation in an expedited manner.
Benefit: Organizational exposure to defined policy breaches is monitored and reduced. Future potential breaches are reduced because attestation is triggered proactively, at the moment of the violation, rather than waiting for the next scheduled certification cycle.
- PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
- PR.AC-3: Remote access is managed
- PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
| Title | Security Monitor Triggers Attestation |
| --- | --- |
| Technology Components | User and Entity Behavior Analytics (UEBA); Security Information and Event Management (SIEM); Identity Governance and Administration (IGA) |
| Description | Systems in the organization's environment that have some degree of security monitoring capability (SIEM, UEBA) are integrated with an identity governance solution that can initiate identity-based attestation/certification campaigns. A security policy is defined and applied in the monitoring tool. When the monitoring tool detects a policy violation based on user activity, it raises an alert, and the alert details are picked up by the governance solution. Based on its own policy, the governance solution initiates a full attestation of the entitlements/permissions associated either with the violating identity or with the resource that generated the alert. The user cannot continue to violate the policy because the certification drives remediation of access. Further potential violations are reduced where additional, unneeded access is removed during the attestation. |
| Pre-requisites | Monitoring tools in place; organization-specific security policies defined; certification/attestation policy defined; a communication path from the monitoring platform to the governance platform to trigger possible remediation |
| Supporting Member Companies | ForgeRock, Omada, SailPoint, Saviynt, SecZetta, Thales, ThreatMetrix |
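The following is an added example of the integration the table describes, written for this page; it is not code from the page or from any of the listed vendors' products. It models the governance side of the flow: the monitoring tool delivers an alert, the governance platform matches it against its own trigger policy, builds an expedited certification campaign scoped to the identity (everything the identity holds) or to the resource (everyone who holds access on it), and applies reviewer decisions fail-closed so that anything not explicitly approved is revoked. The entitlement store, trigger rules, reviewer assignments and the sample alert are all constructed for illustration and are hypothetical.

```python
"""Added example: SIEM/UEBA alert -> expedited IGA certification campaign.
Self-contained model of the integration; not a vendor API. All names, rules
and data below are constructed for illustration."""
import json
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed entitlement store: identity -> list of (resource, entitlement).
ENTITLEMENTS = {
    "jdoe": [("hr-payroll-db", "db_reader"), ("hr-payroll-db", "db_exporter"),
             ("vpn-gw", "remote_access")],
    "asmith": [("hr-payroll-db", "db_reader")],
}
MANAGERS = {"jdoe": "mgr-1", "asmith": "mgr-2"}                          # reviewers, identity scope
OWNERS = {"hr-payroll-db": "payroll-owner", "vpn-gw": "netops-owner"}    # reviewers, resource scope

# Hypothetical governance-side trigger policy: which monitoring rule fires which
# campaign scope, the minimum severity honoured, and the expedited due window.
TRIGGER_POLICY = {
    "bulk_export_after_hours": {"scope": "identity", "min_severity": "high", "due_days": 3},
    "impossible_travel": {"scope": "identity", "min_severity": "medium", "due_days": 5},
    "privileged_resource_abuse": {"scope": "resource", "min_severity": "high", "due_days": 3},
}
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Campaign:
    campaign_id: str
    scope: str                                  # "identity" or "resource"
    due: date                                   # expedited deadline
    items: list = field(default_factory=list)   # (identity, resource, entitlement, reviewer)


def parse_alert(raw: str) -> dict:
    """Validate the alert body the monitoring tool hands to the governance platform.
    Missing fields raise, so a malformed feed cannot silently skip a trigger."""
    alert = json.loads(raw)
    missing = [k for k in ("alert_id", "rule", "severity", "identity", "resource") if k not in alert]
    if missing:
        raise ValueError(f"alert {alert.get('alert_id')!r} missing fields: {missing}")
    return alert


def build_campaign(alert: dict, store: dict, today: Optional[date] = None) -> Optional[Campaign]:
    """Match the alert against TRIGGER_POLICY; return an expedited campaign or None."""
    today = today or date.today()
    rule = TRIGGER_POLICY.get(alert["rule"])
    if rule is None or SEVERITY.get(alert["severity"], 0) < SEVERITY[rule["min_severity"]]:
        return None
    camp = Campaign(f"cert-{alert['alert_id']}", rule["scope"], today + timedelta(days=rule["due_days"]))
    if rule["scope"] == "identity":
        ident = alert["identity"]   # certify everything the identity holds, not just the alerting resource
        for res, ent in store.get(ident, []):
            camp.items.append((ident, res, ent, MANAGERS.get(ident, "unassigned")))
    else:
        res = alert["resource"]     # certify everyone who holds access on the alerting resource
        for ident, ents in store.items():
            for r, ent in ents:
                if r == res:
                    camp.items.append((ident, res, ent, OWNERS.get(res, "unassigned")))
    return camp


def apply_decisions(camp: Campaign, store: dict, decisions: dict) -> tuple:
    """Apply reviewer decisions fail-closed: any campaign item not explicitly
    approved is revoked. Returns (revoked items, new store); input is not mutated."""
    new_store = {i: list(e) for i, e in store.items()}
    revoked = []
    for ident, res, ent, _ in camp.items:
        if decisions.get((ident, res, ent)) != "approve":
            revoked.append((ident, res, ent))
            new_store[ident] = [pair for pair in new_store[ident] if pair != (res, ent)]
    return revoked, new_store


# Constructed sample alert, shaped like a SIEM/UEBA webhook body (hypothetical).
SAMPLE_ALERT = json.dumps({"alert_id": "A-1001", "rule": "bulk_export_after_hours",
                           "severity": "high", "identity": "jdoe",
                           "resource": "hr-payroll-db",
                           "detail": "2.1 GB exported at 02:14 local time"})


def run_demo() -> dict:
    """Full flow on the constructed data with a fixed clock, returned for inspection."""
    camp = build_campaign(parse_alert(SAMPLE_ALERT), ENTITLEMENTS, date(2024, 1, 1))
    # Reviewer keeps only read access; exporter and VPN entitlements are revoked.
    revoked, remaining = apply_decisions(camp, ENTITLEMENTS,
                                         {("jdoe", "hr-payroll-db", "db_reader"): "approve"})
    return {"campaign": camp, "due": camp.due.isoformat(), "revoked": revoked, "remaining": remaining}


if __name__ == "__main__":
    result = run_demo()
    print(result["campaign"])
    print("revoked:", result["revoked"])
    print("remaining for jdoe:", result["remaining"]["jdoe"])
```

Two design points carry over to a real deployment: the governance platform applies its own severity threshold rather than trusting the monitoring tool's verdict outright, so a noisy rule cannot flood reviewers with campaigns, and the campaign is fail-closed, so an unanswered expedited review removes access instead of leaving the violating entitlements in place past the deadline.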