From ‘oversight’ to the algorithm driven company

In last weeks contribution (Identity & Access Governance in the age of digital transformation) I was outlining the general picture, answering the question, what Governance is after all, what it means, when applied to Identity & Access, emphasizing the need to look at Identity and Access separately, and finally breaking ’direction' down, following the downstream path from strategy to executable rules. Today I will cope with how to make policies & guidelines actionable.

About the necessary underpinnings of a digital transformed corporation

When considering the quality of everyday management decisions in major corporations, the well-known Nobel laureate Daniel Kahneman found himself not exactly awed: “You look at large organizations that are supposed to be optimal, rational. And the amount of folly in the way these places are run… is actually fairly troubling.”

Even more worrying was the insight that this routinely making poor decisions did not correlate with experience, training and other factors usually considered having a positive effect. Rather the less encouraging conclusion was that this nearly unavoidable “noise” was the effect of the very human nature – the traps and biases we use to run into during our daily life, whether job or business.

And the cure? Well, Kahnemans advice is “Algorithms”. Let algorithms run the company? Yes! That's what he meant. As radical as this advice sounds, it is not an entirely new view. We have them since long. Policies & guidelines, Procedures & standards and Specifications & work instructions, representing a layer of abstraction each.

However these business rules are meant to be processed by humans – not by machines. They still need some degree of translation, interpretation and situational judgement. And even worse, they usually don't provide a complete set of guidance even for the majority of the “Business As Usual” cases.

While it still might take a while until we will see governance performed by robots (although in some companies it already might look like that), the operational layer of the traditional corporate pyramid can well be, and quite often already is, run in an automated way. Next target now is the Management layer, where less frequently decisions are taken to keep operation within the pre-defined policies & guidelines channel. This will be the battlefield where the success of the digital transformation, many companies lately decided to head for, will be archived – or not.
Nevertheless, giving “direction” needs to be expressed in a formal way. And it is still a good start for many corporations to fill the voids in the document pyramid, as shown in fig. 1.

It might be a disturbing idea which Kahnemann conveys, when he expects systems powered by artificial intelligence (AI) one day to be able to execute professional judgement even better than humans. For now however laying the necessary foundation as the necessary underpinnings for a (more) digitized corporation, will be already enough of a task for most of us.
So let's do our homework first.

Oversight starts with a simple question

Oversight starts with a simple question: Who has (had) access to which Resources?
Simple question – simple answer? Yes? No! Rather only few corporations are currently able provide sufficient evidence of their access situation as outlined below.


Let's first look at the ‘who’: usually you may think of (fixed term) employees. And indeed, providing them with the appropriate access to corporate resources causes headache enough and keeps hordes of colleagues, consultants, system integrators and auditors busy. However the subject behind the ’who' needs to be looked at more fine-grained. It can be other staff, like contractors or those with elevated rights like admins. It could be suppliers or customers and even their respective administrators in case some limited delegated administration is implemented. Increasingly non-human actors like other systems interact via more or less controlled APIs and need to be included into the access control focus. And finally the IoT age is dawning, bringing new challenges to the table, let them be the sheer number, the often external nature or the limited capabilities of those ’things'.

Has (had)

The innocent word ’has' can be broken down into sufficiently complex cases too. It is not just about listing all resources any digital identity has access too – now. Not just listing them by resource, by digital identity, by system, content authorisation level, or context exclusion rule. Also it must be immediately back-traceable why this privilege exits, who (person or policy) granted it and when last has been checked. For audit purposes or forensic investigations these answers have to be given for any chosen period of time, which legal and corporate retention rules permit.

Access to

What about the ’access'? Is it uniform? What a stupid question. No, it is not. Next to the trivial CRUD-access (Create, Read, Update, and Delete): There are risk-mitigating content-based access limitations in place, restricting access according to pre-defined authorisation levels: “You are allowed to close contracts up to 1 million US-Dollars.” Next to content, the context might add to the sensitivity, like: “Well, you might close that contract but not during your vacation, from a nightclub in Shanghai, during (local) night-time, using your private smartphone, which hasn't been updated to the latest security patch level.” The last example could even contain several policy violations. A third restriction is process based and prevents a digital identity from running a complete business process just by his/her own. Also known as Segregation of Duties (SoD) this risk minimizing step can be performed at administration time (static SoD) or at run-time (dynamic SoD). Privileged access finally is quite a different breed and should again be handled completely different, e.g. via granting completely monitored and recorded session-based access.

Which Resources

After talking about the subject of the access act, what about the object, the corporate ’resource'. The sensitive corporate resources, which need to be protected, are not the ERP-, CRM- or HR-systems but the underlying information objects, the employees, customers, contracts payments, … . They should be well-known, classified by their sensitivity, assigned into areas of responsibility and expressed in a formal model. As information objects don't interact by their own and are unable to protect themselves, access to them goes through a whole stack of systems, which are usually object of access control in lieu of them. This IT stack comprises, but is not limited to, applications as the most obvious part, but also middleware, operation systems, networks, telco-systems and physical assets, e.g. premises, as well. There are no logical – only practical reasons – why the entry of humans into buildings is handled by independent PACS (physical access control systems) and not by the access control systems, which shields digital resources.

Executing oversight for I&A Governance

When it comes to implementation of Governance usually 3 types of controls are considered:
  • Preventive controls
  • Detective controls and
  • Corrective controls
There is no question that it would be optimal to prevent any deviations from our policies, hence fully rely on preventive controls. This however would mean that the ’direction' part of I&A Governance would have got sufficient traction to rely on it. It further means that you have to declutter your architecture, mature your administrative processes to a high level of maturity and - as we learned from the introduction above – automate all administrative processes to a high degree.
As these prerequisites are rarely fulfilled, we have to rely on the second best set of controls, the detective ones, which belong to the oversight part of I&A Governance.

A few standard implementations of detective controls are required by major regulatory bodies and hence found wide acceptance. Detective controls therefore dominate the IAG processes. They should be gradually reduced in favour of preventive controls once the necessary preconditions are given.
The three top-level detective controls in use today are:
  • Reconciliation - Does the implementation reflect the intended state?
    This daily health check is only necessary, if the access definition is done on a different location (Policy Administration Point or PAP) than the policy decision (Policy Decision Point or PDP) and the policy execution (Policy Enforcement Point or PEP) and the target systems still maintain their native Administration Interface. In an architecture where there is (at least logically) just a single policy store, there is no need for this control; in reality however it quite often is.

  • Attestation - Is our decision still valid?
    Also known as Re-certification this regular (quarterly to biannual) check on validity just reconfirms the decision once taken during initial grant of the privilege in question. This check become necessary (and hence is required by regulatory bodies) as we don't have sufficient trust in our administrative processes, that they would properly, immediately and automatically react on change events in the real world and reflect them in the access structure accordingly.

  • Expiration - To limit risks for domains outside your own control.
    Expiration of once granted privileges is a widely underestimated and thus underutilised detective control. Its use is evident for granting access in the context of limited endeavours, like task forces or projects. Also in environments outside of the direct control, like vendor employees authorised via delegated administration, whose leaving and changing positions would otherwise go undetected. But also for regular employees on BAU tasks (Business As Usual) it would be beneficial and could even replace attestation. Prerequisite however is a proper implementation of time-out dates and a powerful workflow support.
One important point to mention is that I&A Governance is by no means an IT task. It is rather purely organisational. Therefore all decisions must be well understood and taken here by representatives of the business side. As this can only be expected when all access objects like roles, rules, privileges, or information objects are named and described in business terms, it is only a minor step from here to find the find and implement the appropriate business rules (Kahnemann calls them algorithms) to drive the process henceforth.

In these two postings I described the current status of what is expected of corporations to have implemented today. In my third and last part next week I will focus on the challenges lying ahead and what they will mean for us.

No comments:

Post a Comment