Data-Driven Decision Making for Identity Security

In today’s Zero Trust world, where the principle of least privilege is ubiquitous, enterprises are struggling to balance security while simultaneously enabling a highly agile business environment. There has always been friction with security and making highly specific security decisions quickly and efficiently contributes to this.  Moreover, decision-making in enterprises exists on a spectrum from completely manual to completely automated. Regardless of where your organization resides on this scale, you are moving more and more towards automation--whether you know it or not. The real question is, as your business becomes more agile, how can you keep your security posture from falling off a cliff?

Traditional security tools can help with decision-making, but oftentimes there isn’t enough data to automate this decision-making process, or there isn’t enough confidence with the data that does exist. This results in a lot of manual effort, which cannot be supported by overworked and understaffed security teams. The solution to this challenge is more data; the more data you have, the more informed any automated decision will be to grant access (and specifically which type of access). Thus, from a Zero Trust standpoint more data is almost always better, and as we move towards a more secure enterprise environment, it will be essential to draw on data from numerous sources, including access requests, authentication, authorization, session activity, user behavior, etc. The more data, the clearer the picture - the clearer the picture, the safer and faster the decision.

But where do we collect this data? The answer is, you already have some of it - you just aren’t leveraging it. The data that your existing identity and access management solutions are collecting while they are continuously monitoring user access and activity is invaluable.  This data might include things like login times, login locations, associated roles/access, etc.  But the marginal benefits of additional data, which might initially seem irrelevant, should not be underestimated.  For example, suppose we gather average session data for users, which on its own might not be predictive of risk.  It could be that longer average session time combined with administrator access is the single most predictive measure of malicious behavior, but if we don’t bother collecting the data, we’d never know that.

The upside of collecting and consolidating identity and other data is that machine learning tools can continually analyze this data to search for new patterns that enable more informed decisions. These tools are capable of learning not only which data is valuable for risk assessment at any given time, but also how to apply that risk assessment to make informed security decisions.  And through more informed decisions comes more automated security, which enables business agility. 

At Broadcom, we are focused on a future state where all data inputs - from authorization, access requests, authentication, session monitoring, and contextual user behavior - are used at the business level. Symantec’s Global Intelligence Network (GIN) is one of the largest civilian data repositories in existence, providing an extraordinary amount of data to inform security decisions. As the mindset of security has evolved, we are capable of making much more granular decisions with a greater level of context, creating and enforcing policies that are highly contextual. We are evolving beyond identity, because the data we gather allows businesses to function at the next level.