Recommendations
Overview
The Recommendations view collects all the information needed for a correct analysis of users' authorization status. Each user is assigned an Incompliant Score that expresses the discrepancy between the authorization status recorded in the IAM/IAG systems and the user's actual behavior, which the system detects by analyzing the logs of the applications the user acts on. The wider this gap, the higher the score assigned to that user, and the system itself "recommends" actions to remedy the situation. Pursuing the principle of least privilege for the permissions granted to users is a fundamental identity-hygiene practice: it reduces the attack surface that, if exposed, could become a vector for attacks by malicious actors.
Clusters & Incompliant Users
The two colored bars at the top of the view are a graphical representation of the clustering status of the analyzed user population. The "Should be Clusters" group users by authorization: users authorized to access the same applications fall into the same cluster. The individual user permissions are those configured in the IAM/IAG systems. The "As is Clusters" group users by behavior. These clusters take the authorizations configured in the company authorization systems into account, but what drives them is the users' actual behavior as the system observes it in the application logs. When the two sets of clusters differ significantly, the discrepancy between the permissions configured in the IAM/IAG systems and the users' actual behavior is significant. Reducing this gap is a fundamental identity-hygiene practice that serves both security and compliance.
By clicking on an individual cluster, you can see the population it is composed of and its percentage of the total user population.
Further down the page is the list of Incompliant Users, sorted by Incompliance Score. Incompliant Users are the users for whom the clustering system has detected a large gap between the permissions they hold and the permissions they actually use; simply put, they have more permissions than they use. Each user's preview card shows, in addition to the personal data, the number of Revoke recommendations the system makes for that user in pursuit of the principle of least privilege.
To access the details of the individual user, click on the corresponding card.
In the user detail view, we can find a graphical representation of the "as is" and "should be" clusters with the list of applications the user is authorized to access and the currently used applications.
The system continuously compares each user's authorization status with their current behavior, detecting unused accounts. For unused accounts it goes further and compares the user's behavior with that of their peers, producing recommendations that can be used for recertification campaigns in corporate Identity Management systems. Based on this cross-analysis, the system may recommend revoking one or more specific accounts to pursue the principle of least privilege.
Sharelock can give three types of recommendations:
- Keep: when the account is regularly used
- Consider revocation: when the account is not used but the user's peers own it
- Revoke: when the account is not used, and the user's peers do not have it
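The decision logic described above, as an added example that is not Sharelock's own code. It assumes a simple Incompliance Score (share of authorized applications never seen in the logs), defines peers as users that fall into the same "as is" cluster (identical observed behavior), and treats an account as "owned by peers" when at least half of those peers are authorized for it; the access log and authorization data are constructed.

```python
from collections import defaultdict

# Constructed sample data: authorizations as configured in the IAM/IAG system
# ("should be") and application access-log events as (user, application).
AUTHORIZED = {
    "alice": {"crm", "erp", "hr"},
    "bob":   {"crm", "erp", "hr"},
    "carol": {"crm", "erp", "hr"},
    "dave":  {"crm", "vpn"},
    "erin":  {"crm"},
}
ACCESS_LOG = [
    ("alice", "crm"), ("alice", "erp"), ("alice", "hr"),
    ("bob", "crm"), ("bob", "erp"),
    ("carol", "crm"), ("carol", "erp"),
    ("dave", "crm"), ("erin", "crm"),
]
PEER_OWNERSHIP_THRESHOLD = 0.5  # assumption: "peers own it" if >= half the peers hold the account

def used_apps(log):
    """'As is' view: the applications each user actually touched according to the logs."""
    used = defaultdict(set)
    for user, app in log:
        used[user].add(app)
    return used

def incompliance_score(user, authorized, used):
    """Assumed score in 0..1: share of the user's authorized applications never used."""
    apps = authorized[user]
    return len(apps - used.get(user, set())) / len(apps) if apps else 0.0

def peers_of(user, used):
    """Assumption: peers are the other users in the same 'as is' cluster (same used apps)."""
    mine = used.get(user, set())
    return [u for u in AUTHORIZED if u != user and used.get(u, set()) == mine]

def recommend(user, app, authorized, used):
    """Keep / Consider revocation / Revoke, following the three rules on this page."""
    if app in used.get(user, set()):
        return "Keep"                       # account is regularly used
    peers = peers_of(user, used)
    owners = sum(1 for p in peers if app in authorized[p])
    if peers and owners / len(peers) >= PEER_OWNERSHIP_THRESHOLD:
        return "Consider revocation"        # unused, but the user's peers own it
    return "Revoke"                         # unused, and peers do not have it (or no peers)

def recommendations(authorized, log):
    """Per-user score, per-account recommendation and the Revoke count for the preview card."""
    used = used_apps(log)
    out = {}
    for user, apps in authorized.items():
        recs = {app: recommend(user, app, authorized, used) for app in sorted(apps)}
        out[user] = {"score": incompliance_score(user, authorized, used), "recs": recs,
                     "revoke": sum(r == "Revoke" for r in recs.values())}
    return out
```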
Sharelock can facilitate recertification campaigns by producing ad hoc reports or integrating directly with IAM systems and triggering targeted certification campaigns.
In addition to login-based recertification campaigns that remove unused accounts, Sharelock can promote a second kind of recertification campaign in response to its risk detection system. This risk-based access recertification campaign is a proactive approach to improving identity protection and access security, and Sharelock can trigger it directly in enterprise identity management systems via its APIs.