As more organizations adopt SaaS applications to meet new business demands more efficiently, they need to address insufficiencies in their identity management strategies and take decisive steps to improve them. For many organizations, quickly identifying and managing access using manual processes becomes unsustainable as they onboard more SaaS applications and more users. The challenge compounds through the identity lifecycle as users change roles, leave the organization, etc. Addressing this challenge today and in the future requires organizations to embrace a modern Identity Governance and Administration (IGA) solution. Establishing the right roles-based access using a role-mining exercise is a vital step in this process. But how does one do that efficiently and effectively?
In this post, we’ll explain how role mining works and why it helps improve overall security posture. You’ll also gain insight into how emerging technologies like artificial intelligence-based machine learning help automate role mining and make it easier and faster for IT administrators to manage access and compliance policies in response to changing business requirements.
What is role mining?
Put simply, role mining is a process of discovering relationships between entitlements and a user’s job role. Role mining enables the IT administrators responsible for identity governance and administration (IGA) to analyze how access to data and systems is mapped and determine whether users in an enterprise have the access they require to the applications and systems they need to do their jobs. After analyzing this mapping data, identity access and governance managers can modify permissions to support the principle of least privilege. Role mining is widely considered the best way to gather intelligence about the user permissions and entitlements that are necessary to perform specific roles in an enterprise. When performed correctly, role mining can also reduce complexity during onboarding by assigning birthright access and entitlements by function, role, or role set, enabling new hires to be productive from the moment they are first hired into a new position.
How effective role mining contributes to better cybersecurity
Data collected for The State of Identity Governance 2024 showed that unnecessary access to systems and applications and overly permissive accounts are a widespread concern in most enterprises. Overall, more than 72 percent of IT professionals surveyed agree that people in their organizations have unnecessary access to assets or are over-permissioned. For organizations using legacy or in-house-built IGA systems, this number jumps to nearly 78 percent. This troubling trend in access management is probably the principal source of concern about identity-related threats and is likely a significant reason for identity security breaches, compromised user accounts, and hackers gaining unauthorized access to sensitive data.
The role mining process is a critical aspect of Role-Based Access Control (RBAC) because it helps IT administrators improve cybersecurity by reducing the proportion of users who hold access privileges beyond what they need to do their jobs.
How role mining works
There is no single role-mining technique; several methods are in common use. Each is capable of effectively mining roles, consolidating roles, and facilitating a more structured account access management process.
The first method is based on data. In data-driven role mining, identity access and governance managers mine users’ activities and relationships to reveal insights into access patterns. Data-driven role mining tools look for similarities between user activities across the environment and group users into logical role candidates. Data-driven role mining offers a more accurate picture of what a technical role, business role, etc. should look like in an organization. It is an effective method for managing roles with common permissions. In instances where there are substantial anomalies and it is difficult to fit users into a logical pattern, this role management technique may not be as effective.
Another approach is for identity access and governance managers in an organization, with the support of business leaders, to develop templates from which roles are created. When administrators add users to the system, they assign them to a previously created role. This approach is relatively quick to implement because the roles already exist and role discovery is already done; administrators can easily select, edit, and save a role. The downside of using this approach to manage business roles is the elevated risk of giving users higher privileges than they need, either because too few roles have been templated or because a created business role does not reflect the true needs of every user assigned to it.
Organizations may also empower department or business unit managers to define role models. In this process, each stakeholder group engages in mining job roles to identify role candidates and make recommendations based on user-activity relationships within their specific areas of responsibility. This creates a more accurate matching of privileges and permissions to user requirements, such as grouping technical roles with common applications and systems access requirements. This approach can become problematic when users in different departments have, for example, identical job titles but dissimilar roles in the organization. In that instance, users would have the same permissions but not the same role requirements.
How role mining results in lower impact from account credential theft
The State of Identity Governance 2024 reported that more than 90 percent of IT and business professionals are concerned about identity-related cybersecurity threats. Specifically, they are most frequently concerned about account credential theft, with malware designed to steal credentials (87 percent), compromised user credentials (86 percent), and unauthorized access to sensitive data by external attackers (85 percent) topping the list. This underscores the importance of identity management that ensures organizations can effectively manage and permission user accounts at all access points.
There are many advantages to using role-mining tools to ensure more comprehensive account provisioning and reduce the impact of account credential theft. Role mining helps you better match a role’s permission and security needs by providing access to just what a user needs to do their job, matching entitlements to their role in accordance with the principle of least privilege. By doing so, the impact of identity attacks that rely on credential theft is reduced significantly. Role mining also brings transparency to user accounts: for example, the system helps detect accounts that should no longer be active, which further reduces the attack surface.
AI access control based on machine learning in role mining
The role mining definition is changing with the emergence of artificial intelligence (AI) based machine learning (ML) and its impact on Role-Based Access Control. Artificial intelligence based on machine learning provides bedrock technology on which organizations can automate identity governance. AI, augmented with rich data, enables IT managers to have a 360-degree look at all aspects of identity management. The result is streamlined role mining as well as other IGA use cases like access requests, and access review intelligence. Using AI, governance and access managers no longer need to manually analyze masses of data, enabling them to proactively identify access risks and give critical context to facilitate quicker decision-making. AI can accurately identify excessive privileges and provide confidence scoring that teams can use to make provisioning decisions and turbocharge existing IGA processes.
AI based on ML applies deep learning, clustering, and natural language processing techniques to identify and categorize various business roles and their associated access privileges and resource entitlements within an organization. Process mining, time-series, and sequential pattern mining help discover the various business processes within an organization and their associated access and resource requirement patterns. Unsupervised/semi-supervised learning and generative predictive analytics can detect and predict user access and user behavioral changes within an IT system to inform dynamic access change recommendations. Adversarial machine learning and anomaly detection identify suspicious, risky, and anomalous user behaviors in an organization’s IT system.
These technologies make it much easier for IT system administrators to uphold the policy of least privilege in the face of evolving requirements, enabling them to provide users with sufficient access to the applications necessary to perform their work while quickly blocking unnecessary access to combat identity-related security threats. Using AI based on ML, IT administrators can automate systems to detect over-permissioned and non-essential access. Identity governance uses advanced analytics to predict, make recommendations, and enforce changes to users’ access privileges and entitlements. Broadening, limiting, and adjusting access based on employees’ changing business roles and job execution patterns improves system security and enhances employee productivity.
Omada brings real-time readiness to role mining in identity governance
The State of Identity Governance 2024 revealed that nearly four in ten IT professionals and business leaders consider AI based on ML for assistance in role mining a top functionality to have in a new IGA solution. As more organizations see the role AI based on ML plays in automating role mining, that figure is destined to rise. As identity-related cybersecurity threats become more sophisticated, having AI-driven role mining to quickly identify roles will evolve from “nice to have” to “must have” technology. Contact Omada to see how we can help you realize the potential of making AI based on ML for role mining a driver of your organization’s IGA strategy.