One of the principal benefits of implementing a modern Identity Governance and Administration (IGA) solution is replacing manual management of user identities with automation. Organizations must assign roles to users so that users can be grouped effectively and granted access and permissions based on the group or groups to which they belong. In this post, we explain how role mining gives organizations the role insights they need to reduce the number of users with unnecessary access and excessive permissions throughout the identity lifecycle, lower the risk of security breaches, and accelerate least privilege.
Why have roles?
Identity managers in any organization must carry a massive resource-assignment burden, and individual assignments can take days. In legacy systems, a central IGA team crafts roles based on its own understanding of the business. This often produces roles that overlap, duplicate one another, or are complete subsets of another role. Over time, this approach does not effectively manage role model drift as the organization’s needs change (e.g., M&A, personnel changes, divestitures, etc.). Instead of maintaining a single assignment list of entitlements, a more effective approach is to work out which users are like each other and create roles that operate as groupings of the assignments those users need. Since roles change throughout the user identity lifecycle, managing them is an ongoing process, and when identity managers deal with potentially thousands of users, managing them manually is error-prone and does not scale.
The challenge of over-permissioning and unnecessary access
Omada’s research report State of Identity Governance 2024 revealed that more than 90 percent of those surveyed are concerned about the risks of identity-related cybersecurity threats, and 78 percent believe employees have excessive access. The data show that a high proportion of IT professionals believe their organization has over-permissioned access, so it is hardly surprising that nine in ten are concerned about identity-related security threats. The roles expressing the most concern about identity-related threats are senior managers (CIOs and CSO/CISOs), with more than 76 percent reporting they are “very concerned” and more than 18 percent “somewhat concerned.”
Role-based Access Control (RBAC) is not a stand-alone solution for enterprises that need to reduce the number of individual users with access to applications and data beyond what their jobs require. It does, however, give identity and governance managers an environment in which they can gain the insights needed to use role assignments to inform that process.
What is role mining?
Role mining is a critical step toward establishing better RBAC. It helps identity managers improve access control by discovering the relationships between entitlements and a user’s job role. Role mining lets IGA managers analyze how access to data and systems is mapped to users and determine whether users in the enterprise have the access they require to the applications and systems they need to do their jobs. After analyzing this mapping data, they can adjust permissions to support the principle of least privilege. Role mining is widely regarded as the most effective process for gathering relevant intelligence about the user permissions and entitlements needed to perform specific roles in an organization. When executed successfully, RBAC can also reduce complexity during onboarding by assigning birthright access and entitlements by function, role, or role set, enabling new hires to be productive from their first day in a new position.
Role mining is critical to identity lifecycle management
After someone joins the organization, it is common for them to hold multiple roles over time. This creates risk: when employees change departments, they should only have access to the systems their new role requires. To remain productive, they may need access to a new set of systems and data to perform their newly assigned tasks. Without automated role mining, the role management process is time-consuming, costly, and error-prone. Identity lifecycle management based on a user’s role in the organization ensures that employees are provisioned with proper access to the proper resources, such as the directory service, email, shared cloud drives, and application services.
Using role mining to gain role insights, the organization can see identity data in independent systems within the IT environment, and then use connectors to transfer data between each of those respective systems and the IGA solution. This enables effective management of access rights as employees, contractors and others join the company, shuffle between departments, change roles, or depart the organization.
Machine learning (ML) capabilities within a modern IGA help identity managers by revealing patterns in the resources that different user identities share. ML performs automatic and on-demand calculations to keep roles up to date as the organization changes, while maintaining a clear delineation between roles to avoid duplication and overlap. Automated role insight with ML streamlines the certification process on an ongoing basis by producing an optimized role model that reduces the number of certification questions, leading to higher-quality answers and outcomes and enabling identity managers to handle role model drift much more effectively.
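As an added illustration (not Omada’s engine and not code from this post), the following Python sketch performs the bottom-up grouping described under “What is role mining?” on a constructed user-to-entitlement table: entitlement sets shared by several users become candidate roles, candidate roles that are subsets of other candidates are flagged (the overlap and duplication problem noted above), and each user’s direct assignments beyond their best-fitting role are reported for review. User, system and entitlement names are hypothetical.

```python
from collections import Counter

# Constructed sample data (hypothetical users, systems and entitlement names),
# modelling the "who is like you" grouping that role mining performs.
ASSIGNMENTS = {
    "alice": {"ad:Finance", "erp:AP_Clerk", "mail:Finance"},
    "bob":   {"ad:Finance", "erp:AP_Clerk", "mail:Finance"},
    "carol": {"ad:Finance", "erp:AP_Clerk", "mail:Finance", "erp:Admin"},
    "dave":  {"ad:Eng", "git:Dev", "ci:Run"},
    "erin":  {"ad:Eng", "git:Dev", "ci:Run"},
    "frank": {"ad:Eng", "git:Dev"},
    "grace": {"ad:Eng", "git:Dev"},
}

def mine_roles(assignments, min_members=2):
    """Bottom-up role mining: every entitlement set held by at least
    min_members users becomes a candidate role. Returns {name: frozenset}."""
    counts = Counter(frozenset(ents) for ents in assignments.values())
    frequent = [s for s, n in counts.items() if n >= min_members]
    frequent.sort(key=lambda s: (-len(s), sorted(s)))  # deterministic naming
    return {f"R{i + 1}": s for i, s in enumerate(frequent)}

def find_subset_roles(roles):
    """Flag candidate roles that are strict subsets of another candidate
    (the overlap/duplication problem a central role team tends to create)."""
    return sorted(
        (small, big)
        for small, s in roles.items()
        for big, b in roles.items()
        if small != big and s < b
    )

def fit_users(assignments, roles):
    """Give each user the largest candidate role covered by their entitlements;
    anything left over is direct assignment a reviewer should certify or
    remove. Returns {user: (role_or_None, excess_entitlements)}."""
    result = {}
    for user, ents in assignments.items():
        matches = [r for r, s in roles.items() if s <= ents]
        best = max(matches, key=lambda r: len(roles[r]), default=None)
        excess = ents - roles[best] if best else ents
        result[user] = (best, excess)
    return result

if __name__ == "__main__":
    roles = mine_roles(ASSIGNMENTS)
    print("subset roles:", find_subset_roles(roles))
    for user, (role, excess) in fit_users(ASSIGNMENTS, roles).items():
        if excess:
            print(f"{user}: role={role} excess={sorted(excess)}")
```

On the sample data this reports the two-entitlement engineering role as a subset of the three-entitlement one, and carol’s erp:Admin entitlement as access outside her mined role.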
The time savings of role management and role assignment are difficult to achieve without a dedicated, proven modern IGA solution backed by robust technology that can surface insights about access. Effective role insights empower identity managers to optimize the management of existing users and to establish birthright and core functional roles when onboarding new users. This removes the reliance on people-driven actions and manual processes to reduce the number of over-permissioned users and the incidents of credential theft and lateral movement that can eventually result in a costly and labor-intensive cybersecurity incident.
Using a modern IGA like Omada Identity Cloud effectively automates user role discovery and role optimization to reduce the amount of manual work to create and/or update them. Omada uses an intelligent engine to analyze users’ access needs and then suggests optimal roles. It is a data-driven approach that determines the right fit, increasing efficiency and maximizing user productivity from the beginning. This innovative approach simplifies role discovery, lowers complexity, and heightens security. The result is a streamlined access management process that enables faster certifications and reviews as well as upfront assignments and continuous optimizations of roles throughout the identity lifecycle.
To learn more about how Omada helps provide role insights, contact us today!