Risk Management is a crucial part of every organization. It is the process of identifying and evaluating risks in order to avoid or minimize their impact. We also do Risk Management in IAM, by assigning the correct Risk Score to each asset, data set, resource, application, permission, role and identity.
Why do we assign Risk Score?
Assigning a risk score helps in identifying the security value of an entity or piece of information. It also helps in applying the appropriate security measures to protect that information or entity. For example, if an entitlement provides privileged or admin access in a system, we can assign a High Risk score to that entitlement, and this score can then be used to trigger an additional level of approval at the time access is granted, or at the time of User Access Revalidation.
Every organization uses thousands or millions of entitlements, and every user has access to hundreds of entitlements to perform his or her job functions, so it is difficult to run the User Access Revalidation process for each and every user and for each entitlement in the organization. If we assign a Risk Score to the entitlements, we can run the User Access Revalidation process only for those users who have access to entitlements with High Risk scores.
A risk score can be assigned to Roles as well. In an RBAC model, roles are tied to entitlements, and the risk scores of those entitlements are used to calculate the risk of the role. In a similar way, a risk score can be assigned to Identities or Users in an IAM system based on the roles and entitlements they have.
Should we assign the same risk score to all Privilege Entitlements or Roles?
No, we should not assign the same risk score to all privileged entitlements or permissions, and there is a reason for this. Consider an example with three entitlements, i.e. Entitlement 1, Entitlement 2 and Entitlement 3:
Entitlement   | Read | Write/Modify | Delete | Privilege Access
Entitlement 1 | Yes  | No           | No     | No
Entitlement 2 | Yes  | Yes          | No     | Yes
Entitlement 3 | Yes  | Yes          | Yes    | Yes
Based on the above table, Entitlement 2 and Entitlement 3 both provide privileged access but give different levels of access to users in the system. If we assign the same risk score to Entitlement 2 and Entitlement 3, we are saying that the impact of Entitlement 2 and Entitlement 3 is the same, which is incorrect. Entitlement 3 gives “Delete” access, which has more impact than a “Write” operation.
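As an added illustration (not code from the original post), here is a small Python model of the scheme described above: each entitlement is scored from what it allows, a role inherits the risk of its entitlements, an identity inherits the risk of its roles, and the High Risk cut-off drives both the extra approval step and the narrowed User Access Revalidation campaign. The capability weights, the threshold, and the role and user names are assumed values constructed for this example.

```python
from dataclasses import dataclass

# Assumed weights per capability (constructed for this example; tune per organisation).
# Delete outweighs write, so Entitlement 3 scores higher than Entitlement 2.
CAPABILITY_WEIGHTS = {"read": 1, "write": 3, "delete": 5, "privileged": 6}
HIGH_RISK_THRESHOLD = 10  # assumed cut-off for extra approval / revalidation


@dataclass(frozen=True)
class Entitlement:
    name: str
    read: bool = False
    write: bool = False
    delete: bool = False
    privileged: bool = False

    def risk_score(self) -> int:
        """Sum the weights of every capability this entitlement grants."""
        flags = {"read": self.read, "write": self.write,
                 "delete": self.delete, "privileged": self.privileged}
        return sum(w for cap, w in CAPABILITY_WEIGHTS.items() if flags[cap])


def role_risk(entitlements) -> int:
    # A role is as risky as its most dangerous entitlement (max, not sum, so a
    # pile of read-only entitlements cannot masquerade as privileged access).
    return max((e.risk_score() for e in entitlements), default=0)


def identity_risk(roles: dict, assigned: list) -> int:
    # An identity is as risky as the riskiest role it holds.
    return max((role_risk(roles[r]) for r in assigned), default=0)


def needs_extra_approval(entitlement: Entitlement) -> bool:
    return entitlement.risk_score() >= HIGH_RISK_THRESHOLD


def users_for_revalidation(roles: dict, users: dict) -> list:
    """Only users whose identity risk meets the threshold enter the campaign."""
    return sorted(u for u, assigned in users.items()
                  if identity_risk(roles, assigned) >= HIGH_RISK_THRESHOLD)


# Constructed sample data mirroring the table in the text.
E1 = Entitlement("Entitlement 1", read=True)
E2 = Entitlement("Entitlement 2", read=True, write=True, privileged=True)
E3 = Entitlement("Entitlement 3", read=True, write=True, delete=True, privileged=True)
ROLES = {"Viewer": [E1], "Editor": [E1, E2], "Admin": [E1, E2, E3]}
USERS = {"alice": ["Viewer"], "bob": ["Editor"], "carol": ["Viewer", "Admin"]}

if __name__ == "__main__":
    for e in (E1, E2, E3):
        print(e.name, e.risk_score(), "extra approval" if needs_extra_approval(e) else "standard")
    print("revalidate:", users_for_revalidation(ROLES, USERS))
```

With these weights Entitlement 1 scores 1, Entitlement 2 scores 10 and Entitlement 3 scores 15, so only bob and carol are pulled into the revalidation campaign while alice (read-only) is skipped.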