
Q&A: Auditing and Authorization

David Brossard and Matt Luckett discuss how policy-driven authorization can help improve auditing.

We recently sat down with our Chief Technology Officer, David Brossard, and Vice President of Customer Relations, Matt Luckett, to discuss how policy-driven authorization can help improve auditing.

What are the most typical pain points enterprises experience when it comes to auditing?

David: The number one pain point I see is that existing identity governance and administration (IGA) systems give enterprises a false sense of security. They give this false sense by only doing audits on data they have available. If it is an audit on who has access to what data, that insight often doesn’t exist in a governing tool because it doesn’t take into account the data in each application, which are most often siloed. This means you must go into each application and compile different logs, if there even are any, to audit who has access – not an efficient process.

When someone reviews the permissions, they often let people have the same entitlements they have had for X amount of time. There is such a fear that removing entitlements will disrupt a user’s day-to-day job that managers prefer not to remove them.

However, that entitlement could give the user access to information that they use for malicious intent (or a malicious user has stolen the user’s credentials). There is little the company can do about that situation, which is what I mean when I say the IGA solution can give enterprises a false sense of security.

This is why the principle of least privilege (PoLP) is fundamental. With PoLP, a user is given the minimum levels of access – or permissions – needed to perform his/her job functions.

Matt: I often hear about a couple of pain points when it comes to auditing.

First, data is everywhere. Every application has its own audit data, which makes it difficult to investigate and cross reference user behavior across all the applications they interact with.

Second, the security operations center (SOC) team can’t keep up with all the data. In many cases, the team analyzing the audit behavior gets lost in a mountain of data and can’t figure out where the real issues lie or how to remedy the problems.

Third, application teams don’t have an easy way to report on who has access to what. They can call out the roles a user has, but it’s difficult to translate that into what resources a user can access. This becomes increasingly difficult as companies try to become more fine-grained with their legacy approach to authorization.

Finally, the auditors themselves have a nearly impossible job of decoding what each application owner provides them. The team has to try and parse through the roles, the meaning behind each role, look for role conflicts and then compare all of that against the users themselves. This combined with tight timelines and a changing landscape makes accuracy of reporting almost impossible.

What are auditors looking for from reports?

David: Auditing can be split into at least three parts, each with their own unique dimension that the auditor is looking for in the reports.

The first is the audit of who configured the policies, so that if someone has the wrong permissions the organization can understand how these permissions were granted and by which stakeholders. Perhaps we could call this administrative audit, i.e. audit of the configuration and administrative tasks.

The second audit is of what user got access to what information. With a traditional approach, organizations must rely on application logs to know what information a user has accessed.

However, with a policy-driven approach to authorization it is easier to leverage the authorization engine’s audit logs to keep track of who has access to what information. In attribute-based access control (ABAC), the authorization framework generates extremely rich audit logs that can be used not only for security but also for usage patterns, etc. Let’s call this the authorization runtime audit log.

The third kind of audit focuses on the “what if?” or “who can?”. What can Alice do? Who can edit record #123? This is the basis for rich access reviews, which in turn enable recertification.

Traditionally, such reports have been primarily based on a role-based access control (RBAC) approach, leading to policies that are relatively poor, hard to understand, and not reflective of reality.

Policy-driven authorization provides a unique approach because it ties in multiple attributes and uses a policy which can more easily be used to generate access reviews and tackle the “what if” question. This way the enterprise knows the right people are allowed to access the right information at the right time.
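The runtime audit log and the "who can?" / "what can Alice do?" review queries described above, as an added Python sketch that is not from the interview or from Axiomatics' product. The policy set, users and records are constructed; the decision is default-deny and every record captures the attributes and policy ids that produced it.

```python
from datetime import datetime, timezone

# Constructed sample ABAC policy set (not Axiomatics' format): each rule
# states the action it covers and the attribute condition it needs.
POLICIES = [
    {"id": "owner-edit", "action": "edit", "match": lambda s, r: s["id"] == r["owner"]},
    {"id": "dept-read", "action": "read", "match": lambda s, r: s["dept"] == r["dept"]},
    {"id": "admin-any", "action": "*", "match": lambda s, r: "admin" in s["roles"]},
]

def evaluate(subject, action, resource, now=None):
    """Default-deny decision plus a runtime audit record showing *why*."""
    now = now or datetime.now(timezone.utc)
    matched = [p["id"] for p in POLICIES
               if p["action"] in (action, "*") and p["match"](subject, resource)]
    decision = "permit" if matched else "deny"
    record = {
        "ts": now.isoformat(),
        "subject": subject["id"], "subject_attrs": {"dept": subject["dept"], "roles": subject["roles"]},
        "action": action,
        "resource": resource["id"], "resource_attrs": {"owner": resource["owner"], "dept": resource["dept"]},
        "decision": decision,
        "matched_policies": matched,  # empty list documents a default deny
    }
    return decision, record

def who_can(action, resource, users):
    """Access-review query: which users would be permitted this action now?"""
    return sorted(u["id"] for u in users if evaluate(u, action, resource)[0] == "permit")

def what_can(subject, resources, actions=("read", "edit")):
    """Access-review query: which (resource, action) pairs can this user perform?"""
    return sorted((r["id"], a) for r in resources for a in actions
                  if evaluate(subject, a, r)[0] == "permit")

# Constructed users and records for the review queries.
USERS = [
    {"id": "alice", "dept": "finance", "roles": []},
    {"id": "bob", "dept": "finance", "roles": []},
    {"id": "carol", "dept": "hr", "roles": ["admin"]},
]
RECORDS = [
    {"id": "rec123", "owner": "alice", "dept": "finance"},
    {"id": "rec456", "owner": "bob", "dept": "hr"},
]

if __name__ == "__main__":
    print(evaluate(USERS[1], "edit", RECORDS[0]))   # bob: deny, no matched policies
    print(who_can("edit", RECORDS[0], USERS))        # ['alice', 'carol']
    print(what_can(USERS[1], RECORDS))               # [('rec123', 'read'), ('rec456', 'edit')]
```

Each audit record is self-describing, so an access review can be answered from the log and the policy set alone rather than from per-application logs.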

Matt: In most cases, auditors need to know that the right users only have access to the right information and that users haven’t been handling information against policy.

In what ways does authorization go further than other solutions when it comes to providing details relevant to an audit?

David: Axiomatics goes beyond what other solutions are able to do as we connect to each application and its data.

Because of this, organizations are able to look at who can get access to various records and request time-based access review reports. This is particularly important if a data breach was to occur and you want to know what information the malicious user had access to. An audit trail with this information is extremely useful compared to trying to consolidate the data from all applications. If enterprises are only using an IGA solution, they won’t be able to do these requests.

Matt: To add to David’s point, IGA and authentication solutions paint their own picture of who users are and what users are able to log into. Conversely, authorization digs deeper to look at what the user is accessing within applications they have access to.

For example, while authentication reporting shows when and how a user logged into an application, authorization will report on the resources and data a user accessed and what they attempted to do in the application.

What are the most common mistakes enterprises encounter when looking at authorization and auditing requirements?

David: The biggest mistake is that enterprises don’t realize how powerful externalized authorization is for auditing or access reviews. They are used to doing traditional recertification, which only captures the identity side of a configuration and doesn’t extend to what happens inside a target system or application.

Additionally, organizations have fallen into a habit of accepting what they see in a spreadsheet. This puts them in danger and is how organizations end up with over-provisioning and permission creep. It is easy to add permissions, but it is difficult to remove permissions since you don’t want to break what people need to do their job.

Also, most often enterprises get an authorization solution to help with efficiency in terms of development or compliance.

However, an added benefit is that authorization solutions have audit logs, which are extremely powerful. With audit logs, enterprises can start to visualize and determine who has access to what and when they accessed it.

Matt: Another mistake enterprises encounter is that they treat each application independently. Enterprises set up compliance standards on how information should be handled and treated and yet they audit each application differently. This leaves some applications adhering to standards while others don’t adhere to any. It also means that auditors end up having to follow different rules for different applications and create reports unique to each application.

What should enterprises know when it comes to authorization and auditing requirements?

David: Enterprises should know that auditing is a great reason to implement an externalized authorization solution – sometimes I think it is the main reason as it is so powerful. Organizations as a whole want to know what has happened, but it doesn’t matter what has happened. What matters at the end of the day is the right things happen as you want to hold people accountable.

Matt: That’s a great point, David. Also, enterprises need to prioritize understanding and adhering to relevant compliance standards and regulatory requirements, like the White House Zero Trust mandate, that are applicable to their industry. This involves staying informed about updates to these standards and ensuring that security practices align with the specific mandates of the regulatory environment in which they operate. This first step helps enterprises build policies that cover their applications as a whole, and leads to the second step.

It is crucial to implement and maintain strong access control policies. This includes employing the principle of least privilege, ensuring that users have only the minimum permissions necessary for their roles. This approach leads to fewer security violations, whether voluntary or involuntary.

Having a robust monitoring system in place to track and analyze user activities across applications through comprehensive audit trails provides the next layer for identifying and responding to security incidents promptly.

Enhance your organization's auditing with policy-driven authorization

Not only can policy-driven authorization improve auditing, but it can improve your organization's overall IGA investment. If you want to learn more you can download our white paper or request a demo to learn how authorization can help your existing IGA reach its full potential.

About the author

As the Marketing Communications Specialist, Emme Reichert helps execute content that resonates with customers, partners, and influencers. She has experience with marketing in the healthcare and tourism industries.