Ensuring continuous compliance through reconciling policy with usage

Suresh Chari, Ian Molloy, Youngja Park, Wilfried Teiken
Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), 2013, pp. 49-60. DOI: 10.1145/2462410.2462417
Cited by: 8

Abstract

Organizations rarely define formal security properties or policies for their access control systems, often choosing to react to changing needs. This paper addresses the problem of reconciling entitlement usage with configured policies for multiple objectives: policy optimization and risk mitigation. Policies should remain up-to-date, maintain least privilege, and use unambiguous constructs that reduce administrative stress. We describe a number of algorithms and heuristics, validated on real-world data, to address various aspects of reconciling access control policies with security audit logs. The first set of algorithms tracks and correlates which policy items enable which actions; using these correlations we can identify over-privileged entitlements, redundant policy items that may not be correctly revoked by administrators, rarely used entitlements, and overly permissive entitlements. They can help reduce administrative errors and general operational risk. The second body of work compares user groups defined in the policy with roles generated from the actual usage patterns, from which we derive quality and security measures for policy groups. Finally, we track policy changes through assignments and revocations and test precursors for such changes (e.g., a failed request before an assignment). Broadly speaking, this body of work presents different facets of continuous compliance to see if the enforced security policy and the resulting usage are consistent with a common intended security goal.
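The policy-versus-usage reconciliation the abstract describes, as an added worked example that is not the authors' code or data: a constructed policy with entitlements granted directly and via groups, a constructed audit log, and a constructed administrative change log. The functions map each granted entitlement to the policy items that grant it, flag entitlements that are never exercised or granted by more than one item, flag allowed actions the policy snapshot cannot explain, and find failed requests that shortly precede an assignment granting exactly the denied entitlement. All names, entitlements, timestamps and the five-tick window are assumptions for the illustration.

```python
"""Reconcile a configured access-control policy with audit-log usage.

Added illustration; not the paper's code. All data below is constructed.
"""
from collections import defaultdict

# Policy snapshot (constructed): entitlements come from direct grants or groups.
POLICY = {
    "groups": {
        "finance": {"ledger:read", "ledger:write"},
        "reporting": {"ledger:read", "reports:read"},
    },
    "membership": {
        "alice": {"finance", "reporting"},
        "bob": {"reporting"},
        "carol": {"finance"},
    },
    "direct": {
        "alice": {"ledger:read"},   # also granted by both groups: redundant item
        "bob": {"admin:all"},       # broad entitlement, never used below
    },
}

# Audit log (constructed): (timestamp, user, entitlement exercised, outcome).
AUDIT_LOG = [
    (0, "dave", "ledger:write", "DENY"),    # not explained by a later assignment
    (1, "alice", "ledger:read", "ALLOW"),
    (2, "alice", "ledger:write", "ALLOW"),
    (3, "carol", "reports:read", "ALLOW"),  # policy snapshot grants carol no such right
    (3, "bob", "reports:read", "ALLOW"),
    (4, "bob", "ledger:write", "DENY"),     # failed request ...
    (5, "carol", "ledger:read", "ALLOW"),
    (6, "dave", "reports:read", "DENY"),    # failed request ...
]

# Administrative change log (constructed): (timestamp, action, user, group or entitlement).
CHANGE_LOG = [
    (7, "ASSIGN", "bob", "finance"),       # ... followed by an assignment granting it
    (9, "ASSIGN", "dave", "reporting"),
]


def effective_entitlements(policy, user):
    """Map every entitlement a user holds to the set of policy items granting it."""
    sources = defaultdict(set)
    for ent in policy["direct"].get(user, set()):
        sources[ent].add("direct")
    for group in policy["membership"].get(user, set()):
        for ent in policy["groups"].get(group, set()):
            sources[ent].add(f"group:{group}")
    return dict(sources)


def reconcile(policy, audit_log):
    """Correlate granted entitlements with the ALLOW events that exercised them.

    Per user: entitlements never used (revocation candidates), entitlements
    granted by more than one policy item (a revoke of one item leaves the
    access in place), and allowed actions the policy snapshot does not grant
    (policy store and enforcement point disagree, or the snapshot is stale).
    """
    used = defaultdict(lambda: defaultdict(int))
    for _ts, user, ent, outcome in audit_log:
        if outcome == "ALLOW":
            used[user][ent] += 1
    users = set(policy["membership"]) | set(policy["direct"]) | set(used)
    report = {}
    for user in sorted(users):
        granted = effective_entitlements(policy, user)
        report[user] = {
            "unused": sorted(e for e in granted if used[user][e] == 0),
            "redundant": sorted(e for e, src in granted.items() if len(src) > 1),
            "unexplained": sorted(e for e in used[user] if e not in granted),
        }
    return report


def assignment_precursors(policy, audit_log, change_log, window=5):
    """Find DENY events within `window` ticks before an ASSIGN that would have allowed them."""
    denies = [(ts, u, e) for ts, u, e, o in audit_log if o == "DENY"]
    findings = []
    for ts, action, user, item in change_log:
        if action != "ASSIGN":
            continue
        newly_granted = policy["groups"].get(item, {item})  # group name or single entitlement
        for dts, du, de in denies:
            if du == user and de in newly_granted and 0 <= ts - dts <= window:
                findings.append({"user": user, "assigned": item, "denied": de, "gap": ts - dts})
    return findings


if __name__ == "__main__":
    for user, facts in reconcile(POLICY, AUDIT_LOG).items():
        print(user, facts)
    for f in assignment_precursors(POLICY, AUDIT_LOG, CHANGE_LOG):
        print("precursor:", f)
```

On the constructed data, alice's direct `ledger:read` is flagged redundant (three policy items grant it), bob's `admin:all` and carol's `ledger:write` are flagged unused, carol's allowed `reports:read` is flagged as unexplained by the snapshot, and both assignments are preceded by a denial of exactly the entitlement they grant. The window is a tunable heuristic; on real logs it should be set from the observed lag between a help-desk request and the administrator's change.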