SIEM + IAM = User Activity Monitoring
Posted by Robbie Forkish on Tue, Nov 24, 2009
Gartner, in a report entitled SIEM and IAM Technology Integration,
points out that integration of identity and access management (IAM) and
security information and event management (SIEM) technologies can
provide audit capabilities that are much stronger than what IAM alone
can deliver. In short, they are saying that SIEM + IAM = user activity
monitoring, and that user activity monitoring is important for both
threat management and compliance management.
The top Gartner recommendation in the report is to:
Implement user activity monitoring as part of a strategy to manage external and internal threats and for regulatory compliance.
The report concludes by discussing SIEM customization requirements for integrating with any IAM system.
To summarize the thrust of the report: After collectively spending
billions of dollars on SIEM and IAM systems, enterprises are now encouraged
to invest further in the integration of these two expensive and complex
technologies in order to achieve user activity monitoring. A fancy
graphic is included in the report that shows the intersection of change
management, activity management, and identity management; the title of
the figure is “Moving From Activity Monitoring to Exception Monitoring.”
Of course we want all of our systems to highlight exceptions rather than
simply report on activity, and of course we need to understand those
exceptions in terms of user activity if we are to eliminate serious
vulnerabilities while reducing the top source of audit findings. But do we need to break the bank to detect excessive access rights, dormant accounts and other insider risks? Not if we employ an Identity and Access Assessment solution.
Think about it. An enterprise could pay 6 or 7 figures for a SIEM,
another 6 or 7 figures for a complete set of IAM technologies, and, if
they dare, another 5 or 6 figures for the customization required to
integrate the two as Gartner (and their report sponsor) suggest. Of
course an enterprise may already have SIEM and IAM systems in place,
but customizing SIEMs for purposes of a serious integration project is
not for the faint of heart. A better approach for most enterprises
would be to pay 4 or 5 figures per year for a SaaS-based Identity and
Access Assessment solution to address user activity monitoring
exceptions that we all agree are critical to resolve.
Reducing access control vulnerabilities and excess entitlements is a
critical aspect of an overall security and compliance strategy. Cloud Compliance is developing an Identity and Access Assessment (IdAA) solution to address key challenges with IAM processes, especially in the area of user activity monitoring. We identify users who have rights they no longer need, and provide tools for isolating high levels of over-entitlement by group, business unit or application. Such tools enable root cause identification and provide the insight needed for remediation and process improvement.
Furthermore, because we have global visibility as a cloud-based SaaS solution, we capture industry-wide statistics that our customers can use to set their own policy benchmarks. Finally, in contrast to role-based access control systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to engage, and no huge upfront capital expense.