Machine Learning in Identity and Access Management

This blog was originally published by ZTEdge here

Written by Leo Versola, ZTEdge

In recent years, artificial intelligence and machine learning have been quietly transforming industries from agriculture and education to healthcare, marketing, and customer service. In 2018 over 60,000 US patent applications, 16% of the total, included an AI component. Because of the challenges involved in identifying rapidly evolving threats and unlimited numbers of malicious URLs, cybersecurity has become one of the industries that depends most on the use of artificial intelligence.

The Need for New Cybersecurity Tools

Cyberattacks are unquestionably on the rise; in the first quarter of 2021, just one cybersecurity vendor, Kaspersky, blocked over 2 billion attacks and recognized over 600 million unique URLs as malicious.

Ransomware demands continue to increase, and cybercriminals are intentionally targeting essential services and infrastructure, including organizations for which IT network outages cause serious consequences. In just the first few months of 2021, CNA Financial paid a reported $40 million ransom. Despite Colonial Pipeline’ payment of $4 million in ransom, gas supplies to the East Coast were jeopardized for most of a week. An attack on Microsoft Exchange servers using a previously unknown vulnerability breached 250,000 servers. The ransomware attack on the Health Service Executive of Ireland delayed critical medical services for millions of citizens.

There’s always been a trade-off between user convenience and network security. Now, as cybercriminals continue upping their game, the tools traditionally used to beef up security are imposing onerous burdens on both users and IT administration. New tools are needed—which is where artificial intelligence and machine learning come in.

How Machine Learning Works

AI is an umbrella term that includes many different subfields: machine learning, neural networks, natural language processing, speech processing, expert systems, robotics, evolutionary computation, vision, and planning. The most common subfield deployed in cybersecurity is machine learning.

Machine learning (ML) leverages algorithms to analyze large quantities of data, with the goal of uncovering patterns that enable accurate predictions. Among the most famous applications of machine learning is Netflix’s recommendation engine: An astounding 80% of the shows people watch on the service are those that the platform recommends to the user. Netflix’s proprietary ML algorithm relies on all sorts of data including what people watch, what they previously watched before or after watching a show, and content tags that are manually created by paid professionals. The algorithms identify the most important factors in determining what a consumer would like and weigh the different factors according to the degree to which they influence the decision. Netflix uses both implicit and explicit data: if you give a show a “thumbs up” rating, that’s explicit. If you binge-watched Breaking Bad, that is an implicit data point indicating you like that type of show.

Machine learning may be supervised, unsupervised, semi-supervised, or reinforcement learning.

• Supervised learning. Programmers supply algorithms with labeled training data. Both inputs and outputs of the algorithms are specified.
• Unsupervised learning. The computer works with unlabeled data and seeks correlations and connections wherever it can find them. The output is predetermined, but input is unstructured.
• Semi-supervised learning. A hybrid approach in which most of the training data is labeled, but the model can also explore the data and come to its own conclusions about the data set.
• Reinforcement learning. Used for multi-step processes with well-defined rules.

Applying Machine Learning to Identity and Access Management

As defined by Gartner, a leading IT research firm, Identity and Access Management (IAM) is “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.”

For IAM solutions, ML can be deployed both to determine whether someone is the “right individual,” meaning that they really are who they claim to be, as well as whether the data or apps they are trying to access are the “right resources” for that user.

ML and Least-Privilege Access

“Least-privilege access” is a fundamental principle of Zero Trust security, and enabling it is one of the key applications of identity and access management systems. Least-privilege access entails limiting user access to only the information, apps and other resources that they need to do their jobs – and nothing else. Manually configuring which apps and datasets each individual user needs, and keeping it current as users’ responsibilities change, places a huge burden on HR and IT resources. As a result, many organizations make do with Role-Based Access Control (RBAC), a system where access is granted based on a person’s role in the company, rather than their individual responsibilities.

The drawback of using RBAC is that not every user with the same job title needs access to all the same resources. Using RBAC means either manually fine-tuning exceptions for specific users – defeating the ease and simplicity of using a role-based model – or granting everyone with the role access to everything that anyone with that role might need – thereby compromising security by granting broader-than-necessary access to many users, and therefore not adhering to Zero Trust tenets.

Enter machine learning: Machine learning monitors user activity over a configuration period during which the user is granted broad access. ML algorithms monitor which apps and data the user actually uses during the training period and sets user-based access to exactly the resources the user needs, no more and no less, without any need for manual configuration. The process is repeated periodically so that as users’ responsibilities change, their privileges do, too.

Context-sensitive identification and authorization

An increasingly popular identity management approach leverages contextual information such as time of day or user location to detect unauthorized access. During the training period, ML studies details about user work habits and locations, and includes this information in their access policies. For instance, if a user always logs on using a US IP address, and a logon request suddenly comes in from Russia, the logon can be blocked even if the correct user credentials are presented, or extra identity verification methods can be required before access is granted. Of course, the system allows for manual override or adjustments on an as-needed basis.

Exception reporting

Quick intervention when issues are detected is essential for mitigating damage from cyberattacks. The same artificial intelligence systems that create policies can also identify and report unauthorized access attempts or unusual activity in real-time.

Conclusion

AI-based tools that are based on machine learning lighten the authentication burden on users and thereby go a long way toward alleviating the trade-off between user convenience and security. As a result, companies can enjoy the best of both worlds: A high degree of security provided by effective identity management and access controls based on granular user-level policies, without burdening either users or IT staff.

This "Protecting Data Using Machine Learning" white paper by Netskope offers an excellent overview of Machine Learning and Artificial Intelligence.