How to Measure Exposure of Access to a System

 

Objective

Describe a metric that captures the level of exposure due to access to a system. The intended use is to measure how close an access management process is to achieving principle of least privilege. 

Definitions

• Access - An actor's ability to read or modify data in or through a system.

• Access Management - A process to ensure appropriate actors have access to systems. 

• System - A catchall term for things like: a database, tool, or APIs.  

• User Data - A catchall term for data an end user is storing in the system.

• Personally Identifiable Information (PII) - a subset of user data that is considered directly identifying the end user. Such as a name, address, phone number, email, etc. 

• Sensitive Personally Identifiable Information (SPII) - The subset of PII that is considered sensitive, typically defined by the regulatory environment in which the data is being processed. Typically examples in the United States include Credit Cards, Social Security Numbers, etc.

• Principle of least privilege - Actors have ability to access only data needed to achieve their business objective.

• End user - Refers to the person that is trusting their user data to the system. Many times this is referred to as the customer. 

Background

As systems gain user data, there is a generic need to ensure appropriate access is being granted. This is achieved through creation of an access management process. Appropriate access typically depends on the sensitivity of the data being stored in the system. For example SPII typically has more restrictive access than PII. 

A difficulty in building an Access Management program is deciding how to define success. As with many processes, metrics around efficiency as fairly common such as:

• Average time to provision an actor access to the system -- less is better

• Headcount required to manage the process -- less is better

• Number of moments someone needs access but doesn’t have it -- less is better

These are great metrics from the perspective of ensuring least impact on business proposes. However, none of them have an explicit goal ensuring the access management process achieves the principle of least privilege. In fact, focusing only on these metrics will lead to preemptively granting many actors access to the system. As that is the easiest way to drive all of those metrics to their ideal state.

Access Exposure Metric

I propose that we measure the access exposure as a proxy for how close we are to achieving principle of least privilege. I define access exposure as:

(Number of actors) X (Average Number of end users they have access to)

Number of actors - The count of actors with ability to access end users user data.

Average number of end users they have access to - The average count of end users the actors have access to. Note the exact granularity of the subset of the end users’ data they have access to can be set as needed when measuring a systems Access Exposure.

As an example: Assume we are trying to measure the access exposure to a database with 100 million rows, each row contains the end users name, mailing address, and shopping history.  To ensure only appropriate access, we have an access management process that verifies business need before granting access. Once verified actors are added to a group with read access. This group has 100 actors in it. So we would say this system has an access exposure of 10 billion (100 x 100 Million). 

Now that we have this ability to measure the access exposure we can see where our resources will be best spent -- Lets say that it is decided that access to the database needs to be restricted as much as possible. Typically the access management process would focus on spending more cycles vetting the 100 actors with access. Potentially putting more through training, having management chains confirm the business need etc. Assume these measures are able to reduce the number of actors down to 50. That would be a 50% reduction in the access metric now at 5 billion.

Eventually though, we will see diminishing returns on reducing access focused on the number of actors. Some number of actors simply need to access this data. However, note the metric has two terms and access management so far has focused on just one of those terms, the number of actors. Shifting the focus to the other terms through creating a dynamic access mechanism. Such as: if the actors are a group of support agents that only need access to the one customer that they are supporting. Imagine a chat support system that grants the connected agent access to the customer’s data only once connected. In such a dynamic access model we would have an access exposure of ~50 (50 actors x 1 average end user each actor has access to). This represents a >99.999% reduction in access exposure.