By dog and tech standards, 14 years is a long time. Ancient, even.

This brings us to the role-based access control (RBAC) Identity and Access Management (IAM) provisioning model, adopted 14 years ago after passage of Sarbanes Oxley. It's safe to say a lot has changed in identity management, and that includes traditional RBAC.

By 'traditional' RBAC, I mean a bottoms-up/top-down approach to group access, entitlements, and technology roles. Typically, this approach is manual, with a few older tools providing role mining capabilities. In my experience, this rarely works without great disruption to an organization—and once the business roles are defined, they are obsolete as soon as an organization changes. At that point this inefficient cycle starts over again.

A modern AI-driven approach

Accenture and ForgeRock have pioneered a new and better path. Accenture created this new path to IAM in its Dublin-based innovation hub, The Dock. Then, the IP was licensed to ForgeRock, which renamed it ForgeRock Autonomous Identity.

This new identity analytics solution puts artificial intelligence (AI) and machine learning (ML) to work to reduce the time it takes to do everything associated with IAM. It does this to a large degree by automating more of the processes around access requests, access certification and provisioning. This can make workforces more productive, and organizations improve security. It also saves decision-makers time by predicting the appropriate level of entitlement for individuals and provides a confidence score and justification to make granting access easier.

To hammer home these points, I provide three autonomous identity examples, below.

Financial Services: For a leading financial services firm, Accenture's implementation of this approach reduced the effort it takes to approve access by an estimated 80 percent. This is adding up to tens of thousands of employee hours saved. There are also significant improvements in customer experience, with managers now able to certify access much faster thanks to automation and through bulk-approvals of high-confidence assignments that aren't automated. We're also talking about increased efficiency and profit since teams are much more operational from day one.

Energy: For a large utility company, periodic certifications required by the North American Electric Reliability Corporation were consuming too much time and too many resources. With the solution, certifying proper user access was faster and far more efficient.

Banking: To accelerate a merger between two banks, the organization quickly merged business and technical roles, automating them for faster approvals. As a result, the organization was able to meet the deadlines for the merger and then enjoy the benefits of a simplified identity model.

In these engagement and others, clients showed significant improvements in the customer experience.

Powering the way forward: machine learning and automation

By providing high-confidence access, AI and ML help to remove the “noise” factor, enabling business teams to focus on helping the company grow by reducing the 'yawn' work. At the same time, they help keep the company safer by enabling people to scrutinize low-confidence access assignments. ForgeRock Autonomous Identity, informed by machine learning and accelerated by automation, does this by giving them the insights and recommendations they previously didn’t have. So, at the same time, you improve the user experience, help your organization become more flexible and improve security.

It also makes for improved audit results. Put another way, when managers are flooded by identity decisions, there's a chance they will start rubber-stamping. A modern identity analytics solution informed by machine learning works to prevent that.

The implementation journey

Overall, the idea is to take a risk-based approach to identity and governance: Crawl, walk and then run, always with risk limits in mind. Approvals will not be automated on day one, but steady progress will win the race. Consider these possible steps:

  • Limit initial usage and start with high confidence-low risk access. This will build trust in the confidence score.
  • Take some time to allow people to get comfortable with the tool. Let people remediate low-confidence access while the tool does its thing with high-confidence, low-risk requests.
  • Analyze how your people handle high-confidence requests, then compare those results to how the tool handles the same requests.
  • Turn on automated certifications/approvals in waves based on risk tiers.

Going forward, I believe machine learning and automation are going to play an even bigger role in reducing risk and providing a better experience, given the increased volumes, and I’m not alone. Gartner believes that by 2022, "more than 50% of IGA vendors will offer predictive and recommendation engine leveraged by machine learning and artificial intelligence) analytics, up from less than 15% today.”

Keep in mind ...

Adding machine learning and automation is new, so it’s going to take everyone some time to get comfortable with it, including auditors. Involve everybody early, including internal/external audit teams, and make sure to bring them along for the entire journey. The more educated and comfortable they are, the better.

Now get to work planning a nice retirement party for the old RBAC. It had a great run, but there's a better choice now.

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this article is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2021 Accenture. All rights reserved.

Damon McDougald

Managing Director - Accenture Security, Identity and Access Management Lead

Subscription Center
Subscribe to Security Blog Subscribe to Security Blog