Avoiding Selection Bias in Identity Governance

Leo Grohmann, Senior Solutions Architect at Omada, discusses the challenges surrounding selection bias, especially when survivorship bias is added to the mix.


Selection biases in IGA


Survivorship bias is a type of selection bias that occurs when people only look at information or items that have passed a selection process, ignoring those that haven’t due to a lack of visibility. This can be a big obstacle to identity access management teams and it’s particularly widespread in access certificates and surveys. That can lead to decision-making that is based on insufficient datasets.

An example of how this bias can happen is a situation where not all applications are integrated with the IGA solution. In this case, there’s an incomplete picture of what needs to be or is being recertified. You might think you have good control over permissions in the IT landscape, but the reality is that you’re only seeing a small part of that entire landscape.

Another problem that can happen is that when permissions are re-certified, managers might only recertify them based on what access other people have. In other words, if some access has been granted to a large number of people, there’s a risk that managers will just re-certify that access for everyone without really thinking it through.


The problem with inappropriate recertifications


Organizations can use access certification campaigns to audit entitlements and legally confirm that identities have adequate access privileges. These campaigns are intended to remove access if it’s no longer necessary – or permanently approve access that was previously granted ad hoc. Certification campaigns are a useful method for making sure least privilege is in place.

Why does this matter? Inappropriate recertification of access or privileges can lead to many problems – such as data leaks or even data breaches, which can happen accidentally or with malicious intent. Imagine that someone has access to specific IT systems that they shouldn’t have access to. If, for some reason, the employee decides to cause damage to the company, they’d be able to do that because of their access.

Inappropriate recertification of access also makes things like attacking the company from the outside easier. The more access that’s unknown to the organization, the bigger the risk that it exposes itself to both insider and outsider threats.



Combatting survey fatigue


Avoiding selection bias and ensuring that recertification is done right also requires that you’re mitigating the risk of survey fatigue. Requiring employees to go through, say, 100 questions to recertify their access isn’t realistic. They’re either not going to do it or they’re going to speed through some questions for the sake of time and say, “Sure, this information looks fine.” But that leads to risks about whether the right things are being recertified. One way to combat this is to do more frequent but smaller recertifications rather than one giant yearly one, for instance.

Another option is to establish a “role model” in which certain accesses are bundled by job role. That way, it is sufficient to recertify the business roles that are assigned to identities instead of recertifying all contained permissions for everyone. Using a consistent role model with a business-friendly naming standard ensures that managers will spend less time on recertifications while making better and more thorough decisions.


Toward better recertification


Recertification shouldn’t be treated as just something to give to the auditors to fulfill certain regulations. It should be viewed as something crucial to the business, as well as a key part of security efforts. It should be driven by the business (not IT) and treated as something that is ultimately beneficial to the organization as a whole. Incorporate the best practices discussed above to beat survivorship bias and survey fatigue while streamlining the recertification process.