
Forensic incident response: Integrating a SIM system and an IAM system

SIM systems and identity management systems are designed to operate independently; by understanding where each technology's integration points are and how to maintain their effectiveness once they're joined, it's possible to create a more effective incident-response tool.

Tying together security information management (SIM) systems' real-time monitoring and reporting with identity and access management's (IAM) access controls can provide useful controls and higher security effectiveness. However, both are closed-loop environments: each has very specific integration points, and each was originally conceived to work independently. Because of this, where to merge these two functions isn't always clear, and integrating them without a clear understanding of where they can be combined risks both technologies losing their effectiveness.

SIMs are used to monitor and report on security vulnerabilities and policy violations. These systems include a policy enforcement engine that maps information protection policies to actionable activities for monitoring and scorecarding, along with scanning and reporting components that notify IT security personnel when an activity has occurred that violates the organization's protection policies. Meanwhile, IAM manages user access and authorizations for user activities. To manage this access, IAM uses role-based access control (RBAC). RBAC allows IT administrators to manage access with a high-level user-administration model based on general user functions and responsibilities. This permits large populations of users to be administered concurrently, which is much more effective than managing each user's access separately.

The closed-loop nature of the two means integration can be difficult. So why would an organization wish to combine SIMs and IAM? It's important to recognize that SIM tools deal with information and systems, not people. Many times, as an IT security person is assigned a remediation activity from an incident reported by the SIM system, he or she doesn't have the knowledge of whether a person initiated or caused the violation to occur. But he or she could see which person had access to the information in question in the IAM system, so in order to properly triage an incident, it would be very beneficial to have IAM information available.

So where does it make sense to integrate a standalone SIM system with a standalone IAM system? First, establish a hierarchy. In reality, the SIM system is still the only control system for asset vulnerability and risk assessment. As such, the SIM system retains its role as the highest level control system, and IAM must play a contributive role to the SIMs' capabilities. In integrating an IAM system into a SIM system, it is important not to overburden the SIM system so it can perform its functions. This means the IAM system should be integrated as part of the incident triage process -- not the monitoring and reporting functions.

IAM systems store user information, account access rights, roles and entitlements, so, looking at the incident triage process, that information can be used as follows:

Identify information in question → look at current protections → determine components affected → determine user roles with access to the information → determine the user's entitlements within the roles → determine the user's access, both physical and virtual → determine if information was at risk

The SIM triage component uses information generally stored in a directory, such as LDAP or Active Directory; since IAM systems use these same repositories in storing user accesses and privileges, the first step in integrating these two systems is to allow the SIM system to have access to IAM's branches of the directory tree. This allows the SIM system to query user roles and access rights.

Another integration point is for the SIMs to use the IAM system's certification services, which verify a user has the right roles assigned to him or her based on his or her job function. The SIM system, if capable of doing so, can look for separation-of-duties and other policy violations not identified by the certification services, which look at system-level access issues, not information-level access issues.
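The triage chain above (information in question, roles with access, entitlements within those roles, physical and virtual access, whether the information was at risk) and the separation-of-duties check just described, worked through as an added example that is not from the article or any product it names. It assumes a constructed in-memory copy of what the SIM would otherwise query from the IAM branches of the directory (hypothetical roles, accounts, sites and a single conflicting role pair); "physical" access is simplified to holding a badge for the site where the asset lives.

```python
# Constructed sample IAM data (hypothetical names). Roles map to entitlements;
# accounts hold roles plus physical (badge) and virtual (remote-login) access facts.
ROLES = {
    "claims_adjuster": {"claims_db:read", "claims_db:write"},
    "claims_auditor": {"claims_db:read", "audit_log:read"},
    "hr_analyst": {"hr_db:read"},
}
ACCOUNTS = {
    "alice": {"roles": {"claims_adjuster"}, "badge_sites": {"HQ"}, "remote": True},
    "bob": {"roles": {"claims_adjuster", "claims_auditor"}, "badge_sites": {"DC1"}, "remote": False},
    "carol": {"roles": {"hr_analyst"}, "badge_sites": {"DC1"}, "remote": False},
}
# Where each protected asset lives, as the SIM's asset inventory would record it.
ASSET_SITES = {"claims_db": "DC1", "hr_db": "HQ"}
# Separation-of-duties policy: role pairs one account must never hold together.
SOD_CONFLICTS = {frozenset({"claims_adjuster", "claims_auditor"})}


def roles_granting(entitlement):
    """Triage step: which roles carry the entitlement that protects the information."""
    return {role for role, ents in ROLES.items() if entitlement in ents}


def accounts_with_access(asset, action):
    """Triage step: accounts whose roles carry the entitlement, with each one's access paths."""
    granting = roles_granting(f"{asset}:{action}")
    site = ASSET_SITES[asset]
    found = {}
    for user, acct in ACCOUNTS.items():
        matched = acct["roles"] & granting
        if matched:
            found[user] = {"via_roles": sorted(matched),
                           "physical": site in acct["badge_sites"],
                           "virtual": acct["remote"]}
    return found


def triage(alert):
    """Final step: the information was at risk only if some entitled account also had a
    physical or virtual path to it. Entitled accounts with no path are listed separately."""
    access = accounts_with_access(alert["asset"], alert["action"])
    reachable = {u: a for u, a in access.items() if a["physical"] or a["virtual"]}
    return {"at_risk": bool(reachable), "accounts": reachable,
            "entitled_only": sorted(set(access) - set(reachable))}


def sod_violations(user):
    """Certification-style check: conflicting role pairs held by a single account."""
    held = ACCOUNTS[user]["roles"]
    return [sorted(pair) for pair in SOD_CONFLICTS if pair <= held]
```

Feeding a SIM alert such as `{"asset": "claims_db", "action": "write"}` to `triage()` yields the accounts an analyst should look at first, while `sod_violations("bob")` flags the adjuster/auditor combination that the certification services would be expected to catch.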

One feature provided in both systems is the ability to monitor their respective areas. Many organizations make the mistake of not sharing the views offered by these systems with a common data or operations center. Just like the issue the U.S. government has with its various intelligence centers not sharing their discoveries, organizations only get half of the view of the activities going on by monitoring IT security activities and other IT activities independently. By co-locating IT and security data or operations centers, however, both systems can be monitored to provide a combined IT security front.

In the end, it's up to the SIM system to ensure asset vulnerabilities are minimized and violations of the organization's security policies are captured. While IAM technologies provide valuable services to manage user accesses and authorizations, they still play a lesser role in the protection of sensitive information. By helping the SIM system know who had access to the information under question, IAM can provide valuable insights that augment the SIM tool's effectiveness, and the SIM system, in turn, can provide valuable feedback to the IAM system on its user management. By combining these two services into one function, organizations can achieve a solution that is greater than the sum of its parts.

About the author:
Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures.

This was last published in March 2010
