Data Access Security Dashboard
This section describes the Data Access Security dashboard and its main capabilities and navigation paths.
The Data Access Security dashboard is tailored for security administrators, compliance managers, and auditors. It serves as a centralized command center that provides insight into who has access to critical resources. It gives administrators clear visibility into their accounts and streamlines decision-making, enabling proactive security measures. With the widgets on this dashboard, administrators can safeguard critical assets, strengthen the organization's defenses, and maintain a resilient, secure environment.
This dashboard also makes it easier for IT and security personnel to enlist the cooperation of users in identifying which resources are at risk.
Data Access Security Widgets
Below is a brief description of each widget available within Data Access Security.
Accounts Overview
This widget displays a set of cards, each surfacing one category of risky accounts or groups.
- External Accounts - accounts that are external to the organization or to the Identity Security Cloud source. Their access to critical data should be restricted, minimized, and periodically certified. Doing so reduces the risk of data leakage, helps safeguard the integrity and confidentiality of internal critical information, and supports compliance with privacy and security standards.
- Accounts with Passwords that Never Expire - these accounts weaken the password security policy and increase the risk of credential theft. It is recommended to replace this configuration with a periodic password reset policy, or to add a control that requires accounts with the Passwords Never Expire attribute to use a very strong password and to have their access assessed regularly.
- Accounts that Require No Passwords - these accounts can log on without a password, overriding the login security policy and creating a security gap. It is recommended to set this attribute to false.
- Disabled Accounts - these accounts are often used to temporarily suspend an employee's access. It is recommended to delete disabled accounts that are not expected to be re-enabled, such as a terminated employee's account, to reduce the blast radius available to an attacker.
- Empty Groups - these are entitlements with no members. Empty groups reduce performance, diminish transparency, and increase the chances of an attacker finding an exploitable path. It is recommended to delete empty security groups.
- Cyclic Nested Groups - these are groups whose nesting forms a loop, where a group is both a parent and a child of another. It is recommended to remove the circular nesting because of the operational overhead and the potential for unintended privilege escalation hidden in circular group references.
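As an added example (not SailPoint code), the following computes the six Accounts Overview categories over constructed account and group records; the attribute names and the sample data are assumptions modelled on common directory flags, not the product's own schema, and the cycle check uses a depth-first search over group-to-group nesting edges.

```python
# Added example, not SailPoint code. Attribute names are assumptions
# modelled on common directory flags, not the product's own schema.
from typing import Dict, List, Set
FLAGS = ["external", "password_never_expires", "password_not_required", "disabled"]

def acct(name: str, **flags) -> dict:
    """Constructed account record; unspecified flags default to False."""
    return {"name": name, **{f: False for f in FLAGS}, **flags}

ACCOUNTS = [  # constructed sample accounts
    acct("alice"),
    acct("contractor1", external=True, password_never_expires=True),
    acct("svc-backup", password_never_expires=True, password_not_required=True),
    acct("bob", disabled=True),
]
# Constructed group membership: group name -> members (users or nested groups).
GROUPS: Dict[str, Set[str]] = {
    "Finance": {"alice", "Finance-Admins"},
    "Finance-Admins": {"Finance"},  # Finance -> Finance-Admins -> Finance: a cycle
    "IT": {"Backup-Ops", "bob"},    # nested but acyclic, must not be flagged
    "Backup-Ops": {"svc-backup"},
    "Legacy-Share": set(),          # empty group
}

def flag_accounts(accounts: List[dict]) -> Dict[str, List[str]]:
    """Bucket accounts into the dashboard's four risky-account categories."""
    return {f: sorted(a["name"] for a in accounts if a[f]) for f in FLAGS}

def empty_groups(groups: Dict[str, Set[str]]) -> List[str]:
    """Groups with no members at all."""
    return sorted(g for g, members in groups.items() if not members)

def cyclic_groups(groups: Dict[str, Set[str]]) -> List[str]:
    """Every group on a nesting cycle: DFS over group->group edges, where
    reaching a group already on the current path is a back edge."""
    done, cyclic = set(), set()  # fully explored groups / groups on a cycle
    def visit(group: str, path: List[str]) -> None:
        path.append(group)
        for member in groups[group]:
            if member not in groups:   # a user, not a nested group
                continue
            if member in path:         # back edge: cycle runs from member to here
                cyclic.update(path[path.index(member):])
            elif member not in done:
                visit(member, path)
        path.pop()
        done.add(group)
    for g in groups:
        if g not in done:
            visit(g, [])
    return sorted(cyclic)
```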
Accounts with Excessive Access to Critical Data
This widget displays the top 10 accounts that have a wide array of access to multiple applications either directly or indirectly. Having this information allows a user to monitor and investigate the reasons for the amount of access.
- Account Name - name of the identity that poses a risk.
- Critical Resources - number of critical resources the identity can access.
- Applications - number of applications the identity has access to. This is a count of applications, not a list of application types.
- Data Categories - number of data categories associated with the account.
Access Exposure by Application
This widget shows applications with excessive exposure of critical data, such as too many permissions granted or too many shared links to critical data.
On this widget, there are three different columns that identify the level of exposure.
- Publicly Shared - this is information that is shared to anyone outside of the organization with a link to critical data.
- Specifically Shared - this information is shared to a specific person or group inside or outside of the organization with a link to critical data.
- Direct Access - this information is granted directly to a single user rather than through a group.
Active Policies
This widget provides insight into the active policies within your system. Each policy listed is accompanied by the number of data categories and the number of critical resources that fall within that policy. The values on this widget are clickable and take you to the Forensics page for further details about the data.
Overexposed Resource Score
This widget displays a total number of overexposed resources across all applications. There is also a score that represents the risk of overexposed resources.
Overexposed Critical Resources Score
This widget displays a total number of critical resources that are overexposed across applications. There is also a score that represents the risk of critical data that may be overexposed.
Critical Resources by Policy
This widget displays a bar graph with an overview of all critical data across all applications, grouped by policy. The values on this widget are clickable and take you to the Forensics page for further details about the data.
Critical Resources by Application
This widget provides a more in-depth bar graph of critical resources, grouped by application. The values on this widget are clickable and take you to the Forensics page for further details about the data.
Critical Resources without Data Owners Score
This widget displays the number of critical resources which are not assigned owners across all applications.
Critical Resource without Data Owner
This widget lists applications that have critical resources without owners. The chart displays the number of folders within each application as well as the number of folders without an owner. The values on this widget are clickable and take you to the Forensics page for further details about the data.