Data Access Security Dashboard
This section describes the Data Access Security dashboard and its main capabilities and navigation paths.
A security dashboard is tailored for security administrators, compliance managers, and auditors. It serves as a centralized command center, providing crucial insights into access to critical resources. This dashboard allows administrators to have clear visibility into their accounts. It also streamlines decision-making which allows for proactive security measures. With widgets on this dashboard, administrators can confidently safeguard critical assets, fortifying an organization's defenses and ensuring a resilient, secure environment.
This dashboard makes it easier for IT and security personnel to enlist the cooperation of users to indicate which resources are at risk.
Data Access Security Widgets
Below is a small description of each widget that is available within Data Access Security.
This widget displays different cards that could provide information on risky accounts.
External Accounts - accounts that are external to the organization or to the IdentityNow source. Their access to critical data should be restricted, minimized, and periodically certified. Doing so reduces potential data leakage and helps safeguard the integrity and confidentiality of the internal critical information and comply with privacy and security standards.
Accounts with Passwords that Never Expire - these accounts could weaken the password security policy and increase credential theft risks. It is recommended to replace this configuration with a periodic password reset policy or add a control that requires accounts with the attribute Passwords Never Expire to have a very strong password and their access regularly assessed.
Accounts that Require No Passwords - these accounts could log on without a password, overriding login security policy. This can cause a security gap. It is recommended to change this attribute value to false.
Locked Accounts - these accounts could be harmless or could be a symptom of brute force attack or password spraying. It is recommended that you assess locked accounts trends, such as an unusual spike in the number of locked accounts over a small period of time.
Empty Groups - these are accounts with no members. Empty groups reduce performance, diminish transparency, and increase the chances of an attacker finding a path to exploit. It is recommended to delete empty security groups.
Cyclic Nested Groups - these are groups with an infinite loop, where the same group is a parent and a child of another. It is recommended to remove the circular nesting due to operational overhead and potential unintended privilege escalation hidden in circular group references.
Accounts with Excessive Access to Critical Data
This widget displays the top 10 accounts that have a wide array of access to multiple applications either directly or indirectly. Having this information allows a user to monitor and investigate the reasons for the amount of access.
Account Name - name of the identity who poses a risk.
Critical Resources - number of critical resources the identity can access.
Applications - number of applications the identity has access to. This does not mean type of applications, rather the number of applications.
Data Categories - number of categories on the account.
Overexposed Resources by Application
This widget provides a quick overview of overexposed resources per each application. An overexposed resource is a resource with existing access by groups which contain many members.
Access Exposure by Application
This widget shows applications that have too much exposed access. This can include too many permissions or links being shared that have critical data.
On this widget, there are three different columns that identify the level of exposure.
- Publicly Shared - this is information that is shared to anyone outside of the organization with a link to critical data.
- Specifically Shared - this information is shared to a specific person or group inside or outside of the organization with a link to critical data.
- Direct Access - this information is given directly to a single user, not a group.
This widget displays a graph of all the resources within an application as well as the number of overexposed resources within that same application.
Critical Resources with Owners Score
This widget displays a graph of all the critical resources as well as the total amount of critical resources that do not have an owner.
Critical Resources by Policy
This widget displays a bar graph with an overview of all critical data across all applications grouped by policies.
Sensitive Resources by Application
This widget provides a more in-depth bar graph of critical resources.