Correlating Identities and Their Users

Introduction and Problem

In today's digital landscape, organizations often require their employees to use a variety of applications, systems, and services, each with its own user account. Consequently, an employee may end up managing several accounts across platforms, such as an Azure Active Directory (AD) user, an Amazon Web Services (AWS) Identity and Access Management (IAM) user, a Jenkins user, and an Artifactory user, among others.

While some platforms support federation, which lets a single account authenticate to multiple systems, not every platform does, and many of those that do still keep a local user record for each federated login. Furthermore, federation might not be the most suitable option in certain scenarios because of specific organizational requirements or security concerns. Therefore, it is common for employees to hold multiple distinct accounts across various services.

However, this distributed account management makes it hard to keep access controls consistent and accurate. For example, consider a new employee who is onboarded and granted an Azure AD account while no corresponding record is created or activated in the HR system. An account with no accountable owner is a security risk as well as an operational inefficiency, and because there is no effective method to associate the various accounts with a single employee identity, the discrepancy is unlikely to be noticed.

As a result, it becomes increasingly difficult for organizations to detect and resolve such discrepancies, creating a need for centralized IAM solutions. These solutions aim to bridge the gap between the different user accounts by integrating them into a unified system, enabling better visibility, control, and security across the organization's various platforms and services.

Solution

With the introduction of Axiad Mesh, a significant advancement has been made in consolidating employee information across multiple accounts and platforms. Axiad Mesh provides a centralized infrastructure to analyze and organize user accounts, ensuring that each account is accurately associated with the corresponding employee. This initial step of connecting an individual's identity with their various accounts forms the foundation for improved account management and access control.

Building upon this foundation, the Identity Correlation Service is integral to the overall solution. Its primary function is to index avatars, the per-account representations of user identities, as they are ingested into the system. By doing so, the service can efficiently identify and establish connections between avatars that exhibit a high degree of similarity. Consequently, this tool paves the way for linking together the various user accounts that belong to the same individual, streamlining account management and enhancing overall security.

Method

Axiad Mesh takes a systematic approach to identifying and establishing connections between multiple user accounts that belong to the same individual. Each user account carries specific properties, such as a username, an email address, or a principal ID. To create these connections, Axiad Mesh analyzes the information within each account, searching for shared or overlapping properties among them, and scores that overlap to estimate the likelihood that two or more accounts belong to the same individual. Once a correlation is strong enough, Axiad Mesh links the user accounts, streamlining identity management and ensuring a more cohesive and secure digital environment.

Figure: Axiad Mesh correlates identities across silos

In the figure above, three different accounts are tied to the identity of Waiter Norton. Each of the three accounts has a different principal; between them they carry two distinct email addresses and one common user ID. Despite these differences, there is enough overlap between the accounts for the Axiad correlation service to connect all three to the same identity.
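As an added illustration of the property-overlap approach described in this section, and of the onboarding gap raised in the introduction, here is a small Python sketch of account correlation. It is not Axiad Mesh's code: the account records, the field names, the evidence weights, the link threshold and the `hr` source name are all constructed assumptions for this example. Each pair of accounts is scored on the properties it shares (employee ID, normalized email, username matching the other account's username or email local part); pairs at or above the threshold are joined with union-find, and any resulting cluster that contains no HR record is reported for review.

```python
"""Toy identity correlation across account silos (added example, not Axiad Mesh code).

All records, weights and thresholds below are constructed for illustration.
"""
from itertools import combinations

# Evidence weights: assumptions for this example. No single weak signal
# (email alone, username alone) reaches the threshold on its own.
W_EMPLOYEE_ID = 0.9   # a shared HR employee number is close to conclusive
W_EMAIL = 0.5         # a shared address is strong, but shared mailboxes exist
W_USERNAME = 0.3      # username equals the other account's username or email local part
LINK_THRESHOLD = 0.6

# Constructed sample accounts, one record per account per silo.
ACCOUNTS = [
    {"id": "hr-1",  "source": "hr",          "principal": "E10442",
     "email": "dana.reyes@example.com", "employee_id": "E10442"},
    {"id": "aad-1", "source": "azure_ad",    "principal": "dana.reyes@example.com",
     "email": "Dana.Reyes@example.com", "employee_id": "E10442"},
    {"id": "aws-1", "source": "aws_iam",     "principal": "dreyes",
     "email": "dana.reyes@example.com", "employee_id": None},
    {"id": "jnk-1", "source": "jenkins",     "principal": "dana.reyes",
     "email": "dreyes@contractor.example.net", "employee_id": None},
    # Azure AD account with no HR record: the onboarding gap from the introduction.
    {"id": "aad-2", "source": "azure_ad",    "principal": "sam.okoro@example.com",
     "email": "sam.okoro@example.com", "employee_id": None},
    {"id": "art-1", "source": "artifactory", "principal": "sokoro",
     "email": "sam.okoro@example.com", "employee_id": None},
    # Two bot accounts sharing a team mailbox: these must NOT be merged.
    {"id": "jnk-2", "source": "jenkins",     "principal": "build-bot",
     "email": "ops@example.com", "employee_id": None},
    {"id": "jnk-3", "source": "jenkins",     "principal": "deploy-bot",
     "email": "ops@example.com", "employee_id": None},
]


def normalize(acct):
    """Canonicalise the matching properties: case, UPN domain, empty values."""
    email = (acct.get("email") or "").strip().lower() or None
    principal = (acct.get("principal") or "").strip().lower()
    username = principal.split("@", 1)[0] or None          # UPN -> local part
    emp = (acct.get("employee_id") or "").strip().upper() or None
    local = email.split("@", 1)[0] if email else None
    return {"email": email, "username": username, "employee_id": emp, "local": local}


def pair_score(a, b):
    """Sum the weights of every property the two accounts share."""
    na, nb = normalize(a), normalize(b)
    score = 0.0
    if na["employee_id"] and na["employee_id"] == nb["employee_id"]:
        score += W_EMPLOYEE_ID
    if na["email"] and na["email"] == nb["email"]:
        score += W_EMAIL
    if (na["username"] and na["username"] in (nb["username"], nb["local"])) or \
       (nb["username"] and nb["username"] == na["local"]):
        score += W_USERNAME
    return score


def correlate(accounts, threshold=LINK_THRESHOLD):
    """Link every pair scoring >= threshold (transitively) and return the clusters."""
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(accounts, 2):
        if pair_score(a, b) >= threshold:
            parent[find(a["id"])] = find(b["id"])

    clusters = {}
    for a in accounts:
        clusters.setdefault(find(a["id"]), []).append(a["id"])
    return sorted(sorted(ids) for ids in clusters.values())


def without_hr_record(accounts, clusters):
    """Clusters with no HR account: accounts with no accountable owner, for review."""
    source = {a["id"]: a["source"] for a in accounts}
    return [c for c in clusters if not any(source[i] == "hr" for i in c)]


if __name__ == "__main__":
    found = correlate(ACCOUNTS)
    for cluster in found:
        print("identity:", ", ".join(cluster))
    for cluster in without_hr_record(ACCOUNTS, found):
        print("no HR record:", ", ".join(cluster))
```

Two behaviours are worth noticing. The HR, Azure AD and AWS accounts end up in one cluster even though the AWS account is only weakly tied to the HR record directly: it links to the Azure AD account (shared email plus username), which in turn links to HR (shared employee ID), so the join is transitive. The two bot accounts share a mailbox, and the contractor Jenkins account matches only usernames, so none of them reaches the threshold; they are reported as unowned rather than silently merged, which is the outcome a practitioner wants for ambiguous evidence. A real service would tune the weights per silo and treat known shared addresses and service accounts explicitly.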

Summary

Given that an employee will have multiple accounts, most organizations have no system in place today to associate those accounts with the same identity. Axiad Mesh sets up the infrastructure to analyze which accounts belong to which employee. The Identity Correlation Service's sole responsibility is to link user accounts to the same identity, helping to bolster an organization's identity posture.

To learn more about Axiad Mesh, read our recent press release. Contact us today to see how Axiad can help you bring clarity to identity chaos.