Documentation
Features > Machine Learning.
Documentation Menu
Instead of Pre-Approving a huge number of applications ahead of time, let the system build the list for you – as the applications are being used. Reduce your manual approval workload considerably with the latest feature coming with Admin By Request version 8.0.
When large enterprises consider effective and efficient access management, there is often a preference for Whitelisting / Pre-Approving trusted applications that their employees use on a regular basis – that is, figuring out which applications are frequently used, and adding them to a list which automatically allows users to elevate them when they need to. This method of ‘allow most, deny some’ has proven more resource-efficient compared to denying all apps and only allowing elevations on a case-by-case basis. But for a company of 100,000+ users, you could be talking about a Pre-Approved list of 10,000+ apps.
Compiling such a list takes considerable amounts of time and effort. You first need to ask, what apps are my users using most? Are they safe across the board? Are they safe for some users and not others? Which should be Pre-Approved and which should be looked at twice prior to elevation? Then there’s the task of actually adding the thousands of apps to the list ahead of time before it can be considered complete / useable.
Up until version 7.4, Admin By Request offered the same set of traditional methods for application elevation as other Privileged Access Management (PAM) tools: per-app elevation, pre-approval, blocked lists, approve everything and simply Audit. But we also faced the same limitations as these other solutions: Pre-Approved lists had to be manually populated ahead of time by customers who want to use them.
With version 8.0 coming December 12th, we’re introducing a breakthrough new feature to the Admin By Request platform which removes this limitation:
Machine Learning Auto-Approval.
Machine Learning – What Is It?
The idea behind Machine Learning Auto-Approval is to kill two birds with one stone: why don’t we allow customers to build a Pre-Approved list, as their employees use the software?
Let’s say a user requests to elevate an application, and an IT Admin approves this request. What the IT Admin is essentially saying is that the application in question is safe to run; in other words, it likely belongs on the Pre-Approved list.
So why not make a rule that if approval for an application elevation is granted X amount of times, that application is now automatically approved from then on?
This is where the Machine Learning feature comes in – it allows the system to handle creating the list of applications that are safe for approval as applications are used. Customers can set a number of times that applications need to be manually approved by an IT Admin before they are added to the Machine Learning Auto-Approved list.
A Use Case
Let’s take a look at an example of where and why the new feature might be needed, and how it could be implemented effectively:
A company of 100,000 employees has a policy that all software must be approved for elevation. With the PAM tools currently available on the market, the company has two options:
- Approve each individual request for elevation as they come in
- Create a Pre-Approved list ahead of time
Option 1 will likely mean 10,000+ approval requests per day that require attention from IT staff, and result in delays for users wanting their elevation requests approved.
Option 2 is more workable, but no one in the company knows all of the thousands of applications that employees are going to need approved in the future, so creating a complete and effective Pre-Approved list ahead of time is impossible.
In reality, neither option is ideal – which is why many enterprises forgo implementing a PAM solution and end up falling victim to cyberattack.
The Admin By Request Machine Learning feature presents a viable alternative to the existing options because you don’t have to approve endless requests, anticipate the future, or do anything upfront.
Instead, it would look something like this:
- Install Admin By Request for 1000 users
- In the first few days, your IT Admins receive hundreds of requests for app elevation
- As they approve requests, the Machine Learning list is built
- After the first few days, the number of requests decrease drastically as it’s the same applications that are being requested for elevation across the board (most of which are already Auto-Approved by the Machine Learning feature by this stage)
- Install Admin By Request for another 5000 users
- These users predominantly use the same applications as the first 1000 so, although there is a slight peak in requests, it’s much smaller than the peak upon initial implementation
- Repeat the process with the next 10,000 users, then 20,000, and so on, each time approving fewer and fewer requests as more and more applications are added to the Machine Learning Auto-Approve list by the system.
Deployment can be ramped up or slowed down to the speed appropriate for your approval resources.
While building this feature, we analyzed data from thousands of customers and estimate that a company of 100,000 employees will likely get the same number of requests for the first 1000 as for the last 99,000 – because users elevate the same applications.
Configuring The Feature
1. Navigate to Settings > Authorization, and the Require Approval toggle to ON. With these settings in place, applications need to be approved individually by an IT Admin before elevation is granted:
2. Navigate to Settings > OS Settings > Applications > Machine Learning. Here you can enable the feature by setting the toggle to ON and select the desired approval threshold between 0 and 10 (i.e., the number of times an app has to go through the approval flow / be manually approved before it is Auto-Approved from then on). In this example, we’ll set the number of Approvals to 1:
3. Click Save to confirm your settings – note the green tick appears when the save is complete.
4. Now, when your users use Run as Admin on an application for the first time, they will need to run through the approval flow as normal once. Note that the approval flow the user runs through, i.e., Authenticate or SSO, depends on your User Portal settings:
5. After approval for that application has been granted once, the second time, the application will simply require confirmation prior to elevation. This is because the number of times this application has been manually approved has been counted by the system, and it has reached the number of manual approvals required for it to now be Auto-Approved. These apps can be viewed in your User Portal under Reports > Settings Reports > Machine Learning. From here you can view the number of times the application has been approved (in the Count column) or choose to Forget the application. What this does is removes an application from the list and resets the manual approvals back to 0; from here it starts its manual approval count from scratch.
As with all Admin By Request features, Machine Learning can be tailored to suit different users’ needs through Sub-Settings.
Import Past Data
Although this is a new feature, existing customers can either choose to start afresh, or apply Machine Learning Auto-Approval to previous Auditlog data, so as to avoid having to go through additional manual approvals for applications that have already run through the approval flow.
By default, no data is ‘inherited’ from the Auditlog into the Machine Learning feature, so if you want your existing approvals to be used as the starting point, you can do the following:
Navigate to Reports > Settings Reports > Machine Learning, scroll down to the Import Auditlog Data section. You can use the AI sliders to only import the more popular (and therefore more trusted) applications (see the documentation for AI Approvals here). Select the Import Auditlog Data button:
You can also bulk-remove your entire Machine Learning list from here by selecting Remove All. Note you need to check the ‘I understand that my Machine Learning states will be modified’ box before you can complete these actions:
Summary
Building giant Pre-Approved lists so that your users can function effectively in their roles can be a nightmare for large organization. With our latest Machine Learning feature, the system removes the task of creating endless Pre-Approved lists and does the job automatically.
Combine this with our new AI Approval feature, also new with Admin By Request version 8.0, and you’ve reduced your manual approval workload considerably.
Keep an eye out for Admin By Request version 8.0 – coming December 12th!
Stay Up To Date
Latest Blogs
Understanding Access and Identity Management: Essential Guide to Secure Systems
Master access and identity management with this guide. Learn how AIM enhances security, boosts efficiency, and ensures compliance for your organization.
How To Secure with a Privileged Access Workstation (PAW)
Secure your IT environment with PAWs (Privileged Access Workstation). Learn setup, benefits, and alternatives to protect sensitive accounts from threats.
Top Tips for Choosing the Right Remote Access Service
Secure your data and connect remotely with ease. Discover top tips for choosing the right remote access service, ensuring flexibility, security, & productivity.