Most parents cheerfully mark the key milestones in their child’s path to adulthood: first step,first word, first school, first sleepover, first broken bone, and so on. But for many parents, no milestone causes as much anxiety as “first-time driver,” which is bestowed on all USA-based teenagers upon their16th birthday.

While surviving the experience of having our child become a driver may seem far removed from the world of access governance and entitlement certification, I found some parallels between managing a teenaged driver and managing the access rights and IT privileges of the end users in your organization. You can read more about it in my latest report, “Wake-Up Call: Poorly Managed Access Rights Are A Breach Waiting To Happen,” but here is a quick preview.

A common problem facing parents of teenaged drivers and IT organizations is that they have properly authorized users but often lack visibility into actual usage of those access rights. In the case of the teenaged drivers, parents often seek data around vehicle usage (Where did it go? At what time and at what speed?). For IT security professionals, organizations can no longer rely purely on static lists of authorized users and their access rights. So, just the way parents can impose mileage restrictions (reading the odometer to limit the distance a car can go in a given night) or fuel restrictions, an IT security team cansupplement access governance processes with additional usage data such as:

1.       Has the employee accessed the application/system during the last certification period?

2.       How often did the employee use the given entitlement?

This level of visibility can be further enhanced as needed. In the case of teenaged drivers, concerned parents could go beyond mileage- or fuel-based controls and install a GPS device to track individual vehicle usage.[1] Some motor vehicles are even incorporating such capabilities directly into the automobile’s electronic systems.[2]

In an access governance event model, managers view user entitlements, usage data, and most importantly, specifics regarding exactly how the user employed a given entitlement in a specific context. For example, read access on a production system during normal business hours is not a concern, but write/configuration changes on a production system during off hours could be indicative of suspicious activity

By shifting the focus from every user’s possible actions to specific actions on specific systems, organizations can potentially identify patterns of anomalous behavior to quickly spot suspicious activity. And while most parents will likely not need to resort to this level of visibility to track their kid’s driving, this experience does help provide a useful way to think about enhancing access governance.

Devices from companies like MOTOsafety provide a range of capabilities including GPS geolocation “fencing,” which can alert parents when a driver enters or exits a specific area or location. Source: MOTOsafety (

[2] Source: Angela Moscaritolo, “Chevy Malibu ‘Teen Driver’ Tech Will Snitch If You Speed,” PCMag, March 20, 2015 (,2817,2478543,00.asp).