Identity management and access management are close cousins in the cyber family, but despite their similarities, they have very different roles to play in protecting data. While access management focuses on the role of the gatekeeper, identity management focuses on managing key information that the gatekeeper needs to make decisions. This information—the attributes related to the user, such as their roles and credentials—help organizations make informed decisions about access. The job of being a digital traffic cop, however, is dynamic. Roles change, policies morph over time, and employees go in and out of the workforce. In today’s cloud environment, conducting comprehensive audits of identity and access policies is critical to the success of business operations, compliance, and security.
For enterprise companies, securely managing access across infrastructure is more complex due to the adoption of new technologies, cloud services, and DevOps tools. Legacy approaches can’t keep up with the developing needs brought on by evolving technology, so teams are left with multiple and inconsistent solutions. Oftentimes, the complexity of cobbled solutions results in increased risks such as shared login credentials, excessive privileges, and the administrative load leading to slow and incomplete user provisioning and deprovisioning.
In our 2022: The Year of Access report we found that nearly two-thirds of enterprise companies require at least hours or days for access requests to be routed, approved, and granted, with 8% saying the process typically takes weeks. In general, the longer these requests take, the slower the business moves. It should come as no surprise then that workers who cannot get access quickly enough move to find a workaround. Unfortunately, this workaround often takes the form of backdoors and shared logins, which are quick fixes for employees, but they also introduce the risk of exploitation.
Sharing login information among team members may help with productivity temporarily, but benefits are fleeting since sharing credentials increases the likelihood that the credentials could be phished simply because more people are using them. Shared credentials also opens the door for internal threats, like disgruntled employees, to abuse those credentials for malicious purposes. In addition, if organizations use backdoors, or shared credentials, revoking someone’s access by deprovisioning their identity does not remove their ability to access systems, as they could still use the shared or team credentials to access critical systems. This is a common oversight for many organizations, and a serious security risk.
Many organizations use Privileged Access Management (PAM) tools to manage and monitor privileged accounts. Still, even enterprise companies that utilize these solutions have to address challenges such as decentralized management of credentials, employees sharing credentials, and orphaned accounts. In IDSA’s 2022 Trends in Securing Digital Identities report, more timely reviews of privileged access was one of the most common answers given by security pros when asked to choose from a list of actions that could have prevented or minimized an identity-related breach their organization suffered. Particularly when it comes to privileged accounts, it is vital to know the owners and access rights of each account and have a straightforward and repeatable process for assigning privileges according to the user’s role in the organization.
A scan of newspaper headlines reveals talk of The Great Resignation–a period when employees resigned from their roles en masse in search of better career opportunities. For employers reacting to the Great Resignation, it’s imperative that IT teams properly offboard and deprovision their former employees to mitigate the risk of backdoor attacks. Regardless of these macroeconomic trends in employment, experts recommend conducting annual audits of user permissions within IT environments for optimal security purposes.
With the end of the year quickly approaching, now is a good time to start a user permissions audit. Here are four pieces of advice on designing an audit process to help you get started.
- Create an inventory of all systems in your infrastructure. This will inform what systems are available for employees and third parties.
- Develop an understanding of the roles in your organization and the levels of access required by each role.
- Map the access requirements to your existing employees based on their job requirements and identity. This will show where access has been over-provisioned, as well as where additional access may be required for your team members.
- Ensure that credentials are not being shared and that team logins do not exist.
Although audits are time-consuming, they enable organizations to maintain an accurate view of the users and machine identities accessing their systems and data. Audits also help stakeholders make decisions about access policies with confidence. Without this view, effective identity and access management is impossible. Cybersecurity Awareness Month is the perfect time to ensure that only the right people have access to critical systems.
About the Author: Justin McCarthy is the Co-Founder and CTO of StrongDM. He developed empathy for Operations as a founding and pager-carrying member of many operations and data teams. As an executive, he led Engineering and Product in high-throughput and high-stakes e-Commerce, financial, and AI products, which led him to take a people-first approach to access management and security. Justin is the original author of StrongDM’s core protocol-aware proxy technology. Visit Justin on LinkedIn.