From previous research, we’ve heard that the number of identities managed in the enterprise is exploding (52% say that identities have grown more than five-fold in the past 10 years), that organizations struggle to align identity and security teams (only about half (53%) report that security has any level of ownership for workforce IAM), and that 94% of organizations have had an identity-related breach, which 99% believe could have been prevented. These stats highlight the current state of identity security from the inside – the teams immersed in the day-to-day work of managing and securing identities and putting identity and access management processes and technologies in place. But what is the impact of their efforts on their stakeholders?
It’s not often that research focuses on the business stakeholder perspective, especially when it comes to the impact of identity and access management processes and technology. However, given the elevated importance of identity and access management due to the pandemic, the goal of our latest research – Identity and Access Management: The Stakeholder Perspective – was to capture hard data on the experiences of these stakeholders and the impact of current practices on security risks and business operations.
We surveyed 313 qualified professionals who worked at a company with at least 1,000 employees where a typical employee required access to multiple systems to do their work. We chose participants who had direct responsibility for adding or removing access to corporate systems for workers (employee, contractor, vendor, etc.). They include –
- HR professionals who oversee the workers that join the company, move to different areas of the company, or eventually depart the organization
- Sales Managers to represent the business teams who are concerned about the productivity and sensitivity of the data being accessed
- Help Desk teams who handle access requests, access removals, and resolve access problems
What message do these access stakeholders have for CISOs, security, and identity teams involved in defining and implementing IAM policies, processes, and technologies?
- There are delays related to access (granting and removing) that affect business operations and introduce risk to the organization, and 83% indicate that timely access has become more challenging with Covid-19.
- They believe that identity is a team effort (81% believe they share responsibility for access issues), but they also own up to poor behaviors (7 in 10 confess to having personally engaged in poor system identity behavior).
- There is a lot of room for improvement (83% say access request processes could be improved) in identity and access management processes and technologies, potentially through automation: only 23% report that enabling system access is automated, and only 35% report that revoking system access is automated.
The good news is that the delays reported in granting and revoking access can be addressed through the automation that seems to be lacking in these organizations. Fundamental IAM best practices, such as automated provisioning/de-provisioning and governance committees, combined with identity-centric security outcomes that bring identity and security capabilities together, can help address the challenges identified in the research.
Below are recommendations from the Identity Defined Security Alliance for addressing challenges illustrated in the report:
72% report it takes at least a week for a typical worker to get access to required systems and only 23% report system access enablement is automated: The delay in granting access not only impacts productivity but can be a morale buster for a new worker who is unable to hit the ground running.
50% report it usually takes three days or longer to revoke access for a worker that leaves and only 35% report revoking system access is automated: The delay in revoking access for workers who have left the organization (voluntarily or terminated) or have transitioned roles introduces the risk of inappropriate access and data theft.
In fact, 56% of Sales Managers report that they know they have staff who stole information when they left the organization. Delays in revoking access for workers who have been terminated or moved out of roles can open an organization up to the risk of data loss.
- Best Practice: Automated provisioning and de-provisioning should be implemented with the help of adjacent and applicable business processes. Automation allows you to realize the full benefit of an IAM program with the goal of reducing the number of manual access changes managed through your Service Management application or other ad-hoc processes.
- IDSO-001/002: User/Privileged accounts and entitlements are granted through governance-driven provisioning
- IDSO-003/004: User/Privileged accounts and entitlements are removed through governance-driven provisioning
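The best practice and outcomes above describe the mechanism in the abstract. As an added illustration (example code written for this article, not a product or IDSA deliverable), the following reconciliation routine shows what "governance-driven provisioning" looks like when reduced to its core: HR is the source of truth for who a worker is and what role they hold, a role-to-entitlement map (hypothetical here, `ROLE_GROUPS`) says what that role is allowed, and the directory is driven to match. The worker records, account records and group names are constructed sample data; the function returns the joiner, mover and leaver actions an automated connector would execute, plus a review flag for any enabled account HR cannot explain.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed data model for this example; in practice the worker feed comes
# from the HR system and the account list from the directory or IdP.
@dataclass(frozen=True)
class Worker:
    worker_id: str
    status: str        # "active" or "terminated", as reported by HR
    department: str

@dataclass
class Account:
    worker_id: Optional[str]   # None: nothing in HR links to this account
    username: str
    enabled: bool
    groups: Set[str] = field(default_factory=set)

# Hypothetical role model: the "governance-driven" part. Every entitlement a
# worker holds must be explained by a baseline or by their department's role.
BASELINE_GROUPS = {"all-staff"}
ROLE_GROUPS = {
    "sales": {"crm-users"},
    "finance": {"erp-users", "gl-readers"},
}

def desired_groups(worker: Worker) -> Set[str]:
    return BASELINE_GROUPS | ROLE_GROUPS.get(worker.department, set())

def reconcile(workers: List[Worker], accounts: List[Account]) -> List[Tuple]:
    """Return the ordered list of changes needed to make the directory match HR.

    Each action is a tuple starting with one of:
    "create", "disable", "add_group", "remove_group", "review_orphan".
    """
    actions: List[Tuple] = []
    by_worker = {a.worker_id: a for a in accounts if a.worker_id is not None}
    for w in sorted(workers, key=lambda w: w.worker_id):
        acct = by_worker.get(w.worker_id)
        if w.status == "terminated":
            # Leaver: disable immediately and strip every entitlement, so a
            # later re-enable or credential reuse cannot restore old access.
            if acct is not None and acct.enabled:
                actions.append(("disable", acct.username))
                for g in sorted(acct.groups):
                    actions.append(("remove_group", acct.username, g))
            continue
        wanted = desired_groups(w)
        if acct is None:
            # Joiner: create the account with exactly the role's entitlements.
            actions.append(("create", w.worker_id, tuple(sorted(wanted))))
            continue
        # Mover (or drift): add what the current role needs, remove the rest.
        for g in sorted(wanted - acct.groups):
            actions.append(("add_group", acct.username, g))
        for g in sorted(acct.groups - wanted):
            actions.append(("remove_group", acct.username, g))
    # Orphans: enabled accounts HR does not know about are exactly what a manual
    # de-provisioning process leaves behind. Flag for review rather than disable
    # blindly, since some will be service accounts that need an owner assigned.
    known = {w.worker_id for w in workers}
    for a in sorted(accounts, key=lambda a: a.username):
        if a.enabled and (a.worker_id is None or a.worker_id not in known):
            actions.append(("review_orphan", a.username))
    return actions

# Constructed sample: a steady-state worker, a leaver whose account is still
# enabled, a mover still holding the old department's group, a joiner with no
# account yet, and an enabled account with no HR owner.
WORKERS = [
    Worker("W1001", "active", "sales"),
    Worker("W1002", "terminated", "finance"),
    Worker("W1003", "active", "finance"),   # moved from sales to finance
    Worker("W1004", "active", "sales"),     # started today, no account yet
]
ACCOUNTS = [
    Account("W1001", "asmith", True, {"all-staff", "crm-users"}),
    Account("W1002", "bjones", True, {"all-staff", "erp-users", "gl-readers"}),
    Account("W1003", "cwu", True, {"all-staff", "crm-users"}),
    Account(None, "svc-legacy", True, {"erp-users"}),
]

if __name__ == "__main__":
    for action in reconcile(WORKERS, ACCOUNTS):
        print(action)
```

Running the sample produces no action for `asmith` (already correct), a disable plus three group removals for the leaver `bjones`, two additions and one removal for the mover `cwu`, a create for `W1004`, and a review flag for `svc-legacy`. The point for the statistics above is that none of these steps waits on a ticket queue: the delay collapses to how often the HR feed is polled or how quickly an HR event is pushed.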
Only 38% would immediately terminate access based on suspicious behavior, and seven in 10 confess to having personally engaged in poor system identity behavior, including reusing passwords across personal and work accounts, writing passwords down, and sharing passwords through messaging apps: Suspicious access behavior can be an indicator of compromised credentials (potentially exposed through those bad behaviors) or an insider threat. Security controls that leverage UEBA and risk-scoring technologies can automatically revoke access, trigger step-up authentication, or kick off access reviews, limiting the damage done.
- IDSO-007: Expected user behavior is used for authentication
- IDSO-009: Access is revoked upon detection of high-risk events associated with an identity
- IDSO-010: Re-attestation is triggered based on a high-risk event
- IDSO-018: All user access requires the option of multi-factor authentication
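To make the four outcomes above concrete, here is an added example (written for this article; not code from any UEBA product or from the IDSA) of the decision layer that sits between a risk signal and an access control. The event types, the weights in `WEIGHTS`, the 24-hour accumulation window and the two thresholds are all assumptions chosen for illustration; a real UEBA engine learns per-user baselines rather than applying fixed rules. The events are constructed sample data covering a reused credential from a new device in a second country, repeated MFA failures, and a bulk download. Each event is scored, scores accumulate per identity, and the cumulative score maps to "allow", "step_up_mfa" (IDSO-007/018) or "revoke_and_reattest" (IDSO-009/010).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed event model; a real feed would be IdP sign-in logs, MFA logs and
# data-access telemetry normalised into something like this.
@dataclass(frozen=True)
class Event:
    identity: str
    ts: datetime
    kind: str              # "login", "mfa_failed" or "download"
    country: str = ""
    new_device: bool = False
    bytes_out: int = 0

# Hypothetical weights and thresholds for this example only.
WEIGHTS = {"new_device": 20, "mfa_failed": 15, "bulk_download": 40, "impossible_travel": 50}
BULK_BYTES = 500 * 1024 * 1024
TRAVEL_WINDOW = timedelta(hours=2)   # logins from two countries this close apart
RISK_WINDOW = timedelta(hours=24)    # per-identity scores accumulate over this window
STEP_UP_AT = 30                      # IDSO-007/018: demand another factor
REVOKE_AT = 70                       # IDSO-009/010: revoke and trigger re-attestation

def event_reasons(ev: Event, last_login: Optional[Event]) -> List[str]:
    """Name the risk indicators a single event carries, given the prior login."""
    reasons = []
    if ev.new_device:
        reasons.append("new_device")
    if ev.kind == "mfa_failed":
        reasons.append("mfa_failed")
    if ev.kind == "download" and ev.bytes_out >= BULK_BYTES:
        reasons.append("bulk_download")
    if (ev.kind == "login" and last_login is not None
            and last_login.country != ev.country
            and ev.ts - last_login.ts <= TRAVEL_WINDOW):
        reasons.append("impossible_travel")
    return reasons

def decide(score: int) -> str:
    """Map a cumulative risk score to the control that fires."""
    if score >= REVOKE_AT:
        return "revoke_and_reattest"
    if score >= STEP_UP_AT:
        return "step_up_mfa"
    return "allow"

def evaluate(events: List[Event]) -> List[Tuple[str, datetime, int, str, List[str]]]:
    """Process events in time order.

    Returns one row per event: (identity, ts, cumulative score, action, reasons).
    """
    last_login: Dict[str, Event] = {}
    history: Dict[str, List[Tuple[datetime, int]]] = {}
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = event_reasons(ev, last_login.get(ev.identity))
        score = sum(WEIGHTS[r] for r in reasons)
        # Keep only this identity's scores inside the window, then add this one.
        recent = [(t, s) for t, s in history.get(ev.identity, []) if ev.ts - t <= RISK_WINDOW]
        recent.append((ev.ts, score))
        history[ev.identity] = recent
        total = sum(s for _, s in recent)
        out.append((ev.identity, ev.ts, total, decide(total), reasons))
        if ev.kind == "login":
            last_login[ev.identity] = ev
    return out

def actions_for(decisions, identity: str) -> List[str]:
    return [d[3] for d in decisions if d[0] == identity]

# Constructed sample events.
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    Event("asmith", T0, "login", country="US"),
    Event("asmith", T0 + timedelta(hours=1), "login", country="RU", new_device=True),
    Event("bjones", T0 + timedelta(minutes=5), "mfa_failed"),
    Event("bjones", T0 + timedelta(minutes=6), "mfa_failed"),
    Event("bjones", T0 + timedelta(minutes=10), "login", country="US"),
    Event("cwu", T0 + timedelta(hours=2), "download", bytes_out=600 * 1024 * 1024),
]

if __name__ == "__main__":
    for identity, ts, total, action, reasons in evaluate(SAMPLE_EVENTS):
        print(f"{ts:%H:%M} {identity:8} score={total:3} {action:20} {reasons}")
```

On the sample, `asmith`'s first login is allowed and the second (new device plus a country change within an hour) scores 70 and is revoked with re-attestation queued; `bjones` is allowed after one MFA failure, stepped up after the second, and remains stepped up on the following login because the score has not aged out; `cwu`'s bulk download alone is enough to force step-up. The design choice worth noting is that revocation is automatic at the high threshold, which is the gap the 38% figure above describes, while the lower threshold adds friction rather than blocking, so false positives cost the user a second factor rather than a day of lost productivity.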
78% report there is more than one department involved in defining system access and two in five characterize ownership of system access as “messy and all over the place,” but 81% believe they share responsibility for access issues: Stakeholders reported that there are definitely areas for improvement in processes and technologies that they interact with on a daily basis and are more than open to sharing responsibility for access issues.
- Best Practice: Create an Access Governance Committee that fosters collaboration between managers of system and/or data access across the organization. Fostering collaboration and consistency between all those who manage system or data access in the organization will lead to a better end-user experience and the identification of potential organization-wide efficiencies (automation, process improvements, etc.), while also reducing the risk of audit findings.
- IDSO-011: All privileged access is periodically attested
- IDSO-012: Access to sensitive data is periodically attested
With the number of identities in the enterprise exploding, the processes and technologies for managing them have become increasingly important and can have a significant impact on business operations and enterprise risk. By implementing fundamental IAM best practices and identity-centered security outcomes, CISOs and IT leaders can continue to protect their organizations from compliance violations, stolen credentials or theft of confidential information, while also delivering value to their key stakeholders.