The number of digital identities in an organization increases rapidly due to such effects, making it more difficult than ever for security people to manage and activate each one individually. This creeping accumulation of access privileges is known as Entitlement Creep. Keeping track of all privileges becomes even more difficult when organizations are tasked with configuring permissions on applications and infrastructure once people need access to a growing variety of cloud and on-premises locations.
Recent research from Gartner shows that the average number of different permissions across cloud service providers has exceeded 5,000. In addition, more than 95 percent of accounts within IaaS environments use less than 3 percent of granted permissions on average. Clearly, IAM teams have their hands full as they try to walk the fine line between business efficiency and security. Even more obvious is that employees, by and large, have too much access. Aside from being unnecessary, this can be dangerous to a company’s IT security.
Haste Makes Waste
The reason for excessive access distribution seems simple and, in some cases, even harmless: When employees change jobs, roles, projects, or even leave the company, they likely need new permissions to do their jobs efficiently, or the existing ones need to be removed. However, as organizations rush to provide these employees with these permissions, they may forget to have processes in place to remove old access rights that are no longer needed as part of the new role.
As employees change jobs more frequently, this can lead to a creeping accumulation of privileges and access rights. Often, these privileges are no longer needed and have no impact on productivity when removed. Nevertheless, the expansion of permissions is all too common in organizations. Without proper control over who can access what and why, security vulnerabilities arise.
Excessive Privileges Due to Lack of Oversight
Most business owners say they are committed to the principle of least privilege. However, in a recent ESG survey, 45 percent of business owners said they have difficulty identifying which users can access which data. That’s not surprising, because, without proper identity lifecycle management to revoke outdated access privileges, it’s easy to damage this cornerstone of cybersecurity. This mistake is common in identity management, as employees often need to import credential data from numerous sources (such as CSV files, HR systems, cloud infrastructures, and application data).
These are needed to determine who needs access to what data. In addition, organizations tend to focus more on user productivity and take a laissez-faire approach to security. This is especially the case when employees need access to things quickly, or when third-party vendors expand, employees change departments or take on new responsibilities.
Improper Identity Management Is More than Just Another Risk
Mapping credential data from a variety of different sources creates challenges for IAM teams and auditors alike. As employees accumulate many credentials, unused privileges can be a blind spot for IAM and security departments and become a risk over time. Orphaned accounts are an important component of privilege creep. However, as employees retain access rights they no longer need, assigning ownership or even finding and correlating orphaned accounts can be a time-consuming task that creates gaps in monitoring the environment.
Moreover, when audits are due, without clear reports, groups can have to spend a lot of time and energy gathering data on who has access to what in the first place. Time is wasted, but often a failed audit can even lead to the financial detriment, reputational damage, and more because a user account taken over by hackers that have amassed a great many privileges is like the key to the gates of the city – especially if IT managers don’t know that account has so many privileges, or even still exists.
Negligence Threatens Snowball Effect
Unfortunately, when it comes to managing and maintaining authorizations, many departments act on the motto: We’ll take care of it when we have to. This is unacceptable, but without a centralized solution, it can seem unnecessary to even bother revoking people’s permissions; they had already been granted access, why bother revoking it now? Such a mindset, however, can lead to a mountain of unused rights and permissions.
When an audit is due or a new organizational directive is introduced to capture all access, it can be nearly impossible to assign the correct permissions. Without proper, continuous capture of permissions, a snowball effect can occur. Hundreds of thousands of authorizations then accumulate to be created and caught up, which is unmanageable.
Comprehensive Identity Governance and Administration (IGA) is able to keep track of the lifetime of digital identities, such as user accounts, so that when these identities move from one department to another, or when contracts with contractors are renewed, they are automatically given the right access to perform their duties – but nothing more.
In this way, identities can be thoughtfully equipped with sufficient access to keep the employees behind them productive. However, clean IGA also ensures that access that is no longer required to perform a particular task is flagged and automatically disabled. This is a key use case of IGA that can help prevent privilege creep.
In addition, organizations can use IGA to delegate the ability to create access packages through roles or policies. These contain resources that identities can request and list the people who must approve access. Ordinary IGA must clarify what types of permissions are available and what permissions are required for the task at hand so that people can make access requests and, in turn, have them approved.
Incorporating certification campaigns, during which it is possible to quickly check whether permissions are still in use, is also a core task of full-fledged IGA. In this way, no snowball is created in the first place, but all identities always have only the access permissions they really need, while superfluous identities are removed. The security loophole that an account becomes particularly lucrative for hackers because it is orphaned and has heaps of access permissions is closed.