For many IT leaders, auditors and security practitioners, there’s a gap between what they want their IT landscape to look like and the reality. In the case of identity and access management, this gap is likely due to a combination of lack of transparency and misconfigured access rights. Misconfigurations and improper access rights management are the leading causes of security breaches and failed audits – and that’s particularly worrisome as organizations add more and more applications to their on-premises and cloud environments.
In a recent study, Varonis found that 44 percent of cloud user privileges are misconfigured in one way or another. A real-life scenario recently played out when Ukrainian government agencies and banks were hit with data-wiping attacks, which led to a major loss of data. Security analysts believe this could only have happened if there was uncontrolled access in Active Directory - an issue that could have been solved by doing recertifications more effectively.
Yet, while assigning proper access to the right users for the right resources has never been more necessary, it can seem like a tall order for an organization to get started. But it’s not insurmountable – it begins with a close examination of the situation.
An explosion of access
It’s all too easy to end up with too many accounts with too many privileges. Maybe an administrator is asked to add a member to an account, and in the essence of speed and efficiency, the admin gives these identities more access rights than they need to do their job.
Businesses today are moving quickly and the level of access a user/identity needs can also rapidly change, and that means IT or identity leaders need a way to continuously verify access rights. However, in most situations, access rights are only evaluated and verified once or twice a year – often prompted by necessity in the form of compliance regulations or an upcoming audit.
The evaluation can be a time-consuming, frustrating and convoluted process. Determining who needs what access or who needs access re-certifications often requires a lot of decision-making without sufficient information to go on. This process could be made easier, in part, by properly describing the purpose of roles and what they need access to and when. Applying a smart risk model increases your ability to govern users with high-risk access and helps sharpen the focus.
Taking back control of access rights
When it comes to taking control of access rights, everyone is starting at a different place. For some organizations, it might make sense to start over from scratch while other organizations might just need to overhaul a few policies.
One of the key things to keep in mind about access rights is that it’s never a one-time thing; the world doesn’t stand still, and roles will continue to evolve and change. Another thing to keep in mind is to build a system that you can easily sustain and mature along the way.
Policy-based access control needs to be considered as part of the system, but it’s often undervalued, as most organizations tend to focus more on the role level. Whereas role-based access control provides user access based on static roles, policy-based access control determines access privileges dynamically based on rules and policies (such as employee’s department, job role or project membership.) You can’t prevent people from requesting access, nor should you, but you should look at it like a closed-loop system. Individually assigned access can help improve your role-based model and from there, that will decrease the overall need to request access.
When the majority of access is granted via policies and roles, recertification campaigns will begin to effectively increase your enterprise’s security, as few decisions will need to be made by your employees. It’s much more effective to centrally recertify a single policy than having your team recertifying the thousands of related access rights continuously.
A modern approach
It’s all too easy to let recertification efforts pile up until you have to do a massive overhaul. A better approach is to break the process up into smaller chunks throughout the year. The first step is to gather all the data about access from the HR system and other sources. It also lets security teams compare the actual state with the desired state of access rights and resource assignments.
This not only makes identity and access data (and historical data) available so IT auditors can verify changes, but it also enables teams to act when there are discrepancies. Teams can apply policies and workflows to make changes using and maintaining full control over the entire identity lifecycle from the day an identity joins the organization until it leaves.
A modern access governance solution and IGA program also generate detailed reporting that gives an overview and the analytics to make sure everything is working properly. Security teams can then follow up on policies like Segregation of Duties to detect combinations of access rights that certain users shouldn’t have.
This process occurs in real time, ideally, so teams don’t get burdened with manual work that can be repetitive and time-consuming – and lead to errors. Whenever changes are made using policies, they need to also be simultaneously fulfilled in the target systems themselves, which is referred to as provisioning. Once changes are made in the target system, the data set is then imported again to compare and reconcile the new, actual state ensuring you apply all changes.
Getting access rights right
Enforcing the need-to-know principle for access is essential to protecting your enterprise, especially as new cyber threats emerge that are specifically using unmanaged access to initiate attacks. Access rights have always been hard to govern, and today’s hybrid work environment only makes it harder. Fortunately, by using the processes noted above and a modern access management solution, the situation becomes much more manageable. If you can win the identity governance game, you’re well positioned to conquer the other challenges in your identity-first security approach.