Security practitioners, auditors, and IT leaders often know that there are gaps between what they want their IT landscapes to look like and what they actually look like. This gap is likely due to a combination of a lack of transparency and misconfigured access rights. Misconfigurations and improper access rights management are the leading cause of security breaches and failed audits, and the problem is particularly pressing as organizations add more and more applications to their environments, mostly in the cloud. In a recent study, Varonis found that 44% of cloud user privileges are misconfigured in one way or another. Assigning the right access to the right users for the right resources has never been more important, yet it can seem like a tall order for any organization to get started, and it all starts with awareness.
The Endless Cycle of Access Rights Management & Data Clean Up
Many security and audit leaders have already spent countless hours digging through piecemeal data history, entitlement records, certifications, and policies to try to get a real understanding of what access exists within their organizations. This information can be difficult to gather, and it is even more difficult to feel assured that it is complete and accurate. Even assuming that all of this information is current and comprehensive, running data cleanups, access policies, entitlement reviews and recertifications on top of it can feel like an endless cycle in which not a lot gets accomplished. What organizations really need is a way to verify that users are provisioned access only to the applications they require, with only the permissions they need.
The Danger of Excessive Access Rights
Security practitioners may sometimes think that an undertaking of this magnitude is too complicated or too cumbersome to accomplish. They are used to resource assignments being off base: users having too much access to a certain application, accounts with no owners floating around, users who still hold access rights they haven’t truly needed since 3 promotions ago, and more. The hard truth is that attackers can easily sniff these out and exploit over-permissioning and orphaned accounts that nobody is paying attention to, causing real-world damage. Establishing a comprehensive overview of identities and access data, so that the actual state can be compared against the desired state, can seem very daunting, but taking that first step is critical.
Regain Full Control of Access Rights
Identity Governance & Administration (IGA) solutions can help with gathering data on identities and access. When connected to authoritative sources such as an HR system, these solutions import data related to employees, contractors, third-party business partners and customers. IGA solutions can often act as the unifying force for all of this data, which is otherwise likely to be stored in disparate cloud-based and on-premises systems, databases, and spreadsheets. After gathering data from these authoritative sources, access rights and entitlements can be drawn out of other systems and applications, which adds detail and granularity to the lay of the land and states, in plain terms, ‘what is happening today’: who has access to which systems and applications, what their roles are, who granted that access, and more.
Disclaimer: there will certainly be access data findings that are eye-opening or stress-inducing. However, this eventually leads to better and fuller data, which helps security practitioners apply policies and workflows to make changes and regain full control over the respective identities. Enriching data and acting on it using policies is also known as reconciliation: the comparison of the actual versus the desired state of the data. The actual state is all the information that comes from systems and applications, such as access rights and accounts. The desired state is everything that is approved, either explicitly by a request/approval or a recertification, or implicitly by a policy or an approved role assignment. More on this below.
Continuous Access Data Comparison and Reconciliation
An effective identity and access governance program will not only gather the data but will also enable security teams to compare the actual state with the desired state of access rights and resource assignments. This makes identity and access data (including historical data) available so that IT auditors can verify changes, and it enables teams to take action when there are discrepancies. Practitioners of IGA solutions can apply policies and workflows to make changes while maintaining full control over the entire identity lifecycle, from the day an identity joins the organization, through any change of job role, until it leaves. A good access governance solution and IGA program also generates detailed reports that provide an overview and analytics to make sure everything is as required. Security teams can then follow up on policies like Segregation of Duties to detect combinations of access rights that certain users shouldn’t have (also known as ‘toxic combinations’).
Ideally, gathering this information and putting it to work happens in real time, so as not to burden teams with manual work that is repetitive, time-consuming, and error-prone. Whenever changes are made to the desired state using policies, they also need to be fulfilled in the target systems themselves, which is referred to as provisioning. Once the changes are made in the target systems, the data is imported again and the new actual state is compared and reconciled, ensuring that every change from the desired state has been applied.
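As an added illustration of the reconciliation loop described above (example code written for this page, not code from Omada or any IGA product), the following Python sketch compares a constructed actual state against a constructed desired state, reports excess and missing entitlements, orphaned accounts and Segregation of Duties toxic combinations, then simulates provisioning and re-import to show the loop converge. The system names, account names, entitlement names and the toxic pair are all constructed assumptions.

```python
from collections import defaultdict

# Actual state imported from target systems (constructed sample data):
# (system, account, owning identity or None, entitlements held)
ACTUAL = [
    ("erp", "alice", "alice", {"ap.create_vendor", "ap.pay_invoice"}),
    ("erp", "bob", "bob", {"ap.pay_invoice"}),
    ("erp", "svc_legacy", None, {"ap.create_vendor"}),  # no owner: orphaned
    ("crm", "carol", "carol", {"crm.read"}),
]
# Desired state: entitlements approved by request, recertification or role.
DESIRED = {
    ("erp", "alice"): {"ap.create_vendor"},
    ("erp", "bob"): {"ap.pay_invoice"},
    ("crm", "carol"): {"crm.read", "crm.export"},
}
# Segregation-of-duties policy (constructed): pairs one identity must never hold together.
TOXIC_PAIRS = [("ap.create_vendor", "ap.pay_invoice")]

def reconcile(actual, desired, toxic_pairs):
    """Compare actual vs desired state; return the changes and violations found."""
    findings = {"excess": [], "missing": [], "orphaned": [], "sod": []}
    held_by_identity, seen = defaultdict(set), set()
    for system, account, owner, ents in actual:
        seen.add((system, account))
        if owner is None:  # nobody can recertify an unowned account: escalate it
            findings["orphaned"].append((system, account))
            continue
        held_by_identity[owner] |= ents
        approved = desired.get((system, account), set())
        findings["excess"] += [(system, account, e) for e in sorted(ents - approved)]
        findings["missing"] += [(system, account, e) for e in sorted(approved - ents)]
    for (system, account), approved in desired.items():  # approved but not yet created
        if (system, account) not in seen:
            findings["missing"] += [(system, account, e) for e in sorted(approved)]
    for owner, ents in sorted(held_by_identity.items()):  # SoD spans all of an identity's accounts
        findings["sod"] += [(owner, a, b) for a, b in toxic_pairs if {a, b} <= ents]
    return findings

def apply_and_reimport(actual, findings):
    """Simulate provisioning the revokes/grants to existing accounts, then re-import."""
    revoke, grant = defaultdict(set), defaultdict(set)
    for bucket, changes in (("excess", revoke), ("missing", grant)):
        for system, account, e in findings[bucket]:
            changes[(system, account)].add(e)
    return [(s, a, o, (ents - revoke[(s, a)]) | grant[(s, a)]) for s, a, o, ents in actual]
```

After one provisioning pass the second reconciliation reports no excess, missing or SoD findings; the orphaned account remains because it needs an owner decision rather than an automatic grant or revoke.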
The question for security leaders is: how do we bridge the gap between the actual and the desired state and continuously update our identity governance and access rights management to reach the desired state? For more information on how to close the gap, continuously ensure that the desired state of access rights is maintained, and apply other best practices within the IGA program, check out the Omada e-book on IdentityPROCESS+.