It is not news to suggest that the number of digital identities in an organization have exploded in number, making it more challenging than ever for security teams to manage and enable every single one. Things get even hairier when organizations are tasked with configuring access rights to applications and infrastructure, otherwise known as entitlements, when people require access to a growing variety of cloud and on-premises resources. Recent Gartner research shows that the number of distinct entitlements has exceeded 5,000, on average, across different cloud service providers. Further, more than 95% of accounts in infrastructure as a service (IaaS), use, on average, less than 3% of granted entitlements. It is clear that IAM teams have their hands full as they try to walk the fine line between business efficiency and security, but what is clearer is that people, by and large, have too much access. Aside from being unnecessary, this can be quite dangerous for an organization’s cybersecurity posture.
The reason for excessive access seems straightforward, and even harmless in some cases. As people change jobs, roles, projects, or even depart an organization, they likely will need new entitlements to afford them the ability to do their jobs efficiently. As businesses rush to get these people equipped with these entitlements, however, they may not remember, or have processes in place to remove old access that is no longer needed as part of the new role. As people change jobs more and more frequently, this can lead to the entitlements creep, meaning an accumulation of privileges and access rights. Often times, these entitlements are no longer needed and will have no impact on productivity if they are removed. Despite this, entitlement creep is all too common amongst organizations. Without proper governance of who has access to what and why there are several downsides and risks.
Most organizations say they are deeply committed to the principle of least privilege. However, in recent research from ESG, 45% of organizations indicated that they have difficulty identifying which users have access to what data. Without proper identity lifecycle management to deprovision old access that is no longer needed, it is easy to violate this foundational pillar of identity security. This is a common flaw within entitlements management plans, as teams often times must import entitlements data from numerous sources (CSV files, HR systems, cloud infrastructure, application data, and more) in order to map who needs access to what. Further, businesses typically focus on productivity for its users as priority #1 and take a laissez-faire approach to cybersecurity. This is particularly the case when people need access to things quickly, as is often the case when third-party contractors are extended, employees change departments, or take on new responsibilities.
Mapping entitlements data from a variety of different sources creates challenges for IAM teams and auditors alike. As people accumulate entitlements, unused privileges can be a blind spot for IAM and security teams and over time can become an afterthought to remove. Orphan accounts are a huge component of entitlements creep, which we’ve covered the risks on in a prior piece, but as people hold on to access they no longer need, assigning ownership, or even discovering and correlating orphaned accounts can be a time-consuming chore that creates holes in monitoring of the environment. Additionally, when audits come up, without easy to track reporting and dashboarding, teams may spend large swaths of resources and time digging up data on who has access to what. At a minimum, time will be wasted, but frequently a failed audit can lead to financial downsides, reputational damage and more.
Chickens Coming Home to Roost
Unfortunately, many teams take a ‘we’ll deal with it when we have to’ mindset when it comes to managing and maintaining entitlements. Without a centralized solution it can seem gratuitous to even bother removing entitlements for people; they have had the access already, why worry about taking it away? However, this mindset can result in a mountain of unused permissions and entitlements and when an audit comes up, or a new organizational mandate is implemented to account for all access, it can be next to impossible to scramble to assign proper entitlements. Without proper, continuous hygiene for entitlements, there can be a snowball effect and there can be hundreds of thousands of entitlements to catch up on.
How Can I Combat Entitlements Creep?
The presence of a full-featured Identity Governance and Administration (IGA) solution should be able to manage the entire identity lifecycle so that when identities move from department to department, or as contractors’ contracts are extended, they are automatically provisioned with the proper access to do their jobs. This helps to solve the matter of enabling identities with enough access to be productive. However, IGA solutions also ensure that when access is no longer required to perform a certain job, that access is flagged and automatically deprovisioned. This is a primary IGA use case that can help prevent entitlement creep.
Second, organizations can use IGA to delegate the ability to create access packages through roles or policies that contain resources that identities can request, as well as who must approve that access. In order for people to make requests for access and have it granted; IGA needs to know what types of entitlements are available for people to request, as well as what entitlements are required for the job at hand. Tying in certification campaigns, to quickly verify if entitlements are still being used is also a core function of a full-featured IGA solution.
For more on key processes to implement as part of any IGA program, read more about Omada IdentityPROCESS+.