Identity Governance Blog

How Your Organization Can Manage Unnecessary User Access and Accounts With Excessive Permissions

February 22, 2024

In late 2023, Omada produced The State of Identity Governance 2024, a report that analyzes the most critical findings from a survey of more than 550 IT security and business leaders. The goal of the survey was to learn respondents’ insights on their organizations’ current identity governance strategies, the identity-related security threats that present the greatest concern to them, and what features they value most when looking for new identity governance and administration (IGA) solutions. See The State of Identity Governance 2024 report here and get access to the complete findings.

In the Decoding the State of IGA 2024 webinar, Omada Vice President of Product Strategy Rod Simmons and Senior Solution Architect Craig Ramsey analyze and break down the survey findings into actionable information for organizations that want to improve their IGA strategies. In this post, we review Simmons’ and Ramsey’s analysis of why more than 71 percent of IT security and business leaders surveyed agree that users in their organization have unnecessary access to systems and applications and how this challenge tracks their concern levels about identity-related security threats.

 

The Challenge of Balancing Efficiency and Security With IGA

Ramsey introduced his remarks with the retelling of an adage followed by two important questions: “Security is inefficient. Efficiency is insecure. But are organizations today truly limited to this binary choice? What can organizations do to reduce unnecessary user access and eliminate overly permissive accounts while maintaining efficiency and creating a secure environment?”

Ramsey pointed out that legacy IGA and identity access management (IAM) solutions are cumbersome to the point that they are often perceived as barriers to both productivity and efficiency. Omada’s survey findings bear out this point. For organizations using legacy or in-house-built IGA systems, the share of respondents who report concern about unnecessary access to systems and applications and overly permissive accounts jumps to 78 percent versus 71 percent for respondents overall. If you are using a modern IGA solution and your organization has well-defined business processes, your IGA effort is helping enforce the principle of least privilege. You can ensure that the right people have the right access at the right time for the right reasons, so they have what they need to do their jobs. If an account is breached or compromised, a modern IGA solution enables you to mitigate the overall impact on the organization.

Modern IGA also enables functionality like just-in-time provisioning that gives users access to applications and data only when they need it, so it is not there permanently. This ensures maximum user productivity while maintaining security, meeting compliance requirements, and reducing risk. A well-appointed modern IGA solution will provide identities with the access they need and, at the same time, create a good end-user experience.

 

IGA Delivers Critical Automation to the Process

Simmons built on Ramsey’s remarks, adding that modern IGA enables organizations to achieve efficiency, speed, accuracy, and consistent output – all at scale – and automation is the critical driver of this essential functionality. Any time there is a manual process involved, there is greater room for error that eats into the overall benefits your solution can offer. This is especially true with unnecessary user access and accounts that have excessive permissions. If you can get the automation of controls for user access and appropriate permissions right, the sky’s the limit for most organizations.

 

Overcome Barriers to Successful Access and Permissions Management

Simmons points out that many organizations are hesitant about the concept of revoking access, and this works to the benefit of attackers. In some instances, revoking access is a good policy. For example, a financial services enterprise revokes access from users who should not have permission to make a high amount of wire transfers. On the other hand, if automation were to revoke access that a user needs to do their job, they must troubleshoot the problem, and this creates productivity loss. The result is that organizations do not implement automation designed specifically to prevent this issue. In general, however, there are subtleties that access and governance managers can account for when automating access management. It is important to have a defined business process sufficient to instill confidence in the IGA solution and its ability to minimize productivity loss while delivering appropriate levels of security.

 

The Human Factor in Access and Permission Management

The key to having an effective business process for IGA is getting the right people involved, starting at the top of the organization and moving down. This evolution to a modern IGA is not only a technological change; it is also a massive cultural shift to tell users that if they do not need access, the organization is going to revoke it. It is human nature for users to want to hang on to access in perpetuity “just in case,” and it must be clear that revoking unnecessary access is the right business decision. Getting buy-in across the organization is essential to driving down occurrences of accounts with unnecessary access or excessive permissions.

 

The Effect of Digital Transformation on Access and Permission Management

Ongoing digital transformation, accelerated by COVID, has pushed more people than ever to remote work. In The State of Identity Governance 2024, more than half of respondents report more employees, partners, and contractors working remotely in their organizations since COVID-19. This is likely impacting IT professionals’ and business leaders’ concerns about access and permissions management. Organizations feel an urgency to get people productive from remote locations as quickly as possible, which can lead to the granting of unnecessary access and overly permissioned accounts. It is important that in this effort, the established business process is not circumvented through unsound practices like shadow IT that can compromise any security strategy.

In large enterprises, particular departments managing digital transformation challenges may need a solution that their corporate IT team is not willing or able to deliver, so they onboard their own solution. As they go forward with it, at some point their IT team will need to manage the solution, and this can also create access and permission issues.

 

Actionable Insights for Managing IGA in Your Organization

Learn more about how the findings of The State of Identity Governance 2024 should drive your IGA strategy in 2024 and beyond. In Decoding the State of IGA 2024, Omada Vice President of Product Strategy Rod Simmons and Senior Solution Architect Craig Ramsey break down the findings regarding enterprise perceptions of identity governance from The State of Identity Governance 2024, delve into the insights uncovered, and provide key takeaways to help shape your organization’s identity and access management strategy.

Watch Decoding the State of IGA 2024 on demand

 

This is the third of a four-part series covering the highlights of Omada’s webinar, Decoding the State of IGA 2024. Read the previous blog in the series, Two Specific Identity-Related Security Threats Modern IGA Mitigates Most Effectively here.
