Identity Governance Blog

Implementing Least Privilege with Modern Identity Governance

By Andrew Silberman, Product Marketing Director at Omada

October 25, 2021

Sacrificing Security for Efficiency

Too often businesses will forsake security in the name of business efficiency, but it does not have to be this way. It should be noted that this is no fault of security or IT teams; businesses today move fast, and with the persistence of remote work and increased cloud adoption, the traditional network perimeter has changed dramatically, requiring a new approach to identity management that marries efficiency with security. The principle of least privilege requires that employees only have access to the resources, information, and data that are necessary to do their jobs. For example, a sales executive does not require access to spin up new virtual machines, and therefore should not have access to the cloud console. There is another element of least privilege that time-bounds access so that the identity only has access to what they need, when they need it. This is also sometimes referred to as just-in-time access.

There are many tools out there that can help implement least privilege and just-in-time access, but it starts with identity governance. Modern identity governance solutions help organizations implement least privilege by first ensuring that identities only have access to the right applications, that users are not able to perform tasks outside of their job roles, easily managing users throughout their lifecycle, all while maintaining audit logs of who did what, when, and why. Modern identity governance solutions help organizations perform all these tasks without making it burdensome for IT and Security teams to maintain order. Once governance controls are implemented, organizations can then take the next steps in their least privilege programs, but without assigning access rights tailormade to each identity, it is an uphill climb to be able to truly achieve and maintain least privilege.

Role Based Access Control

A critical element in achieving least privilege is assigning access based on someone’s job function, role or title, often referred to as role-based access control (RBAC). RBAC restricts access based on roles to keep guideposts in place so that people’s job function corresponds with the level of access they require, but also works to simplify how people are assigned access. Within a modern identity governance solution, in the back end, roles can be defined and created so that users who have the same or similar jobs are assigned with the same access rights to the same systems. These roles can be described based on responsibility, department, projects, and more, and can be leveraged by administrators to easily roll out proper access rights. In the effort to achieve least privilege, setting up repeatable processes for which users need access to which resources, this is a nice, templated way to get access assigned in a standardized fashion.

Identity Lifecycle Management

Throwing an additional wrench into maintaining least privilege is the fluidity of employment at every organization. Each month new employees are hired, and third-party vendors are contracted. Every year (if not more frequently), people are promoted to new roles, or change departments, and employees decide to find employment elsewhere, are let go, or retire. It can all be complicated to ensure that employees have the proper access they require in accordance with new roles, but only for the right period of time. This elicits components of both least privilege and just-in-time access. Modern IGA solutions should enable administrators and practitioners to manage the entire lifecycle of each identity to ensure that as employment and/or contractual status changes, each identity does not have excessive or unneeded permissions.

Segregation of Duties

Once access has been assigned, maintaining order by ensuring that each identity continues to only access what they require is critical. Businesses need checks and balances as a way of retaining order and to ensure that unilateral (and risky) decisions are not made without effective oversight. Naturally, businesses have multiple people that fill various functions across the organization and separate out critical functions of various processes to more than one person, department, or job function. This is to help hedge the risk of one person gaining too much autonomy and power to perform tasks that should be aided, checked, or otherwise collaborated on by others. Imagine a software developer who can move code from dev to test to production without any checks or balances. Or imagine someone in Finance having access to accounts payable and accounts receivable. These are both examples of toxic combinations that should never come into play, and ideally least privilege concepts are already enacted to prevent them. However, if this is not, modern identity governance solutions should be able to implement Segregation of Duty (SoD) constraints so that identities do not have toxic combinations of access rights and allow managers to evaluate situations in real time.

Implementing least privilege is a continuous process that requires modern identity governance to help institute: efficient workflows for business users and administrators, role-based access control, identity lifecycle management, and segregation of duties. Omada is a global market leader in modern IGA, that offers a full-featured, enterprise-grade, cloud native IGA solution to enable organizations achieve compliance, reduce risk, and maximize efficiency.

For more information on how to effectively implement Omada Identity Cloud in 12 weeks or less, click here:

Download Product Brief

Let's Get

Let us show you how Omada can enable your business.