With temperatures dipping and sunlight waning, winter is right around the corner for those of us in the Northern Hemisphere (particularly for those of us further North). One of the plusses of winter is the first snowfall. As we all know, snowflakes are each unique, with special characteristics that define them and differentiate them from one another. This, of course, applies to people too, as each person has different roles and responsibilities within an organization, some well-defined, others loosely defined, that are based on capabilities, tenure, personal relationships, and more.
Within the realm of identity security, it can be a challenge for businesses to maintain order when each identity requires different levels of access to applications, data, resources, and infrastructure, and so it can be helpful to categorize different types of identities so they can be sorted and kept track of. However, even then, figuring out the right levels of access that each identity requires within an application can be spliced in an infinite number of ways, making it challenging for administrators to feel any confidence in being able to securely provision the right access to the right people for the right reasons.
In a security-eutopia (the IT version of a winter wonderland, perhaps), each identity has a defined set of roles that make it so that people only do their assigned jobs and never need more access than what was generally defined. However, what’s more typical is teams set out to assign tailor-made access rights that are fit to each individual’s exact specifications, but this inherently creates a management nightmare. As discussed, each identity is special, so it’s reasonable to think they should have their own separate rules and tailor-made entitlements that keep everything nice and tidy. However, this is a deep rabbit hole that can soak up loads of time and resources.
Different Types of Identities
First, within any organization there is likely a huge variety in the types of identities. This can include full-time employees, contractors, third-party vendors, auditors, and more. Then, within each of those groups, there are sub-groups. For instance, employees can typically be broken down into departments: product, sales, marketing, finance, HR, whereas contractors can include outsourced IT, creative teams, supply chain management, and more. There are numerous ways to break down even the most seemingly similar identities, it could be by seniority, part-time vs. full-time, geographical location, or some other extraneous factor.
The point being, is that each identity can be, and typically is, categorized by several business contexts that make each identity special. If going one-by-one, or without a clear strategy for how to categorize identities based on role, it can not only be time-consuming, but also error-prone. Further, once these types of roles are implemented, it does not do much good in the way of maintenance. If individuals are assigned individually tailored roles based on job titles, or if new titles are curated, created, or if the individual is promoted or assigned to a new department, their access will have to be created from scratch, rather than iterated on. This gets even more complicated when considering all the different levels of access that are required within various business systems.
Different Types of Access Levels
Within those departments, each member will likely need separate levels of access. For finance teams, accounts payable shouldn’t have access to accounts receivable (and vice versa), and creative teams shouldn’t have access to an organization’s cloud consoles that may be managed by outsourced IT. Organizations need ways to avoid toxic combinations of work responsibilities like this. It’s obvious that each department, and each identity needs differing levels of access based on what their job functions are, but especially ones that pose innate threats.
Aside from the security risks, when someone needs access to something that they are not assigned, they will need an easy way to request, and gain access. These types of ad hoc access requests, which are actually quite frequent, need to be easy for requestors, and also easy for administrators to see what’s being requested, why, and be able to make business-justified decisions to either approve, or deny the request. It may seem like there should be a level of manual intervention for each request, but again, this can be quite time consuming. Instead, it’s wise to set up policies that can dictate, based on business context, risk, or type of application, whether access should be granted, or not. More intricate requests can continue to be routed to a human being for inspection, but if we try to tackle each individual one, it can result in rubber-stamping approval (unsafe), or too much time spent reviewing each request (inefficient).
What This Means for Identity Security
The concept of thousands of different identities requiring access to hundreds of different applications can seem daunting for administrators who are left to sort through the endless possibilities of entitlements and access combinations. However, this doesn’t need to be as scary as facing a foot of snow in the driveway before heading out to the morning commute. Modern Identity Governance solutions are meant to help with designing and crafting a role model to fit each organization’s structure and setup so that each identity is treated as an individual, but without stunting productivity for business users or administrators. Omada is a market leader in modern IGA and has been helping organizations implement foundational role modelling principles to help enhance efficiency, meet compliance mandates, and increase security.