The way organizations govern user identities and protect company information has changed significantly in recent years, and keeping up with best practices is critical to maintaining security.
In the not-so-distant past, most companies didn’t have an identity governance system per se—at least, not one worthy of the name. Instead, they created each user’s identity at the time of onboarding, granting the new worker access permissions based on those of the person who held the job previously. If the role was new, access was granted based on similar roles.
If you’re thinking that sounds like a process that cries out for automation, you’re right. Today, most sizeable companies have automated identity creation and access provisioning, saving time for HR and IT and allowing workers to get started on their jobs right away.
From a security standpoint, however automated access provisioning leaves many gaps. People change roles, get temporary assignments, and leave the company. Each of these events requires access changes (or access termination). To stay current—and to follow increasingly strict compliance regulations—companies have instituted periodic access reviews and certification, a process that is often done quarterly. That is the norm today.
The Problem with Access Reviews
Periodic reviews, however, are far from perfect. Busy managers, required to revisit access for each of their employees and contractors in addition to performing their regular duties, sometimes rubber-stamp approvals.
Even those who take the time to review can make mistakes. They simply lack the information they need to make an informed decision. If access to an app is allowed, that doesn’t mean people are actually using the application. But they might be, so in the interest of productivity, managers err on the side of keeping the settings in place.
Decisions like these lead to “access creep.” As users move from role to role, and as temporary access to sensitive data inadvertently becomes permanent, workers accumulate privileges they no longer need, violating the least privilege principle, a fundamental security tenet stating that people should only have access to the tools they need for their current roles—no more and no less.
Because each access point offers cyber thieves an opportunity, privilege creep broadens the surface of attack, making the entire organization less safe.
Overly broad access also opens the door to insider attacks, which have tripled since 2016, according to a 2020 IBM and Ponemon Institute report. While some are malicious, 63 percent are due to simple employee or contractor negligence, such as losing a device, downloading information to an unsecured site, or sending an email to the wrong recipient—the kind of thing that can happen at any organization.
Moving to Full Identity Governance
A full identity governance system closes the door to access mistakes and misjudgments. It allows companies to create detailed access rules and enforce them automatically at all times. It also helps managers make informed decisions.
When someone changes roles, the system not only resets access, it assesses the level of risk generated when each app, database, or device is assigned to a specific employee or contractor. It also reveals whether a worker is using the access they have been granted, and if so, how frequently. Then it presents this information to managers in an easily digestible format, enabling them to make decisions based on risks and facts instead of hunches and guesswork.
A full identity governance system automates the access review process and makes it continuous, so unauthorized or inappropriate access no longer slips through the cracks between reviews. For example, if an office administrator suddenly gains access to protected employee healthcare information, his manager receives an alert. The alert is not just a red flag. It reveals that 0 percent of other people in this role have received similar privileges, and it displays the risks that accrue to the organization as a result of granting it. The manager, who is responsible for introducing these risks and will be held accountable if something goes wrong, is far less likely to shrug her shoulders and stick to the status quo.
This same employee may suddenly gain access to a different app—one that merely displays the cafeteria menu. In that case, the manager would not be bothered with an alert at all.
Continuous and sensible enforcement of identity governance saves managers time, helps them make more responsible decisions, and enforces the least privilege principle throughout the organization.
A Connected System
By keeping managers informed and connecting with the security center, a full identity governance system lowers the risk of a cyberattack and limits the damage if one does occur.
For an example of how that capability works, consider the same scenario at two different companies.
At Company A, which does not have full identity governance, junior accountant Jim is asked to prepare sensitive financial data for a board presentation, and his manager OK’s the request to access it. During certification review the next quarter, the manager notices Jim still has access to this information. The manager doesn’t know whether Jim is still using this information, but he does know Jim has been taking on increased responsibilities in general, and decides to leave the permission intact.
On his way home after an exhausting day, Jim leaves his cellphone in a seat on the train. Before he even notices it’s missing, someone else finds it and hacks it. Before long, the thief has downloaded company’s entire financial database.
Things would have been different if Jim worked at Company B, which has full identity governance.
The governance system wouldn’t have prevented the loss of the device or its theft. But long before that happened, it would have flagged Jim’s access to critical data as a high, ongoing, and unusual risk to the organization. Jim’s manager would have received an alert explaining the nature and magnitude of the threat. He also would have learned that Jim hasn’t worked with the sensitive financial data since the last board meeting, anyway. Very likely, he would have reversed his decision to continue the access.
But even if he had decided to leave the access in place, the attempted download of critical information would have triggered another alert—this one to the security center, which would see information about the previous alert as well as the request to transfer an exceptional amount of high-risk data. As a result, it would have immediately shut off “Jim’s” access and stopped the download, saving the company from a serious breach.
Automating access provisioning is a great way to save time and boost security. But a full identity governance system does much more. By providing continuous enforcement of governance rules, assigning risk scores, presenting information to managers in a compelling and understandable format, and connecting with the security center, it adds intelligence and depth to automated processes. When people are aware of the impact their choices have, they are much more likely to make better security decisions.
To learn more about why full identity governance matters, please join us for the live Micro Focus Virtual Universe identity and access management sessions, or register now to view them on-demand.