As organizations have made the transformational shift to a remote and hybrid workforce, IT and security teams are feeling increased pressure to better manage access to sensitive data and systems. The rise of a remote and expanded workforce has put additional strain on organizations and increased the potential for identity-related access risks.
To combat these access risks, identity and access management (IAM) has become an even more critical part of an organization’s overall risk management strategy in the new normal. IAM enables the creation and management of user accounts, roles, and access rights for individual users in an organization. In fact, the 2021 Identity and Access Management Report indicates that 87 percent of organizations view IAM as very to extremely important in their risk management and security posture.
In this blog, we will examine the critical access risks that must be considered with the rise of a hybrid workforce, the role IAM plays in mitigating these risks based on insights from the 2021 IAM Report, and specific identity and access management strategies to bolster security within the business.
Critical Identity-Related Access Risks in Hybrid Work
More than ever before, it’s essential to understand where the greatest identity-related access risks exist. With just 54 percent of organizations reporting they are confident in the effectiveness of their IAM programs, recognizing these access challenges is the first step in addressing them. Moreover, according to the 2021 IAM Report, 77 percent of organizations have indicated that over-provisioning, or providing more access than is needed to do the job, is a known issue within the business. Let’s take a look at just a few of the top access challenges to be aware of, especially within the hybrid work environment:
- Over-Provisioned Users (Short-Term Requirements): With the sudden increase in needing to allow for a remote workforce, many organizations focused on the issue of business continuity, ensuring that a remote workforce could continue to be effective even when no longer working from within the confines—and security—of a corporate office. As a necessity, remote access, virtual private networks (VPN), and additional user accounts were enabled. But without additional controls in place, situations arise where this added access can result in users having more access than needed to get the job done—going against a least privilege access approach.
- Over-Provisioned Users (Long-Term Requirements): Over time, users can also accumulate access within the organization. This leads to over-provisioning, where individuals have more access than required to perform their jobs. Again, to combat this, a least privilege approach in concert with a zero trust security model is ideal, where users are given the least amount of access possible and no access is granted until it is demonstrated to be necessary.
- Abandoned Accounts: These are accounts that belong to employees, contractors, or contingent workers, but have been inactive for a long period of time. Abandoned accounts magnify risk and likely indicate that a process is lacking or broken where accounts would normally be disabled when no longer needed.
- Orphaned Accounts: These are accounts not associated with a valid business owner and without proper oversight. This means no one in the business is responsible for the account, and it is overlooked when access reviews are scheduled. Many times, orphaned accounts are created ‘out of band’ by the collaboration tool owner or domain administrator—outside of the formal identity governance and administration process—so they go unnoticed and are left orphaned if the owner departs the organization.
- Unused or Unnecessary Entitlements: These are systems, applications, or even permissions in collaboration tools that are not needed or used within an organization. Many companies or departments don’t delete unused or unnecessary entitlements because they are afraid they might break something. When new tools are introduced, and older applications are retired, old security groups and entitlements are not typically cleaned up.
- Privileged Accounts: These are elevated accounts that have access to valuable data and can execute any application, collaboration tool, or transaction, typically with inadequate or no tracking or control. Often, hundreds of privileged accounts can be found in an organization and can be used to do virtually anything with little or no oversight, leaving them with greater potential for exploitation or abuse.
- Nested or Hidden Access: Many organizations look primarily at access that is directly assigned to employees, contractors, or contingent workers. But nested access, or access relationships stacked and hidden underneath the top tier of access, is often overlooked and not well understood, especially within collaboration tools. Assigning a single entitlement that carries nested access can grant far more access than anticipated and open the organization to more risk.
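As an added illustration (not code from the original post or from Core Security), the following script runs three of the checks described above over a constructed account and group inventory: it flags abandoned accounts by idle time, orphaned accounts whose owner is missing from the HR roster, and the entitlements a user holds only through group nesting. Group semantics follow the directory convention that a group listed in another group's `member_of` inherits that group's entitlements; all names and dates are made up.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data). A group can be a member of
# another group ("member_of"); that is how nested access arises.
ACCOUNTS = {
    "alice":    {"owner": "alice", "last_login": date(2021, 9, 1)},
    "bob":      {"owner": "bob",   "last_login": date(2021, 2, 3)},
    "svc-wiki": {"owner": None,    "last_login": date(2021, 8, 30)},  # created out of band
    "carol":    {"owner": "dave",  "last_login": date(2021, 8, 29)},  # dave has left
}
ROSTER = {"alice", "bob", "carol"}  # valid business owners per HR
GROUPS = {
    "wiki-editors": {"members": {"alice", "carol"}, "member_of": {"wiki-admins"},
                     "entitlements": {"wiki:edit"}},
    "wiki-admins":  {"members": set(), "member_of": set(),
                     "entitlements": {"wiki:admin", "wiki:delete-space"}},
    "finance-ro":   {"members": {"bob"}, "member_of": set(),
                     "entitlements": {"ledger:read"}},
}
TODAY = date(2021, 9, 15)  # review date for the sample

def abandoned_accounts(accounts, today=TODAY, max_idle_days=90):
    """Accounts with no sign-in for longer than the idle threshold."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a for a, spec in accounts.items() if spec["last_login"] < cutoff)

def orphaned_accounts(accounts, roster=ROSTER):
    """Accounts whose owner is missing or no longer on the roster."""
    return sorted(a for a, spec in accounts.items() if spec["owner"] not in roster)

def effective_entitlements(user, groups=GROUPS):
    """Every entitlement a user holds once group nesting is expanded
    (transitive closure over member_of, safe against membership cycles)."""
    seen, stack = set(), [g for g, spec in groups.items() if user in spec["members"]]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(groups[g]["member_of"])
    return {e for g in seen for e in groups[g]["entitlements"]}

def nested_only_entitlements(user, groups=GROUPS):
    """Entitlements visible only after nesting is expanded, i.e. the hidden
    access that a review of direct assignments alone would miss."""
    direct = {e for g, spec in groups.items() if user in spec["members"]
              for e in spec["entitlements"]}
    return effective_entitlements(user, groups) - direct
```

In the sample, alice is only ever assigned to wiki-editors, yet `nested_only_entitlements("alice")` shows she also holds wiki admin rights through the nested group.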
The most common sources of these access risks are changes in the business, on top of the needs created by a remote workforce. These include workforce changes (hiring, now spiking in most industries, promotions and transfers, and M&A activity); infrastructure changes (new or different systems, applications, or platforms); and insider threats (inadvertent or negligent actions as well as deliberate actions by bad actors). Each of these factors occurs regularly within the business and has a significant impact on the level of access risk an organization experiences.
In fact, according to the 2021 IAM report, some of the top negative impacts that organizations have experienced from unauthorized access to sensitive data, applications, or systems in the past 12 months include disrupted business activities (22 percent), system downtime (21 percent), reduced employee productivity (20 percent), and deployment of IT resources to triage and remediate the issue (19 percent), among others. With so many different areas of access risks and avenues for threat actors to enter, it is critical to understand the role that IAM plays in addressing these risks.
How to Close the Gap on Identity-Related Access Risks
Now let’s take a look at three specific IAM strategies that companies can focus on to bolster their security posture:
#1: Strong Policies
Having strong policies in place is extremely important in establishing a solid foundation for an IAM program. Too often, many small or medium-sized organizations start with manual processes and management, but as the organization grows, so does the number of devices and applications needing access. This can quickly get out of hand if there aren’t clear policies in place.
Many of the aforementioned identity-related access risks stem from poor policies or none at all. Remember, it’s not enough to just create the policy: you need a way to enforce it and to monitor how things are going. And you need to determine upfront what should be done when you find access that violates those policies.
#2: Periodic Access Reviews
Periodic access reviews are essential to ensure that access in your organization stays up to date. These include manager reviews, application owner reviews, role reviews, and even micro-certifications. Micro-certifications are real-time access reviews done at a point in time for a specific user or small set of users, focused on access where risk is seen. Their purpose is to review newly granted access right away, typically access given through out-of-band channels, rather than wait for the next periodic review, and to identify why that access was granted outside the standard system.
#3: Prioritize Role-Based Access
Role-based access control restricts or grants access to resources based on a user’s role within the organization. Using roles, organizations can have solid, predefined, and preapproved access policies in place, and know specifically which access privileges each person needs and what access to grant and remove. Roles aren’t directly tied to the title or position someone has, but rather are defined by the access they need.
Think of a role as a collection of access privileges typically defined around a job title or job function. Prioritizing roles keeps your organization more secure by helping enforce the principle of least privilege. According to the 2021 IAM Report, 60 percent of organizations view role-based access control as the most critical IAM capability within their business. Yet only 48 percent are, at best, somewhat effective in their ability to design roles.
Embracing a role-based approach in your business simplifies identity governance, especially as your business grows or changes—whether through individual changes across the user lifecycle, seasonal additions to the workforce, or more institutional changes, like mergers and acquisitions. Roles also allow you to perform business-friendly access reviews and certifications more quickly and accurately.
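To make the review and role strategies above concrete, here is an added example (my own code, not the post's or Core Security's) that treats a role as a collection of entitlements, compares each user's actual grants against what their roles say they need, and queues out-of-band grants for immediate micro-certification rather than the next periodic cycle. The roles, users, and entitlement names are constructed for the example.

```python
# Constructed example data: roles defined by the access a job function needs,
# the roles each user holds, and every grant with a record of how it was made.
ROLES = {
    "accounts-payable": {"erp:invoice.read", "erp:invoice.approve"},
    "helpdesk":         {"ad:password.reset", "ticketing:agent"},
}
USER_ROLES = {"alice": {"accounts-payable"}, "bob": {"helpdesk"}, "carol": {"helpdesk"}}
# (user, entitlement, how granted): "role" via a role, "request" via an approved
# request, "direct" assigned by an administrator outside the standard process.
GRANTS = [
    ("alice", "erp:invoice.read",    "role"),
    ("alice", "erp:invoice.approve", "role"),
    ("alice", "erp:vendor.create",   "direct"),   # out of band
    ("bob",   "ad:password.reset",   "role"),
    ("bob",   "ticketing:agent",     "role"),
    ("bob",   "erp:invoice.approve", "request"),  # project access never removed
    ("carol", "ticketing:agent",     "role"),
]

def expected_access(user):
    """Union of the entitlements promised by every role the user holds."""
    return set().union(*(ROLES[r] for r in USER_ROLES.get(user, ())))

def review(user, grants=GRANTS):
    """One user's access review against the role baseline.
    Returns (excess, missing, out_of_band): excess is the over-provisioning
    candidate list, missing is role access that was never provisioned, and
    out_of_band is access granted directly rather than through the process."""
    held = {e for u, e, _ in grants if u == user}
    expected = expected_access(user)
    out_of_band = {e for u, e, how in grants if u == user and how == "direct"}
    return held - expected, expected - held, out_of_band

def micro_certification_queue(grants=GRANTS):
    """Direct grants to be certified by their owner right away."""
    return sorted((u, e) for u, e, how in grants if how == "direct")
```

Running `review` for each user shows bob's leftover invoice approval and alice's direct grant as excess; only alice's grant lands in the micro-certification queue because it bypassed both the role and the request process.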
The Ultimate Goal is to Help Your Business Become More Secure
IAM technology exists to help you do more with less, even with a remote and hybrid workforce, and make your programs and policies more effective. Today’s IAM tools, like the identity solutions from Core Security, can empower you to do just that. In addition, they can help you meet increasing auditor demands, enable your business to prepare for growth, and support your organization in becoming more secure—especially across an expanded workforce. Ultimately, IAM technology should help you quickly reveal and remediate access risks in your business and bolster your risk management. Take the first step by seeing what access looks like in your organization and learn how you can embrace a role-based approach to access today.