Part 1 of the Improving Your Security-Efficiency Balance Series:
Organizations of all sizes today face a unique balancing act when it comes to user access. Employees require access to multiple organizational systems, applications, and data to successfully do their jobs—from human resource information systems (HRIS) and customer relationship management (CRM) platforms to accounting software, patient care systems, or collaboration tools. Yet granting user privileges to these systems inherently creates risk to the organization. Data can be misused either accidentally or maliciously. For example, accidental breaches can be caused through inadvertent insider attacks that arise from malicious activities like social engineering attacks from phishing emails in attempt to gain access to privileges that have already been granted. Organizations can also be directly targeted by hackers attempting to gain credentials to penetrate the organization. However, access to these systems is paramount for enabling the business and for achieving the level of operational efficiency that is necessary to compete in today’s business environment.
Identifying how much your company should lean toward organizational security versus user efficiency requires a thorough understanding of the most pressing issues associated with managing user access. Organizations must determine whether to prioritize security concerns at the cost of the user experience or emphasize the ease of the user experience in accessing company systems at the expense of security. In Part 1 of the Security-Efficiency Balance Series, we examine essential identity governance challenges that companies face and explore why achieving this balance is crucial within organizations today.
Critical Identity Governance Challenges Organizations Face Today
One of the primary challenges that result when a company emphasizes security over efficiency is that employees struggle with accessing company systems or are required to jump through multiple security hoops each time they want to access business applications. On the opposite spectrum, companies may focus too much on creating an easy user experience or increasing employee productivity so that organizational security suffers. Too often, organizations lean more heavily on one side or the other. But the optimal solution is to treat both security and user efficiency equally and to look for Identity Governance and Administration solutions that take both of these elements into account.
For example, companies that implement multi-factor authentication (MFA) programs, which require more than a single identifier for identification verification, like a password, push notification to a mobile device, and a voiceprint or fingerprint ID, may overwhelm users with access restrictions. These policies can potentially become excessive in requiring users to perform MFA each time they want to access a business system or application. While this process is highly secure, it will likely start to affect employee efficiency and productivity. As an alternative, organizations could consider combining multi-factor authentication policies with adaptive authentication, which allows some of the security checks to be bypassed depending on a user’s risk profile and tendencies—adapting the type of authentication required. So in this case, if a user had logged into the device earlier in the day, then he or she could skip a subsequent MFA step since it was already verified in an earlier request.
The Frequency of Privileged Access Violations and Other Access Challenges
When users have access privileges that they shouldn’t have as a result of overprovisioning, it creates unwelcome opportunities for potential risks within organizations. According to a recent report from EMA titled ‘Responsible User Empowerment: Enabling Privileged Access Management (PAM),’ 76 percent of organizations reported a violation of privileged access policies within the last year. This means that users had accessed a system or application where they were not supposed to. These types of incidents create a big threat for companies, particularly when it comes to regulatory compliance. As part of increasing regulations today, including GDPR, SOX, HIPAA, and PCI-DSS, which require organizations to limit user access, the reality for companies is that there are so many systems with so many access privileges that it’s extremely difficult to understand what privileged access employees need and then control that access without the right identity governance solutions.
Research from Cybersecurity Insiders also supports the complexity of access challenges today. According to its 2019 Identity and Access Management Report, more than 70 percent of users have more access privileges than required for their job. When employees have more access than they need, hackers have the opportunity to target users with elevated access levels and the risk of insider threats is increased. One particular issue is that employees don’t always know or understand what access they need. And they may end up asking for and being approved for more privilege than they require. This risk is even higher if these excess privileges are unused because nefarious access can go undetected.
Another access challenge within organizations includes underprovisioning employees. While it is better to err on the side of giving users too little access than too much, and to maintain a policy of least privilege access, underprovisioning can lead to a lot of frustration internally, especially for roles that require greater levels of access. When you do not provide enough access, it can disrupt productivity for the entire team, and it means specific users do not have the right access to do their jobs. For example, if a senior accountant does not have the right access levels to approve purchase orders, projects can be delayed, other employees may be tasked with approving, or in some cases, the approval may be skipped. Lacking enough access privilege also leads to increased helpdesk requests, tying up IT resources that should be spent on more important projects. Underprovisioning can also lead to increased risk. Even if an employee lacks necessary access to effectively do their job, the business needs to move forward, and this often results in credential sharing throughout the organization.
The Challenge Will Continue to Grow Without the Right Approach
With a growing number of systems, devices, applications, employees and even non-employees to manage as part of a contingent workforce, the complexity of identity and access management will only continue to increase for organizations that do not have a solid approach to identity governance and administration or access management. Manual provisioning processes, insufficient visibility into existing accounts, and lack of automation significantly contribute to these challenges, magnifying the time and resources required to oversee and manage user access. Because many organizations still lack a centralized process to manage and audit user accounts, companies often have very little visibility into the actual access levels users possess. Combined together, these factors make it very difficult to limit risk within the business, especially as new employees join or leave the organization.
Strategic, intelligent identity governance and administration truly improves and enhances the way organizations approach access management. IGA creates the right balance between security and user efficiency, allowing companies to do more with less. In Part 2 of the Improving Your Security-Efficiency Balance Series, we will provide six specific ways to ensure that your organization is giving the right access to the right people at the right time.