The impact of COVID-19 has been far-reaching across nearly every sector. Millions of employees now work remotely, making companies particularly vulnerable when it comes to external access risks. Many organizations lack a centralized process to manage user access to accounts and resources. They often have limited visibility into the access levels users have to data and systems within their network. And they may be quickly adding or changing access levels to meet the needs of their remote workforce.
Increased pressures of an expanded workforce during the era of COVID-19, and the need to provide new and different access quickly, mean increased risks from excessive entitlements and inappropriate access levels—opening the business up to serious breaches and new inroads for potential attackers. And with remote employees accessing company assets and data on multiple devices, sometimes personal devices, it’s more difficult to know who has access to what. IT professionals and security teams must understand where their greatest access risks exist before these blind spots end up hurting the organization. Let’s take a look at the top six identity-related access risks that your organization must be aware of—now more than ever—and learn how you can mitigate these risks within the current environment.
Six Critical Access Risks to Watch Out For
#1: Privileged Accounts
Privileged accounts are elevated accounts within your IT environment that hold the 'keys to the kingdom.' These types of accounts have privileges to access valuable data and execute any application or transaction, typically with inadequate or no tracking or control. Privileged accounts, which can number in the hundreds or more in some enterprises, are frequently not tied to specific individuals, so these shared accounts can be used to do virtually anything, with little or no oversight. When they are tied to individuals, often the full credentials are known to that individual, which increases risk further. Because of their elevated access, privileged accounts carry more significant risk than non-privileged accounts and have more potential for exploitation or abuse. So it is essential to understand and manage privileged access within your environment, and recognize the significant risk it can introduce.
#2: Abandoned Accounts
These are accounts that belong to employees, contractors, or contingent workers, but have been inactive for a long period of time. Abandoned accounts magnify risk in an environment because they can be used by attackers to gain a foothold in your environment—all while no one is looking at these accounts. The presence of abandoned accounts likely indicates that a process is lacking or broken where accounts would normally be disabled when no longer needed.
#3: Orphaned Accounts
Orphaned accounts are not associated with a valid business owner and, similar to abandoned accounts, do not have proper oversight or governance in an organization. This means no one in the business is responsible for the account and the account is overlooked when access reviews are scheduled. Many times, orphaned accounts are created ‘out of band’ by an application owner or domain administrator—outside of the formal identity governance and administration process.
#4: Unused or Unnecessary Entitlements
These are systems, applications or even permissions on an application that are not needed or used within an organization. Many organizations may not delete unused or unnecessary entitlements because they are afraid they might break something. As older applications are retired, or related processes are changed, and new applications take their place, the old security groups and entitlements are not cleaned up. This is a fairly common scenario during mergers or acquisitions, where large groups of users and applications are brought into the organization at one time. This significantly increases the overall number of security groups and entitlements, creates chaos and confusion, and magnifies overall risk within the business.
#5: Segregation of Duties
Segregation of Duties (SoD), or separation of duties as it’s sometimes called, is the set of controls requiring that multiple people are needed to perform a single task or critical steps within a task. This is typically set up around preventing combinations of access or transaction rights within an organization that would jeopardize the financial integrity of an organization. This can span across multiple systems and applications. When appropriate segregation of duties does not exist, individuals may have the ability to cause damage to the business. For example, if an accountant in an organization can both create and approve a purchase order, then an essential SoD has not been established to prevent account abuse.
#6: Nested or Hidden Access
Many organizations today look primarily at access that is directly assigned to employees, contractors, or contingent workers. But nested access, or access relationships stacked and hidden underneath the top tier of access, is often overlooked and not well understood. Why? Because assigning one entitlement that has nested access can actually create more access than anticipated and open the organization to more risk.
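The following is an added example, not part of the original article or of any Core Security product: it resolves nested group membership into effective entitlements and checks them against the purchase-order SoD rule described in #5, showing a conflict that is invisible when only direct assignments are reviewed. All group, user, and entitlement names are constructed for illustration.

```python
from collections import deque

# Constructed sample data (hypothetical group and entitlement names).
GROUP_ENTITLEMENTS = {
    "AP-Clerks": {"po.create"},
    "All-Finance": set(),
    "Finance-Shared": {"ledger.read"},
    "Finance-Managers": {"po.approve"},
}
# group -> groups it is nested inside (and therefore inherits from)
NESTED_IN = {
    "AP-Clerks": ["All-Finance"],
    "All-Finance": ["Finance-Shared"],
    "Finance-Shared": ["Finance-Managers", "All-Finance"],  # cycle on purpose
}
USER_GROUPS = {"alice": ["AP-Clerks"], "bob": ["Finance-Managers"]}
SOD_RULES = [("po.create", "po.approve")]  # toxic combination from the PO example


def effective_entitlements(user):
    """Map each entitlement to the shortest group chain that grants it."""
    granted = {}
    queue = deque([g] for g in USER_GROUPS.get(user, []))
    seen = set()
    while queue:
        chain = queue.popleft()
        group = chain[-1]
        if group in seen:  # already expanded; also breaks nesting cycles
            continue
        seen.add(group)
        for ent in GROUP_ENTITLEMENTS.get(group, ()):
            granted.setdefault(ent, chain)
        for parent in NESTED_IN.get(group, []):
            queue.append(chain + [parent])
    return granted


def hidden_entitlements(user):
    """Entitlements reached only through nesting (chain longer than one group)."""
    return {e: c for e, c in effective_entitlements(user).items() if len(c) > 1}


def sod_violations(user):
    """SoD rules for which the user effectively holds both entitlements."""
    held = effective_entitlements(user)
    return [(a, b) for a, b in SOD_RULES if a in held and b in held]


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, sod_violations(user), hidden_entitlements(user))
```

In this sample, alice is directly assigned only to AP-Clerks, yet three levels of nesting give her po.approve as well; the returned group chain is what an access reviewer would need in order to decide which nesting link to remove.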
Start Revealing Critical Access Risks
Mitigating identity-related access risks during this challenging time requires knowing who and what is most vulnerable in your environment. And that takes both intelligence and action—revealing any inappropriate access that exists in your business and adopting a least privilege approach for managing access. With your work-from-home population growing virtually overnight, you need to quickly identify who has more access than needed across your organization.
But you can’t act upon what you don’t see. You must take an active role in mitigating access risks through intelligent identity governance solutions. As part of the Core Security Identity Governance and Administration portfolio of solutions, the Access Assurance Suite is an intelligent identity and access management (IAM) software solution that enables organizations to deliver informed provisioning, meet ongoing regulatory compliance, and leverage actionable analytics for improved identity governance. Don't ignore the importance of dealing with access risks that could pose a real threat to your organization today.