Cyber

Visibility and control

by Mark Rowe

It is no longer just the C-suite and IT admins who have access to privileged and sensitive information, writes David Higgins of the Field Technology Office at the identity security company CyberArk.

Access to critical data, infrastructure and systems, goldmines for attackers, is now held by identities of all kinds. According to our research, IT and security decision-makers report that, on average, more than half of their staff have access to confidential company information. The hybrid working of recent years has both accelerated and exacerbated this situation.

As your organisation's digital and cloud activities expand, the number of identities needing protection grows rapidly. Managing these identities, from granting, modifying and revoking authorisations to meeting audit requirements, is crucial, and doing it securely is hard. The list of challenges companies face is already long: IT teams are bogged down by time-consuming manual processes, antiquated technology and silos between apps, directory stores and data repositories. Workloads are rising in tandem, along with stress levels and employee disengagement, while economic pressures widen persistent resource and talent gaps.

So the solution cannot add yet another layer of complexity. The answer may lie in stepping back to evaluate what securing all of these identities actually means for the organisation, and in understanding the gaps in its current system of identity management.

The role of automation

Implementing least privilege is an effective first step. It means giving each user only the authorisations needed to carry out the tasks their job requires, which matters particularly in SaaS systems, where a single risky action can expose sensitive data. The problem is that many firms struggle to manage the identity lifecycle of their personnel securely because they rely on manual methods, which are prone to error.

At the beginning of the lifecycle, new employees frequently wait days or weeks before being granted access to the IT systems, services and applications they require. At some point, impatience tempts employees to embrace shadow IT or look for other ways in. Similarly, when an employee leaves the company, the IT team may have to work manually through a checklist of applications, removing access by hand. If a team member forgets one app, or misses a critical step, the consequences can be severe. One missed step leaves the door open for threat actors to exploit misprovisioned, overprivileged or orphaned accounts, and attackers do this routinely.
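The lifecycle gaps above (slow joiner provisioning, leavers whose access survives them, roles that drift beyond what the job needs) are exactly what an automated reconciliation catches. The following is an added, illustrative example, not CyberArk's code or the page's own: it treats a constructed HR feed as the source of truth, holds a centralised role-to-entitlement model, and compares both against a constructed snapshot of what each application actually grants. The employee records, application names, roles and entitlements are hypothetical.

```python
"""Automated joiner/mover/leaver reconciliation against an HR feed (added example)."""
from dataclasses import dataclass, field

# Constructed HR feed: the authoritative record of who works here, in what role, and
# whether they are still employed. In practice this comes from the HR platform's API.
HR_FEED = [
    {"employee_id": "E100", "email": "alice@example.com", "role": "finance_analyst", "status": "active"},
    {"employee_id": "E101", "email": "bob@example.com",   "role": "developer",       "status": "active"},
    {"employee_id": "E102", "email": "carol@example.com", "role": "developer",       "status": "leaver"},
    {"employee_id": "E103", "email": "dave@example.com",  "role": "developer",       "status": "active"},
]

# Constructed snapshot of the accounts and entitlements each application currently holds.
APP_ACCOUNTS = {
    "payroll_saas":   {"alice@example.com": {"viewer", "approver"},
                       "carol@example.com": {"viewer"}},
    "source_control": {"bob@example.com":   {"developer", "org_admin"},
                       "carol@example.com": {"developer"}},
}

# Centralised role model (hypothetical roles and apps): for each role, the maximum
# entitlements it may hold per application. Anything beyond this is privilege creep;
# any listed app an active user lacks an account in is a provisioning gap.
ROLE_POLICY = {
    "finance_analyst": {"payroll_saas":   {"viewer"}},
    "developer":       {"source_control": {"developer"}},
}


@dataclass
class Findings:
    orphaned: list = field(default_factory=list)        # (app, account) with no active HR record
    overprivileged: list = field(default_factory=list)  # (app, account, excess entitlements)
    missing: list = field(default_factory=list)         # (app, email): active user not provisioned


def reconcile(hr_feed, app_accounts, role_policy):
    """Compare what each app grants against what the HR feed and role model say it should."""
    active = {r["email"]: r["role"] for r in hr_feed if r["status"] == "active"}
    f = Findings()
    for app, accounts in app_accounts.items():
        for account, entitlements in accounts.items():
            role = active.get(account)
            if role is None:
                # Leaver, or an account HR knows nothing about: nobody active owns it.
                # (Service accounts need their own ownership record or they land here too.)
                f.orphaned.append((app, account))
                continue
            excess = entitlements - role_policy.get(role, {}).get(app, set())
            if excess:
                f.overprivileged.append((app, account, excess))
    for email, role in active.items():
        for app in role_policy.get(role, {}):
            if email not in app_accounts.get(app, {}):
                f.missing.append((app, email))
    return f


def plan_actions(findings):
    """Turn findings into the concrete, repeatable steps an automated workflow would run."""
    actions = []
    for app, account in findings.orphaned:
        actions.append(f"DISABLE {account} in {app}")
    for app, account, excess in findings.overprivileged:
        actions.append(f"REVOKE {','.join(sorted(excess))} from {account} in {app}")
    for app, email in findings.missing:
        actions.append(f"PROVISION {email} in {app}")
    return actions


if __name__ == "__main__":
    for action in plan_actions(reconcile(HR_FEED, APP_ACCOUNTS, ROLE_POLICY)):
        print(action)
```

Run on the constructed data, this disables the leaver's two surviving accounts, strips the approver and org_admin entitlements that exceed the role model, and provisions the new developer who has no source-control account yet. Disabling rather than deleting orphaned accounts preserves the audit trail; the role model is the one place to change when a role's needs change, which is what keeps least privilege from eroding one ticket at a time.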

This is where automated identity security can help – seamlessly granting and removing access with minimum margin for error.

So how can this be done?

Here are some steps you can take to bring a security-first approach to managing identities from a user’s start date to their last day:

Firstly, security teams need to centralise lifecycle management policies, controls and capabilities, using automated workflows for on-boarding and off-boarding employees whilst defining and enforcing each user’s unique roles, responsibilities, access rights and permissions. This approach can free teams from repetitive, error-prone tasks. Integrating these processes with your trusted HR software enables you to maintain consistency and accuracy between platforms.

Secondly, they need to federate identities across cloud and on-premises applications and systems, so teams can provide access quickly when users need it, adjust it when roles or risks change and remove it when users leave the enterprise. Automated workflows help prevent the privilege creep and orphaned accounts that attackers so often exploit to gain a foothold and steal data.

Lastly, security teams need real-time insight into potential risks, and the ability to act on them, from automated tools that track areas such as application usage, failed login attempts, unused accounts and external threat data. Together, this three-part approach provides a scalable form of visibility and control, with automated workflows designed to prevent risky user actions and breach attempts. Identity security can be managed without stretching IT and security teams further, while reducing the risk of human error. Security and IT teams can then use the time freed up to examine supplemental security tools and approaches, so that the organisation maintains a layered cyber defence.
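Two of the signals named in the last step, failed login attempts and unused accounts, are simple to derive from an authentication log once that log is collected centrally. The following is an added example, not code from the article or from CyberArk: it parses a constructed log (the line format, the account names and the thresholds are assumptions), flags accounts with a burst of failures inside a sliding window, prioritises those where a success follows the burst, and lists accounts that have not logged in for longer than a dormancy threshold.

```python
"""Risk signals from an authentication log: failed-login bursts and dormant accounts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO-8601 timestamp, account, outcome. A real log would come
# from the identity provider or SIEM; this format is assumed for illustration.
AUTH_LOG = """\
2024-03-01T09:00:00 alice@example.com success
2024-03-01T09:05:00 bob@example.com failure
2024-03-01T09:05:20 bob@example.com failure
2024-03-01T09:05:40 bob@example.com failure
2024-03-01T09:06:00 bob@example.com failure
2024-03-01T09:06:30 bob@example.com failure
2024-03-01T09:07:00 bob@example.com success
2024-01-10T08:00:00 carol@example.com success
"""

# Accounts the identity system knows about (constructed); dave has never logged in.
KNOWN_ACCOUNTS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]


def parse_log(text):
    """Parse each non-empty line into (timestamp, account, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), account, outcome))
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {account: failures} for accounts with >= threshold failures inside any window."""
    failures = defaultdict(list)
    for ts, account, outcome in events:
        if outcome == "failure":
            failures[account].append(ts)
    flagged = {}
    for account, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[account] = end - start + 1
                break
    return flagged


def burst_then_success(events, flagged, grace=timedelta(minutes=10)):
    """Flagged accounts whose burst was followed by a successful login within the grace
    period: the guessing may have worked, so these go to the top of the queue."""
    hits = set()
    for account in flagged:
        last_fail = max(ts for ts, a, o in events if a == account and o == "failure")
        if any(a == account and o == "success" and last_fail < ts <= last_fail + grace
               for ts, a, o in events):
            hits.add(account)
    return hits


def dormant_accounts(events, known_accounts, now, max_idle=timedelta(days=30)):
    """Known accounts with no successful login in the last max_idle (never seen counts)."""
    last_seen = {}
    for ts, account, outcome in events:
        if outcome == "success":
            last_seen[account] = max(last_seen.get(account, ts), ts)
    return sorted(a for a in known_accounts if now - last_seen.get(a, datetime.min) > max_idle)


if __name__ == "__main__":
    events = parse_log(AUTH_LOG)
    bursts = failed_login_bursts(events)
    print("failed-login bursts:", bursts)
    print("burst followed by success:", burst_then_success(events, bursts))
    print("dormant accounts:", dormant_accounts(events, KNOWN_ACCOUNTS, datetime(2024, 3, 2)))
```

On the constructed log this flags bob (five failures in ninety seconds, then a success a minute later) and reports carol and dave as dormant. The dormant list is the natural input to the reconciliation step: an account that is both unused and unowned is the orphaned account the article warns about, and disabling it costs nothing.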


© 2024 Professional Security Magazine. All rights reserved.
