3 Practices That Leave Gaps in Your Identity Security – And How to Fix Them
By Arun Kothanath, Chief Security Strategist
March 7, 2024
Digital initiatives and changes in the workforce model are increasing the number of identities you need to manage. And increasing your exposure.
Identities are now one of the top attack targets. IDSA recently reported 90% of companies experienced an Identity-related breach in the past year. There is growing urgency to protect identities as a first-line of defense, though clearly there is much room for improvement.
It’s also not that simple.
Similar to the digital ecosystem that modern identities navigate, protection is a complex mix of strategy, technology, and expertise. It also should ensure that business objectives – and user productivity – are not hindered by restrictive controls. This can be a difficult balance to achieve. Choosing an Identity Security solution, especially amid a constant barrage of new trends, tools, and emerging threats can feel scattershot – leaving you with some nagging questions: “Did I purchase the right solution?” “Do I have all the components?” “What am I missing?” “Will the use of multiple Identity tools leave unseen gaps in our security?”
The answers, of course, depend on factors that are unique to the context of your Identity needs and business. Identity Security solutions are not “one-size-fits-all.”
Mind the gap(s)
While the IDSA report noted the rise in Identity-related attacks among its survey respondents, it also observed that 96% said they could have prevented or minimized the breach.
Surprising? Not if you know what’s causing your exposure.
Here are 3 practices that leave security gaps. Adjusting these practices will go a long way to improving the effectiveness of your defenses and reducing your Identity risk – regardless of your specific needs or where you are on your Identity Security journey.
Excessive permissions
The problem: The more permissions a user has the more resources an unauthorized user will have access to if those credentials are stolen. Over-permissioning, therefore, unnecessarily exposes your resources and data to risk. Common practices can foster over-permissioning. Companies that follow a “model after” method, for instance, manually assign access to new users or roles based on the permissions of similar users or roles – potentially permitting more access than they really need to perform their jobs or tasks. Neglecting to review existing permissions and simply adding on new permissions when users are promoted or switch to a different department also can result in over-permissioning.
The fixes: Apply the principle of least privilege (PoLP) when assigning access to human and machine identities. PoLP ensures that users will have access only to the resources, data, and applications they need to do their job – and nothing more. The practice of just-in-time access allows you to assign additional permissions as-needed or for a specific amount of time. Automation and AI tools can help streamline and enforce consistent permissioning efforts to reduce the number of unnecessary, unused, and orphaned accounts that can be exploited by a malicious insider or external attacker.
Not managing the lifecycle
The problem: Many companies consider access provisioning a “set-and-forget” effort. But managing identities doesn’t stop with onboarding. User roles change over time, and as they do, their entitlements often do too – and existing permissions may no longer be needed or appropriate. Deprovisioning access for exiting employees and third parties is just as critical – 83% of respondents in a recent survey said they continued to access digital assets of a previous employer after leaving the company.
The fixes: Automation and AI technologies can replace manual efforts to ensure that repeatable tasks and policies are applied consistently and on a timely basis. But a technology-only solution is not enough. It is important to also collaborate with stakeholders with clear business objectives (e.g., finance, HR, IT) to implement strict policies and processes for proactively managing identities over their entire lifecycle – from provisioning to deprovisioning and everything in between. Unused, unnecessary, and orphaned accounts should be shut down, eliminating any risk of exploitation.
Too many tools
The problem: If you tend to “tack on” solutions as specific Identity needs arise, you’re not alone. A recent survey shows that 96% of companies use multiple Identity management tools and 70% pay for Identity management tools they don’t actively use. But too many tools can be costly to implement, maintain, and operate. A lack of interoperability among solutions from multiple vendors results in fragmented systems that limit visibility into who is accessing what and how that access is being managed. Overlapping features and functionality may even create gaps leading to unanticipated or unknown Identity risks.
The fixes: Simplicity should be a key goal in your selection and deployment of technologies. A first step toward simplification is assessing what Identity capabilities you need versus what you have. Optimizing your broader existing investments can allow you to eliminate multiple point tools with redundant capabilities (tech consolidation). If you don’t have the internal expertise or resources to streamline your supporting Identity technology, a managed security services provider (MSSP) that has the technology and expertise available on-demand is a cost- and time-effective way to bypass internal tech complexity.
The road to Identity maturity
An Identity Security program is not one-size-fits-all. And while technology is essential, it’s only part of the solution.
To effectively secure your digital identities in programs that drive bottom-line business value and outcomes, your requirements for Identity must be strategically aligned to the unique context of your business and its stakeholders.
Ultimately, modernizing your defenses based on a sound strategic roadmap involves integrating multiple technologies – automation, AI, and end-to-end IAM-PAM-IGA capabilities – to enable the secure digitalization of your business.
In the meantime, as you work toward strengthening the effectiveness of your Identity Security program, amending any practices that leave security gaps – including the 3 that we’ve outlined here – will help you proactively reduce your company’s overall Identity risk.
Whether you are just beginning your Identity Security journey or are on the path to maturing your defenses, Clango can optimize your efforts. Learn how we can help.