There’s a movement among certain analyst firms to promote the idea of eliminating access controls for all but the most sensitive data. It’s an interesting thought born out of a need to make user access easier and reduce the burden on IT to maintain identity and access management controls.
Even if we choose to make information access more open in the future though, regulations aren’t going away. It’s critical to demonstrate to auditors that you are limiting and managing access to sensitive resources and data from a compliance perspective. But an effective identity governance program can do far more than just grant or restrict access—it can be a tool to minimize risk and strengthen your overall security posture as well, if you can close the loopholes.
It makes sense that IT organizations make it a priority to solve compliance pain by implementing whatever tools or controls are necessary to satisfy auditors. Compliance frameworks are a good starting point or foundation for effective security, but there are loopholes that can be exploited by attackers in the way that identity governance is typically implemented in most organizations today.
The first loophole relates to the fact that business managers simply don’t care much about compliance or security, yet we are placing the burden of risk management on them when we ask them to certify access.
The result is rubber-stamped approvals that leave an expanded vulnerability footprint. When individuals take on new roles or move from one team to another there is often privilege creep—lingering access to resources or data that the individual no longer requires. There are also issues with stale accounts that are active on your network even though the individual has left the company, or orphaned accounts that don’t seem to belong to anyone in particular. It is easier for an attacker to abuse insider credentials when those privileges aren’t being regularly used.
The second loophole goes back to the tunnel vision on compliance. It creates a false sense of security to get an approval from audit. But compliance should be an outcome of good security, not a means to an end. Just because a user has appropriate access rights doesn’t mean they won’t abuse them.
The result is unforeseen risk exposure from legitimate users who could misuse or mistakenly expose their privileges. Or more likely, outside attackers who are constantly working to obtain legitimate credentials through social engineering, phishing attacks or malware downloaded from web pages, with the intent of exploiting those credentials to steal data. This is what happened in the Anthem, Target, OPM and many other high-profile attacks.
The third loophole is presented by the blind spots created by point-in-time access certifications. If access reviews are performed every six to 12 months, as is common in most organizations, what happens in-between the reviews? People change roles or leave the organization. Projects end. Yet those privileges remain longer than is necessary, even if good certifications result in accurate revocations every six months.
The result is large windows of time for an attacker to exploit a compromised account.
In order to close these loopholes, identity governance must become far more dynamic. The future of effective identity governance is one that needs to provide better contextual information for business managers at the point of certifying access, such as highlighting orphan accounts, so that rubber-stamping is reduced. It includes information about what users are doing with their access, with abnormal activity exposed and risk scoring to support better decision making. And it includes adaptive certifications that ask a manager to review entitlements when risky behavior occurs, to eliminate blind spots in-between certifications.
Identity governance has played a role in keeping organizations compliant. It’s time that it provides your organization with visibility and control over access in an adaptive way so that it can be an effective tool for minimizing risk.
