Skip to main content

Automate or else: How to defeat permission sprawl once and for all

(Image credit: Image source: Shutterstock/Vasin Lee)

What goes up must come down. Or so the saying goes.

The exception to the rule appears to be the number of access rights piling up in your organization.

As we continue moving to increasingly digital ways of working, the number of apps, entitlements and permissions is only going to increase. 

We see this trend clearly in the accelerated movement to the cloud with increased adoption rates of SaaS, IaaS, and other XaaS environments. This means that organizations are more reliant than ever on identity as the key to accessing their tools and resources.

On the business side, we have to empower our organizations to do more and with greater speed than ever before in order to stay competitive on a global stage. The reality in most organizations is that users have more power than ever to connect to high-risk applications and data. 

But with great power comes great responsibility.

Managing more identities with more access means more risks of compromise and a wider threat surface that has to be secured. In 2021, organizations know that they have to manage these identities, but the complexity of the situation is long past the point of being manageable with legacy tools and manual processes. 

Adding to our challenge is the fact that we are also sharing more access to systems and data with users outside of our organizations, exposing our assets for valuable collaboration while adding risk from an ever-expanding threat surface. 

Sometimes I wonder if anybody is even tracking if users outside the organization retain access to these assets long after they have any legitimate reason to do so? 

Given the scale and complexity to be managed here, we are left with a couple of takeaways that organizations have to consider if they are going to remain secure and compliant moving forward.

Automate everything

Prior to 2020 and before work-from-home became ubiquitous, mid-sized companies were already reportedly using on average 137 SaaS apps like Salesforce and O365. That number is more than double for enterprises and does not include the range of infrastructure and other XaaS cloud services that have taken over as the way that work gets done. 

Keeping track of all the identities and permissions associated with these apps is a Sysaphean task under the best of circumstances. And it’s downright impossible to accomplish manually. 

At the same time, the scale of the task is going up, the skilled security talent needed to keep the train on the tracks are consistently under-resourced. Even in enterprises that have people dedicated to handling IAM security, the scale outstrips any team’s capacity to keep their organization secure and compliant. 

The good news is that every organization knows that they have to automate. The question is not if, but how far can we go?

​​We see this challenge time and again with access reviews. Solutions have been on the market for some time now that help prepare and manage campaigns. But these tools, while an improvement, still require significant human interaction in terms of having the individual managers review and approve each of the entitlements on their list.

Our goal should be to automate just about everything possible and only bring in a human decision-maker for the really tough calls where we cannot define business policies to accurately determine who should have access to what. Automating basic entitlement decisions should be our default — especially when we have the data necessary to drive those choices already in our hands.

Be continuous

We need to break away from the “point in time” is “good enough” mindset. If you are not operating your identity management program on a continuous basis, then you are opening yourself up to preventable security and compliance gaps.  

For example, if an employee leaves the organization but is not fully off-boarded immediately, then you leave open a window for them to steal or destroy valuable data. Similarly, failing to identify over-privileged identities or changes to admin accounts when they happen in real-time can lead to similar issues.

What is needed are guardrails that are continuously monitoring for violations of policies, and can kick off a workflow automatically in time for the measures to be effective. Guardrails can act like a lane departure warning on modern cars. They give your organization a heads up that something bad may happen and let you decide how and when to take action.

Not all access is the same

In the ever-expanding cloud environment, you can’t manage access to all applications and data the same way. There's simply too much access to manage. 

The key is focus and the ability to prioritize. 

Know where your assets of greatest risk are and manage them first. In the past, no one locked public information away in a filing cabinet and the same is true of digital data. By understanding the organization’s critical risk apps and data, you can prioritize and focus controls on those areas.

Time for a change

Now is the time to start a conversation on how to manage the ever-increasing amounts of digital access within your organization. And don’t forget to include the auditors and regulators as part of the approach to restructuring your organization’s controls and compliance reporting. 

The status quo is no longer enough. When access reviews became part of the compliance checklist, organizations were only managing a relatively limited number of resources. Now there is pressure to review everything, whether it is a “high-value” asset or not. 

More than a few folks managing these campaigns have told me that the only way to complete them on time is simply to have the reviewers “rubber stamp” approvals across the board. When the only way to be compliant is to defeat the purpose of the exercise, then we know that something has to change. 

By investing in solutions that are capable of handling the vast majority of the workload on their own, reviewers can focus their efforts on the tasks and decisions that are most deserving of their attention. 

Over the long run, expectations from auditors will have to adapt to meet the conditions on the ground. This means moving away from the periodic, manual processes, screenshots, and spreadsheets towards a smarter, automated system that auditors can trust.

Paul Trulove, Advisor, Authomize