Identity management and access governance are critical for enterprises in a world where the threat and regulatory landscapes are continually evolving. A lack of access control and automated provisioning can be costly for your organization in more ways than one. It means new employees and contractors may be given access to systems they should not have, which can inadvertently expose your company to cybersecurity risk.
But at the same time, you want to avoid throwing out the baby with the bathwater, so to speak. You don’t want to make it overly difficult for employees to access the assets and data they need for their jobs, because that risks severely hampering productivity and efficiency, not to mention being a plain nuisance.
What’s needed is a way to do context-based access without it becoming too burdensome. It has been challenging to know how to lock down your data to minimize the risk of data breaches and the reputational or financial damage that follows. What permissions does each user truly need? How do you make sure provisioning procedures are administered uniformly across the enterprise? How do you keep track of authorized and unauthorized access? And how do you enforce access policies across heterogeneous systems and applications? Ultimately, the question is how to implement the core “least privilege” security principle in a user-friendly, non-obstructive manner in today’s hybrid IT landscapes.
This is where the proper application of automation can play a huge role.
The evolution of identity management in a WFH world
The traditional perimeter was becoming a thing of the past long before Covid-19 prompted a mass shift to remote work. This shift has meant that people went from working within closely monitored and secured enterprise networks to working on largely unmonitored and often unsecured home Wi-Fi networks. It also means a great new opportunity for cybercriminals. With most users moving from inside to outside the reach of perimeter-based security tools, it’s very likely that companies will have higher exposure to network and phishing attacks.
In this new environment, identity is the new perimeter, and with this comes an enhanced imperative for identity management and governance as the basis for tight control of proper access. In fact, a new report from Enterprise Strategy Group found that 93 percent of business and IT professionals surveyed said that remote work has necessitated a re-examination of their organization’s identity governance and administration (IGA) systems and processes.
This need isn’t just due to the increased number of remote employees but also to the need for governance of external identities: the many temporary employees, contractors and business partners that organizations rely on and who need access to corporate systems and applications.
The need for contextual analysis and context-based access
Users’ access needs – and where they are accessing assets from – aren’t static; they change frequently depending on a number of factors. In the case of an employee now working from home, they still need to be able to access the same items that they could from the physical office. A user on a business trip is another example.
In most organizations, a user normally acts in various “contexts.” They might work part-time in different positions, or move inside the organization as an apprentice between different tasks within a short timeframe. They might need to access specific resources while working on a temporary strategic project, or they might be on family leave and not need access during that time, in which case their accounts should be locked. Upon any change, unnecessary access should be terminated, but the access required for the job must also be available instantly.
These examples demonstrate that organizations need a way to be able to implement contextual access management. With context-based or context-aware access, you can establish granular access control policies based on certain attributes – such as user identity, location, IP address and any organizational context – which gives you control over which apps and assets a user can access, based on the specific situation.
Avoiding overload with automation
Context-aware access is necessary, but trying to do all of it manually will never scale. It is complex, time-consuming and inefficient to manage access rights for thousands of users across an organization by hand while still trying to retain consistency across various systems. Inefficient administration inevitably leads to an unacceptably “relaxed” way of managing access, because it is hard to react properly to every contextual change. It also creates a high risk of error. If a user is given too much access, you are open not only to insider abuse but also to attackers who gain entry through unused or poorly managed accounts, giving them direct access to a company’s assets.
Having full control of access rights that are constantly changing in a complex mix of users, IT systems and organizational structures is no mean feat. This is where an automated identity and governance solution can play a key role. This type of solution provides automated reaction to changes using context-based policies; recertification; automated control of policies, with detection and remediation of risks; and role-based access control (RBAC).
With RBAC, instead of managing user access rights at a granular level, access rights across various systems are consolidated into a set of roles. You assign roles to system users, and through these roles grant them the permissions needed to perform particular functions. Users are not assigned permissions directly but acquire them through their assigned roles. So, if someone joins the company, goes on leave, moves departments or leaves the organization, it is easy to manage and remain in control of their access rights through the roles they hold.
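The following is an added illustration, not code from the article or from any Omada product, of the two ideas above: the context-based access check (user identity, organizational context and source IP address) and an RBAC model in which lifecycle events such as joining, moving departments, going on leave and leaving the company automatically adjust a user's roles and account state. The role catalogue, department mapping and network range are constructed for the example.

```python
"""Added example: minimal RBAC with automated lifecycle reactions and a
context-aware access check. Role names, the department-to-role mapping
and the corporate network range are constructed, not from a real system."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed role catalogue: each role grants a set of permissions.
ROLES = {
    "employee": {"mail:read", "intranet:read"},
    "finance": {"ledger:read", "ledger:write"},
    "contractor": {"ticketing:read"},
}
# Constructed organizational context: department -> roles it implies.
DEPT_ROLES = {"finance": {"employee", "finance"}, "it": {"employee"}}
# Context policy: these permissions are usable only from corporate networks.
CORP_ONLY = {"ledger:write"}
CORP_NETS = [ip_network("10.0.0.0/8")]  # constructed corporate range


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)  # no direct permissions, only roles
    locked: bool = False


def on_event(user: User, event: str, dept: str = "") -> None:
    """Automated reaction to a lifecycle change (join, move, leave, ...)."""
    if event in ("join", "move") and dept:
        user.roles = set(DEPT_ROLES[dept])  # drop stale roles, grant the new set
        user.locked = False
    elif event == "family_leave":
        user.locked = True                  # keep roles, but block all access
    elif event == "return":
        user.locked = False
    elif event == "leave_company":
        user.roles.clear()                  # terminate every access right
        user.locked = True


def permissions(user: User) -> set:
    """Effective permissions come only through the user's roles."""
    return set().union(*(ROLES[r] for r in user.roles))


def allowed(user: User, perm: str, source_ip: str) -> bool:
    """Context-based decision: role grant, account state and network origin."""
    if user.locked or perm not in permissions(user):
        return False
    on_corp = any(ip_address(source_ip) in net for net in CORP_NETS)
    return on_corp or perm not in CORP_ONLY
```

A department move replaces the whole role set rather than adding to it, which is what keeps accumulated access from surviving an internal transfer.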
Another benefit of this approach is that it enforces access management policies through roles, in line with regulations and internal policies, enabling an organization to apply sets of roles for simple and consistent permission management across numerous systems and users. It also enables business-level control of access rights by using roles to match user permissions to the organization, increasing transparency through the documentation of requests and approvals. This makes preparing for audits and compliance reporting, with full audit trails, easy.
Automate to reduce risk
Identity management is critical, but there’s no one-size-fits-all approach. Different employees need different types of access at different times – and that means what’s needed is context-based access. Organizations can implement an automation-based identity governance approach that allows for this without it becoming overly burdensome. This brings multiple benefits that strengthen your security profile and serve your users at the same time.
Martin Kuhlmann, vice president of global pre-sales, Omada