While the “Identity” part of Identity and Access Management is looking better than it used to, the “Access Management” part is still very much a wild-west landscape. Identity has benefited from robust multi-factor authentication, anomaly detection and password management solutions. Access Management on the other hand, is still largely something that keeps many CISOs up at night. This is true in spite of the growing adoption of Role Based Access Control (RBAC) and more recently, Attribute Based Access Control (ABAC).
The Brave New World of Zero-Trust
In the zero-trust model, access to enterprise data is determined first by a user’s access posture. The access posture always includes the user’s identity and sometimes includes device properties and other environmental factors such as IP address or time of access. Once a user’s access posture is found acceptable, the range of their actions is determined by the privileges they hold.
Thus, once a user has passed the posture check, the only remaining way to limit the damage a compromised or misused account can do is to ensure that its privileges are limited to the user’s business function. However, restricting privileges too tightly disrupts normal or exceptional business activity whenever the granted privileges turn out to be insufficient. As a result, enterprises typically end up operating in an environment where users have more privileges than they need to perform their jobs.
Disguise Drives Distress
Such lax permissions make impersonating legitimate users a popular way of attacking enterprises. They also give insiders the opportunity to use their access in ways that do not reflect business priorities, or that actively damage the business. Compromises by attackers impersonating employees, and malicious insider activity, are therefore increasingly commonplace, causing enterprises enormous financial losses and reputational damage.
Common Causes of Permissions Sprawl
Product features and de-facto business practices all contribute to “permissions sprawl” across the enterprise. Typical gotchas include:
- Named Permissions: A named user is given a privilege regardless of their role or responsibility within the organization
- Role Skew: Role-based access control is used but the roles are dissociated from users’ responsibilities within the organization. In addition, roles may not be stored in a single system: applications may define their own roles, or there may be several role management systems, all of which makes roles hard to manage in a dynamic organization
- Broken Glass: Urgent business matters or emergencies may cause managers to approve exceptional permissions to users or roles, in order to get over immediate hurdles. These permissions are rarely reviewed or revoked later
- Rule of Least Resistance: Among several policy rules through which a resource may be accessed, a weak rule becomes the “least-effort” way of legitimately gaining access. This then becomes the norm for any user to obtain access for legitimate purposes, in turn making it difficult to turn off this rule
- Policy Thicket: Non-intuitive user interfaces can hide damaging or weak access policies. A complex and fragmented UI makes it hard for administrators to reason about their existing policies, and it also makes them reluctant to change policies they know to be suboptimal, for fear of accidentally breaking something they cannot fully reason about
- Application Wonderland: Applications define privileges that do not map easily to business operations. This makes it hard to determine who should be granted access, and even harder to audit why a specific user or role has access
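Several of these patterns can be found mechanically once the policy data is in one place. The following is an added example, not SGNL’s code or anything from the original post: a small Python audit over a constructed snapshot of users, roles, direct grants, break-glass exceptions and policy rules. The schema, the sample users and the 30-day review grace period are assumptions made for the example. It flags Named Permissions (direct grants outside any role), Role Skew (a role held by someone whose job it was not meant for), stale Broken Glass exceptions, and Rule of Least Resistance (a rule whose conditions are a strict subset of another rule’s for the same resource, so the stronger rule is never the one that matters), and it computes what each user can actually do right now.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample snapshot. The schema below is an assumption made for this
# example; it is not the format of any real IAM product.
NOW = datetime(2023, 1, 15, tzinfo=timezone.utc)

USERS = {
    "alice": {"job": "accounts-payable", "roles": ["ap-clerk"]},
    "bob":   {"job": "engineer", "roles": ["dev"]},
    "carol": {"job": "engineer", "roles": ["dev", "ap-approver"]},
}

ROLES = {
    "ap-clerk":    {"perms": {"invoices:read", "invoices:create"}, "jobs": {"accounts-payable"}},
    "ap-approver": {"perms": {"invoices:approve"}, "jobs": {"accounts-payable"}},
    "dev":         {"perms": {"repo:read", "repo:write"}, "jobs": {"engineer"}},
}

# Privileges granted to a named user directly, outside any role.
DIRECT_GRANTS = [
    {"user": "bob", "perm": "invoices:approve", "note": "covering for carol"},
]

# Emergency ("break glass") exceptions with an expiry and a review flag.
BREAK_GLASS = [
    {"user": "alice", "perm": "payments:release",
     "granted": NOW - timedelta(days=90), "expires": NOW - timedelta(days=83), "reviewed": False},
    {"user": "bob", "perm": "prod:ssh",
     "granted": NOW - timedelta(days=2), "expires": NOW + timedelta(days=5), "reviewed": False},
]

# Policy rules: access to `resource` is allowed when every condition in the set holds.
RULES = [
    {"resource": "payments:release", "conditions": frozenset({"role:ap-approver", "mfa", "corp-network"})},
    {"resource": "payments:release", "conditions": frozenset({"mfa"})},
    {"resource": "repo:write", "conditions": frozenset({"role:dev", "mfa"})},
]

REVIEW_GRACE = timedelta(days=30)  # assumed review deadline for unreviewed exceptions


def find_named_permissions():
    """Named Permissions: privileges attached to a user rather than a role."""
    return [(g["user"], g["perm"]) for g in DIRECT_GRANTS]


def find_role_skew():
    """Role Skew: a user holding a role whose intended job differs from theirs."""
    return [(u, r) for u, info in USERS.items()
            for r in info["roles"] if info["job"] not in ROLES[r]["jobs"]]


def find_stale_break_glass(now=NOW):
    """Broken Glass: exceptions that have expired or sat unreviewed past the grace period."""
    stale = []
    for g in BREAK_GLASS:
        if now >= g["expires"]:
            stale.append((g["user"], g["perm"], "expired"))
        elif not g["reviewed"] and now - g["granted"] > REVIEW_GRACE:
            stale.append((g["user"], g["perm"], "unreviewed"))
    return stale


def find_least_resistance_rules():
    """Rule of Least Resistance: for a resource with several rules, a rule whose
    conditions are a strict subset of another's is strictly weaker, so the
    stronger rule never has to be satisfied in practice."""
    by_resource = {}
    for r in RULES:
        by_resource.setdefault(r["resource"], []).append(r["conditions"])
    weak = []
    for resource, conds in by_resource.items():
        for a in conds:
            for b in conds:
                if a < b:  # every condition of a is also in b, and b requires more
                    weak.append((resource, a, b))
    return weak


def effective_permissions(user, now=NOW):
    """Everything a user can do right now: role permissions, direct grants, and
    break-glass exceptions that have not yet expired."""
    perms = set()
    for r in USERS[user]["roles"]:
        perms |= ROLES[r]["perms"]
    perms |= {g["perm"] for g in DIRECT_GRANTS if g["user"] == user}
    perms |= {g["perm"] for g in BREAK_GLASS if g["user"] == user and now < g["expires"]}
    return perms


if __name__ == "__main__":
    print("named permissions:", find_named_permissions())
    print("role skew:", find_role_skew())
    print("stale break-glass:", find_stale_break_glass())
    print("least-resistance rules:", find_least_resistance_rules())
    for u in USERS:
        print(u, sorted(effective_permissions(u)))
```

On this sample, bob’s direct grant of invoices:approve and carol’s ap-approver role are flagged, alice’s expired emergency grant is reported, and the bare “mfa” rule on payments:release is identified as the path of least resistance that makes the stricter rule irrelevant. The effective-permissions view is the one to compare against each user’s job when deciding what to revoke; the audit is only useful if the snapshot really does include every system that can grant a privilege.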
SGNL to the Rescue
As we innovate to simplify enterprise authorization, we have the above pain points front and center in our minds. We would love to hear your thoughts on how authorization may be improved and what you think contributes to the problem in your enterprise.