While the “Identity” part of Identity and Access Management is looking better than it used to, the “Access Management” part is still very much a wild-west landscape. Identity has benefited from robust multi-factor authentication, anomaly detection and password management solutions. Access Management on the other hand, is still largely something that keeps many CISOs up at night. This is true in spite of the growing adoption of Role Based Access Control (RBAC) and more recently, Attribute Based Access Control (ABAC).
In the zero-trust model, access to enterprise data is determined first by a user’s access posture. The access posture always includes the user’s identity and sometimes includes device properties and other environmental factors such as source IP address or time of access. Once a user’s access posture is found to be acceptable, the range of their actions is then determined by the privileges they hold.
Thus the only way to limit the damage done by an authenticated user, whether a genuine employee or an attacker impersonating one, is to ensure that privileges are limited to the user’s business function. However, restricting user privileges too tightly may disrupt normal or exceptional business activity if the granted privileges turn out to be insufficient. As a result, enterprises typically end up operating in an environment where users have more privileges than they need to perform their jobs.
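The two-stage model described above, posture first and privileges second, is easy to get wrong when the stages are blended together. The following is an added example, not code from the original post, showing the two stages as separate checks and then comparing the permissions a user was granted against the ones they actually exercised. The policy format, the role and user tables, the trusted network ranges, the working-hours window and the audit log are all constructed for illustration.

```python
"""Two-stage zero-trust authorization: access posture, then privileges.

Added example, not code from the original post. All policy data below
(roles, users, networks, hours, audit log) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool
    device_compliant: bool
    source_ip: str
    when: datetime
    action: str      # e.g. "read", "write", "delete"
    resource: str    # e.g. "payroll/db"


# Assumed posture policy: corporate address ranges and a working-hours window.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WORK_HOURS = (time(7, 0), time(20, 0))


def posture_ok(req: AccessRequest) -> tuple:
    """Stage 1: identity, device and environment must all be acceptable.

    Returns (True, "ok") or (False, <first failing factor>)."""
    if not req.mfa_verified:
        return False, "mfa"
    if not req.device_compliant:
        return False, "device"
    ip = ip_address(req.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        return False, "network"
    if not (WORK_HOURS[0] <= req.when.time() <= WORK_HOURS[1]):
        return False, "time"
    return True, "ok"


# Assumed role definitions: permissions are (action, resource-prefix) pairs.
ROLES = {
    "payroll-analyst": {("read", "payroll/")},
    "payroll-admin": {("read", "payroll/"), ("write", "payroll/"), ("delete", "payroll/")},
}
USER_ROLES = {"alice": {"payroll-analyst"}, "bob": {"payroll-admin"}}


def granted_permissions(user: str) -> set:
    """Union of the permissions of every role assigned to the user."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLES.get(role, set())
    return perms


def privileged(req: AccessRequest) -> bool:
    """Stage 2: the requested action must be covered by a granted permission."""
    return any(act == req.action and req.resource.startswith(prefix)
               for act, prefix in granted_permissions(req.user))


def authorize(req: AccessRequest) -> str:
    """Posture is evaluated before privileges; a posture failure never
    reaches the privilege check, so the two stages cannot be confused."""
    ok, reason = posture_ok(req)
    if not ok:
        return "deny:posture:" + reason
    if not privileged(req):
        return "deny:privilege"
    return "allow"


# Constructed audit log: what each user actually did over the review period.
SAMPLE_AUDIT_LOG = [
    {"user": "alice", "action": "read", "resource": "payroll/db"},
    {"user": "bob", "action": "read", "resource": "payroll/db"},
    {"user": "bob", "action": "read", "resource": "payroll/reports"},
]


def unused_permissions(user: str, audit_log: list) -> set:
    """Permissions granted to the user but never exercised in the log.

    A non-empty result is a candidate for removal: privilege the business
    function evidently does not need."""
    used = {(e["action"], e["resource"]) for e in audit_log if e["user"] == user}
    return {p for p in granted_permissions(user)
            if not any(a == p[0] and r.startswith(p[1]) for a, r in used)}


if __name__ == "__main__":
    noon = datetime(2024, 3, 4, 12, 0)
    print(authorize(AccessRequest("alice", True, True, "10.1.2.3", noon, "read", "payroll/db")))
    print(authorize(AccessRequest("alice", True, True, "10.1.2.3", noon, "write", "payroll/db")))
    print(authorize(AccessRequest("bob", True, True, "203.0.113.5", noon, "delete", "payroll/db")))
    print(sorted(unused_permissions("bob", SAMPLE_AUDIT_LOG)))
```

Running the block shows the asymmetry the post describes: bob passes both stages for a delete on payroll data even though the audit log never records him doing anything but reads, so the admin role is wider than his business function. The `unused_permissions` comparison is the kind of check that turns an abstract worry about sprawl into a concrete list of privileges to revoke.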
Such lax permissions make impersonating users a popular means of attacking enterprises. They also give insiders the opportunity to exploit their access privileges in ways that do not reflect business priorities, or are in fact damaging to the business. Compromises by attackers successfully impersonating employees, and malicious insider activity, are therefore increasingly commonplace, causing enterprises enormous financial losses and reputational damage.
Product features and de-facto business practices all contribute to “permissions sprawl” across the enterprise. Typical gotchas include:
As we innovate to simplify enterprise authorization, we have the above pain points front and center in our minds. We would love to hear your thoughts on how authorization may be improved and what you think contributes to the problem in your enterprise.