Remember the Hydra, the multi-headed creature from Greek mythology? Warriors attempting to slay the beast faced a seemingly impossible challenge: when they cut off one head, multiple heads re-emerged. Security teams entrusted with Identity and Access Management (IAM) can relate — identity sprawl is their Hydra.
Like the mythical creature, every new cloud-based SaaS application or service produces multiple heads. According to Statista, the average company manages 130 SaaS apps. With potentially hundreds of user accounts and access points per app, it’s easy to see how managing identity sprawl can feel like an unwinnable battle.
There are other complicated factors contributing to identity sprawl, like mass migration to the cloud, remote work and mergers and acquisitions. If left unchecked, identity sprawl can spawn a breeding ground for cyberattacks, with compromised privileged credentials becoming a prime target for malicious actors. The 2024 IBM X-Force Threat Intelligence Index found that abusing valid credentials was tied with phishing attacks as the most common attack method in 2023. It was the first year valid credential exploitation held the top spot in this study.
To better understand and address the problem, let’s dig into the potential problems identity sprawl creates and explore ways security teams can address the issue through the principle of least privilege.
Risks Associated with Identity Sprawl
Before a company can address identity sprawl, it’s necessary to understand how it is impacting the business. Here are the most common consequences organizations encounter when they can’t properly manage identity sprawl.
Expanded Attack Surface
This is the clearest fallout of identity sprawl. As mentioned, many user accounts and access points create a broader attack surface for malicious actors to exploit. Weak passwords or compromised credentials become a gateway to sensitive data and critical systems.
Privilege Escalation
Excessive permissions let attackers who have obtained low-level privileges exploit vulnerabilities and progressively elevate their access rights. This can allow them to acquire complete control over the system, steal data, install malware or disrupt operations.
Compliance Challenges
Maintaining compliance with myriad industry and national data privacy regulations requires companies to monitor all aspects of their security implementation, including IAM. Satisfying regulations like GDPR or CCPA becomes immensely complex when identity data is fragmented and centralized control over access permissions is lacking.
Shadow IT
Unmonitored and unmanaged use of unauthorized applications creates blind spots in IT infrastructure, further increasing the attack surface and introducing additional security risks.
Addressing Existing Challenges via Identity Posture Management
The first step in managing identity sprawl is understanding the organization’s shortcomings in identity posture management. This will create a holistic view of the organization’s identity risk profile, allowing security teams to determine actions needed to manage that risk. This examination includes scrutinizing user identities, access controls and authentication methods across a company’s IT systems and applications.
User identities
As we mentioned, many organizations struggle to maintain accurate user identities. Employees are hired, promoted, move to different departments, leave the company, etc., making it critical for organizations to vigilantly update identity statuses.
User access
This stat from Gartner is pretty alarming: 95% of Infrastructure as a Service accounts use less than 3% of the entitlements granted to them. That means almost every square inch of an access-related attack surface doesn’t need to exist. Examples include access granted outside of standard operations and over-access to sensitive systems that contain Personally Identifiable Information (PII), intellectual property or proprietary financial information.
Authentication methods
One reason for over-access is that the authentication process is often time-consuming, leading many organizations to give overly abundant access to reduce friction. However, there are ways to automate authentication within existing workflows to make requesting and granting access simple and fast.
The right solution can centralize and simplify identity posture management, but taming identity sprawl requires more than technology alone — organizations also need the right approach. As we’ll explore, the principle of least privilege is just such an approach.
Curbing Identity Sprawl Moving Forward with Least Privilege
The principle of least privilege can help security teams address identity sprawl by viewing access through a narrow lens. A 1975 research paper, “The Protection of Information in Computer Systems,” described least privilege like this: “Every program and every user of the system should operate using the least set of privileges necessary to complete the job.” More than 50 years later — in a business environment where every vulnerability represents an access point for cybercriminals — that concept makes more sense than ever.
Many companies have long granted user access on a “just-in-case” basis, where employees have over-privileged access so they can get every asset they need — and many that they’ll never need. Unfortunately, this well-intentioned approach is at odds with least privilege, increasing risk through a wider attack surface.
Instead, enterprises must adopt “just-in-time” (JIT) access that grants user privileges only for the exact duration and scope required to complete a specific task. For example, imagine a financial analyst needing temporary access to modify critical budget figures. With JIT, the analyst would request elevated access, which would be granted for a predefined timeframe and limited to the specific budget application. This approach minimizes the window of vulnerability associated with high-level access.
Let’s dig a little deeper and explore the nuanced access control methods that will dictate how security teams should grant JIT access.
Context-Based Access Control (CBAC)
CBAC injects real-time data points like location, time of day, device type, and user behavior into the access control decision-making process. For instance, a CBAC system might allow a marketing team member to access sensitive customer data only during business hours from a pre-registered device. This granular level of control significantly reduces the attack surface by dynamically adjusting access permissions based on the context of the request.
Role-Based Access Control (RBAC)
Each role is assigned a specific set of permissions that define what resources a user can access and the actions they can perform within those resources. For example, an HR Specialist role might have permission to view and edit employee information in a human resources system but wouldn’t have access to modify financial data. RBAC streamlines access control by managing permissions at the role level, promotes consistency by ensuring everyone within a role has the same access and reduces the risk of human error by eliminating the need to assign permissions to individual users for each resource.
Attribute-Based Access Control (ABAC)
ABAC allows security teams to add a layer of granularity to RBAC by scrutinizing access based on user, resource, environment and action attributes. For example, an ABAC system might grant access to a sensitive report only if the user has the finance manager role and is accessing it from a trusted device during business hours. ABAC policies also restrict whether the user can modify the report or just view it. This approach aligns perfectly with the principle of least privilege by ensuring access is granted based on a comprehensive set of attributes, not just a static role.
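The finance-report scenario above, written out as a deny-by-default ABAC policy check with a JIT elevation window for the "modify" action. This is an added illustration, not code from the article; the resource name, role name, device IDs and business-hours range are hypothetical placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional, Tuple

# Hypothetical policy data (constructed for this example).
BUSINESS_HOURS = range(9, 18)          # 09:00-17:59 local time, Mon-Fri
TRUSTED_DEVICES = {"laptop-fin-042"}   # pre-registered device IDs
PROTECTED_RESOURCE = "finance/quarterly-report"


@dataclass
class Request:
    user: str
    roles: FrozenSet[str]                 # subject attribute (RBAC layer)
    device_id: str                        # environment attribute
    action: str                           # "view" or "modify"
    at: datetime                          # environment attribute
    jit_expires: Optional[datetime] = None  # end of an approved JIT elevation


def is_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and ts.hour in BUSINESS_HOURS


def evaluate(req: Request, resource: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every attribute condition must hold; anything
    not explicitly permitted is denied."""
    if resource != PROTECTED_RESOURCE:
        return False, "no policy covers this resource"
    if "finance_manager" not in req.roles:
        return False, "role attribute missing"
    if req.device_id not in TRUSTED_DEVICES:
        return False, "untrusted device"
    if not is_business_hours(req.at):
        return False, "outside business hours"
    if req.action == "view":
        return True, "view permitted"
    if req.action == "modify":
        # Write access is never standing: it needs an unexpired JIT grant.
        if req.jit_expires is not None and req.at < req.jit_expires:
            return True, "modify permitted under JIT grant"
        return False, "modify requires an active JIT grant"
    return False, "unknown action"
```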
Automation is a crucial component that allows security teams to put these access controls to use. For a least privilege approach to be successful, it has to work in real time and incorporate continuous monitoring capabilities. The number of identities across a company’s apps, services and systems is too vast for manual access provisioning and de-provisioning. Further, employee roles and attributes evolve constantly, an especially daunting challenge for enterprises. Automating these processes gives security teams a complete view of the company’s identity landscape and the insight necessary to make risk-prioritized decisions quickly.
In addition to managing least privilege going forward, it’s important to reduce the identity risk that has already built up due to more static and permanent access processes. Companies should be vigilant about checking access and permissions for factors such as unused access, access granted outside of standard operations, and wide swaths of access to systems with sensitive data or mission-critical functions, focusing first on these areas to convert just-in-case (JIC) access to JIT, or revoke access until it is needed.
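One way to find the accumulated access described above: compare granted entitlements against an access log, flag grants that were never or not recently exercised, and put sensitive ones at the front of the JIT-conversion or revocation queue. Added example, not code from the article; the users, entitlement names, sensitivity list and log entries are constructed placeholders, and the 90-day window is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: standing grants per user and an access log of
# (timestamp, user, entitlement). Nothing here comes from a real system.
GRANTS = {
    "alice": {"hr:view", "hr:edit", "finance:edit", "crm:view"},
    "bob":   {"crm:view", "crm:export", "finance:edit"},
}
SENSITIVE = {"finance:edit", "hr:edit", "crm:export"}   # PII, financials, bulk export
ACCESS_LOG = [
    ("2024-06-10T09:15:00", "alice", "hr:view"),
    ("2024-06-11T14:02:00", "alice", "hr:edit"),
    ("2024-01-05T10:00:00", "alice", "finance:edit"),   # last use well over 90 days ago
    ("2024-06-12T08:45:00", "bob",   "crm:view"),
]


def unused_entitlements(grants, log, now, window_days=90):
    """Return {user: {entitlement: 'never' | 'stale'}} for grants not
    exercised within the review window."""
    cutoff = now - timedelta(days=window_days)
    last_used = defaultdict(dict)
    for ts, user, ent in log:
        t = datetime.fromisoformat(ts)
        if t > last_used[user].get(ent, datetime.min):
            last_used[user][ent] = t
    findings = {}
    for user, ents in grants.items():
        for ent in sorted(ents):
            t = last_used[user].get(ent)
            if t is None:
                findings.setdefault(user, {})[ent] = "never"
            elif t < cutoff:
                findings.setdefault(user, {})[ent] = "stale"
    return findings


def prioritize(findings, sensitive):
    """Rows of (user, entitlement, why, is_sensitive), sensitive grants first."""
    rows = [(u, e, why, e in sensitive)
            for u, ents in findings.items() for e, why in ents.items()]
    return sorted(rows, key=lambda r: (not r[3], r[0], r[1]))


def utilization_pct(grants, findings):
    """Share of granted entitlements actually exercised in the window."""
    total = sum(len(v) for v in grants.values())
    unused = sum(len(v) for v in findings.values())
    return round(100 * (total - unused) / total, 1)
```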
Battling identity sprawl is an ongoing journey, not a destination. So, it’s critical to adapt your approach to reflect emerging risks continually. However, a least privilege approach to IAM is a timeless counterattack. It will allow security teams to drastically shrink their identity risk footprint and, over time, reduce the Hydra’s headcount to a more manageable number.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.