Bridging the Gap Between Current and Desired States

By   Thomas Müller-Martin
, Omada | Nov 25, 2022 10:08 am PST

Bridging the Gap Between Current and Desired States

Bridging the Gap Between the current and desired states, Security experts, auditors, and IT executives are regularly aware of differences between their desired and actual IT landscapes. As businesses continue to add more applications to their environments, especially in the cloud, misconfigurations and inappropriate. Access rights management are the main contributors to security breaches and failed audits. A recent Varonis analysis found that 44% of cloud user credentials were misconfigured in some fashion.

For many IT leaders, auditors and security practitioners, there’s a gap between what they want their IT landscape to look like and the reality. In the case of identity and access management, this gap is likely due to a combination of lack of transparency and misconfigured access rights. Misconfigurations and improper access rights management are the leading causes of security breaches and failed audits.  That’s particularly worrisome as organizations add more and more applications to their on-premises and cloud environments.

In a recent study, Varonis found that 44% of cloud user privileges are misconfigured in one way or another. A real-life scenario recently played out when Ukrainian government agencies and banks were hit with data-wiping attacks, which led to a major loss of data. Security analysts believe this could only have happened if there was uncontrolled access in Active Directory. An issue that could have been solved by doing recertification more effectively.

Yet, while assigning proper access to the right users for the right resources has never been more necessary. It can seem like a tall order for an organization to get started. But it’s not insurmountable – it begins with a close examination of the situation.


Access Rights – Bridging the Gap Between Current and Desired States

An explosion of access 

It’s all too easy to end up with too many accounts with too many privileges. Maybe an administrator is asked to add a member to an account, and in the essence of speed and efficiency. The admin gives these identities more access rights than they need to do their job.

Businesses today are moving quickly and the level of access a user/identity needs can also rapidly change. It means IT or identity leaders need a way to continuously verify access rights. However, in most situations, access rights are only evaluated and verified once or twice a year. Often prompted by necessity in the form of compliance regulations or an upcoming audit.

The evaluation can be a time-consuming, frustrating and convoluted process. Determining who needs what access or who needs access re-certifications often requires a lot of decision-making without sufficient information to go on. This process could be made easier, in part, by properly describing the purpose of roles and what they need access to and when. Applying a smart risk model increases your ability to govern users with high-risk access and helps sharpen the focus.

Taking back control of access rights 

When it comes to taking control of access rights, everyone is starting at a different place. For some organizations, it might make sense to start over from scratch while other organizations might just need to overhaul a few policies.

Bridging the Gap Between the current and desired states One of the key things to keep in mind about access rights is that it’s never a one-time thing. The world doesn’t stand still, and roles will continue to evolve and change. Another thing to keep in mind is to build a system that you can easily sustain and mature along the way.

Although it should be taken into account as part of the system, policy-based access control is frequently overlooked. As most organizations tend to focus more on the role level. Whereas role-based access control provides user access based on static roles. Policy-based access control determines access privileges dynamically based on rules and policies (such as employee’s department, job role or project membership.)  You can’t prevent people from requesting access, nor should you, but you should look at it like a closed-loop system. Individually assigned access can help improve your role-based model and from there, that will decrease the overall need to request access.

Recertification efforts will start to work well after most access is authorized by policies and roles. Increase your enterprise’s security, as few decisions will need to be made by your employees. It’s much more effective to centrally recertify single policy than having your team recertifying thousands of related access rights continuously.

A modern approach

It’s all too easy to let recertification efforts pile up until you have to do a massive overhaul. A better approach is to break the process up into smaller chunks throughout the year. The first step is to gather all the data about access from the HR system and other sources. It also lets security teams compare the actual state with the desired state of access rights and resource assignments.

This not only makes identity and access data (and historical data) available so IT auditors can verify changes, but it also enables teams to act when there are discrepancies. Teams can apply policies and workflows to make changes using and maintaining full control over the entire identity lifecycle from the day an identity joins the organization until it leaves.

A modern access governance solution and IGA program generate detailed reporting that gives an overview and analytics to make everything is working properly. Security teams follow up policies like Segregation of Duties to detect combinations of access rights that certain users shouldn’t have.

In order to avoid burdening teams with manual work, this procedure should ideally take place in real time. Work that can be repetitive and time-consuming – and lead to errors. Provisioning is the process of ensuring that changes made using policies are implemented simultaneously in the target systems.. Once changes are made in the target system, the data set is then imported. Again to compare and reconcile the new, actual state ensuring you apply all changes.

Getting access rights right

Bridging Gap Between current and desired states Enforcing need-to-know principle for access is essential to protecting your enterprise. Especially as new cyber threats emerge that are specifically using unmanaged access to initiate attacks. Access rights have always been hard to govern, and today’s hybrid work environment only makes it harder. Fortunately, by using the processes noted above and a modern access management solution, the situation becomes much more manageable. If you win the identity governance game, your identity-first security strategy will be in a good position to handle other issues.