Mobile and Cloud have raised the stakes for security in general and for identity-related security challenges in particular. But while identity-related risk has grown tremendously, in many ways the risks themselves are ones we’ve long recognized – such as orphaned accounts, segregation of duties (SoD) violations and privileges following users to new roles, among others.
What’s different in this new environment, where there are more users and kinds of user identities than ever, is that those familiar risks have evolved to become much bigger and more difficult to manage. To address them successfully, we need different strategies for the new ways in which they impact organizations.
Here’s a look at some of the main areas where identity risk is causing organizations pain and the strategies to address the risk.
More Users, More Places, More Problems
Today’s identity landscape has more users in more places – on-premises, on mobile devices and in the Cloud – and they’re constantly joining, moving or leaving accounts, applications, file shares and portals. They can generate millions of entitlements, making it a real struggle to manage their identity and access information. Identity risk factors such as orphaned accounts, shared accounts, unauthorized changes, identity movement, separation-of-duty issues, out-of-role access and overprovisioning pose potential problems on a scale that was once unimaginable.
Fear of Audit Failure
Given that 81% of data breaches today involve compromised identities, it should come as no surprise that auditors are scrutinizing access certifications more zealously than ever. And more organizations are failing audits under this deep scrutiny – which can lead to even more scrutiny. Governance processes that have proved adequate in the past may no longer be sufficient to cover the increasing scope of audits.
So Many Entitlements, So Little Time
Shaken by growing numbers of orphaned accounts, overprovisioned users and other problems, many organizations are putting a renewed focus on identity governance – and that’s putting a heavy burden on business managers. They’re increasingly being asked to fill out complex reports to verify appropriate application access, without being given much context for access decisions. Sometimes, doing the best with what they’ve got means rubber-stamping verifications – which can make security vulnerabilities even worse.
Strategies to Address Identity Risk
The situation may sound bleak, but we’ve identified several strategies to help take the anxiety out of mitigating identity risk today:
- Enable risk-aware, context-driven governance by integrating risk management and access management in identity governance and lifecycle processes – instead of managing them as separate issues.
- Surface meaningful information for decisions by organizing activities by risk, priority and context, which can help reduce certification fatigue for business managers.
- Discover outliers and inappropriate access by using a risk-based approach to quickly identify outlying access requests, flag them and prioritize them for remediation.
- Automate processes so that, in addition to providing secure access, you can fulfill it efficiently and effectively.
Author: Tim Norris
Category: RSA Fundamentals, Blog Post