Does overprivileged access keep you up at night? With 80% of cyber attacks involving compromised identity, it’s hard not to worry. Strengthening access controls has become a top-of-mind initiative for organizations that want to protect their own and their customers’ data. But growing SaaS sprawl, complex hybrid environments, and shadow IT usage are just some of the factors that make managing access a challenge for IT and security teams.
No two identity-related breaches are the same; each incident is the result of a specific combination of exploited identity and system vulnerabilities. Some companies operate hybrid environments that still leverage legacy technology, others have inherited employees and infrastructure from a merger that have been awkwardly integrated into existing systems. Among fast-growing, cloud-forward companies, there’s a tendency to quickly throw together infrastructure and adopt apps as needed, leading to unchecked SaaS sprawl. Each organization is different and, as such, has different identity-related issues that increase the risk of breaches.
These factors make it feel as though no available solution or piece of software can fully solve the identity security challenges that exist within your company. And this may be partially true. The specifics of your environment need to be accounted for when searching for a solution. However, the reality is, though specifics vary, your problems aren’t unique—everyone’s struggling to address the same general identity security challenges. Establishing a few foundational practices can help any team achieve better security outcomes.
Balancing security and efficiency
While the number and types of systems and identities you’re trying to secure are particular to your organization, companies that are most subject to identity breaches tend to have one commonality: immature or broken processes that don’t create a sustainable balance between security and efficiency.
Businesses want to realize value quickly, and it can be a challenge to manage access securely without impacting productivity. However, there is an opportunity cost associated with trading safe practices for faster momentum. Solving for this is tricky—backlogged ticketing processes and multi-step approvals can slow down provisioning and block the access workers need to do their jobs, potentially causing them to circle around IT and leverage shadow apps. On the other hand, giving employees blanket access to high-risk entitlements is a recipe for disaster.
Achieving the right balance isn’t an overnight task but an ongoing process that requires setting up a strong foundation upon which you can add more advanced processes, making your security posture proactive rather than reactive in dealing with identity-based threats.
Setting the foundation
With mitigating overprivilege and moving toward zero standing privileges as your end goal, a crucial first step involves identifying your most sensitive systems and understanding who has access to what. Where are you struggling to secure access to these systems? Is it managing your 80 different accounts in AWS? Or maybe it’s making sure that when Bob in SRE needs temporary admin access for a project, that access gets revoked promptly afterward. Honing in on the gaps in your current processes will allow you to create a plan for addressing them.
Having found your areas of desired improvement, a good next step is moving what privileges you can to just-in-time (JIT) access. Move as you’re comfortable. Start by migrating your most critical and sensitive resources to JIT access, and then over time you can begin enforcing JIT access for additional parts of your environment.
Adopting JIT access might require some work on your part to set up initially, but the ROI is realized almost immediately—through a decreased attack surface area and better records about who had access to what at any given time. Reducing the amount of permanent access by extension also reduces the amount of access data you have to audit when running access reviews, freeing up developer resources for higher priority projects while also allowing you to run more frequent and accurate reviews.
Building on the foundation
Now that you’ve cleaned up problem areas and implemented JIT access for sensitive privileges, you have a more secure foundation on top of which to start layering some advanced access controls and workflows.
Each system in your environment and the data it stores are unique, and they should be treated as such. You might want to require manager approval to some resources, while other approvals can be team based, and some low-risk entitlements might even warrant self-approval. Set up and, as much as possible, automate the approval policies that work best for your workforce and environment.
You can also define and implement workflows for requesting and provisioning emergency access, allowing teams to move efficiently while ensuring break-glass access to high-risk systems is ephemeral. Tie conditional JIT access approval policies to on-call rotations to ensure engineers get the emergency access they need as soon as they need it. Because you’ve already implemented JIT access processes generally, they can be easily extended to special use cases.
Winning the battle against overprivilege
It’s critical that today’s companies employ a proactive rather than reactive approach to identity security by taking measures to reduce excessive privileges. Implementing JIT access can serve as a foundational step to creating a more secure environment and processes that also free up resources, improve efficiency, and automate away a lot of manual effort and potential errors.
Companies are unique by nature. Org structure, tech stacks, and employee counts—these are all up to the discretion of business owners and leaders. However, the set of identity security challenges you face may be less unique than you think. Everyone can benefit from general, foundational practices of consistent risk assessment and strategic JIT implementation. Ultimately, each company might be playing a different sport, but hitting the gym benefits everybody.
To learn how ConductorOne can help you automate JIT access and improve access controls across your unique environment, chat with us.