August 29, 2016 By Andy Taylor 4 min read

“This is Bob from finance. My new employee started today and needs access right away. I can’t believe this hasn’t been done already, but you guys need to get on top of it. Just give him the same access as Alice, and do it now!”

Now, all of us identity and access management (IAM) professionals remember those days when exchanges like the one above were the norm, but frighteningly, this scenario still occurs in many organizations. The “I need it now; don’t you know who this user is?!” attitude of many managers doesn’t help the situation.

Spotting Identity Governance Trouble

Aside from the obvious problem of user frustration with painfully slow and complicated processes, this scenario hides many more consequences that can put organizations at risk. Users may be granted inappropriate access that’s been approved by the wrong people. To top it all off, this access may never be reviewed.

It’s a dangerous combination that has contributed to many high-profile breaches and data loss incidents. Perhaps the most telling sign of this issue is that insiders were responsible for 60 percent of attacks in 2015, according to IBM X-Force data. At the heart of most of these insider attacks are absent, ill-conceived or overly complex access governance processes that give too much access to the wrong people with too little oversight.

Read the white paper: Key steps to securing data and maintaining proper access

So, what are the leading signs of identity governance trouble that can put an organization at risk? Here are our top five in no particular order:

1. Orphaned Accounts

These accounts are typically active long after a user leaves the organization. Accounts can become orphaned if the IAM solution lacks historical details of the user or if the provisioning process is overly complex. In this case, administrators don’t know what accounts to look for and delete.

Organizations don’t know who uses or owns some user accounts. Neither the account naming convention nor the metadata gives any indication of these account owners, yet the accounts can still be used to access sensitive resources. What’s more, even if administrators know what accounts to look for, they may be reluctant to disable or delete them for fear of creating a service incident.

Unless these accounts are identified and managed, unauthorized, fraudulent activities may occur.
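One way to surface the accounts described above is to reconcile a directory export against the HR roster, flagging accounts whose recorded owner has left, has no owner metadata at all, or is dormant. This is an added example, not the article's own tooling; the roster, account list and 90-day dormancy threshold are constructed assumptions.

```python
# Added example: flag orphaned and ownerless accounts by reconciling a
# directory export against the HR roster. All data below is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    name: str
    owner_id: Optional[str]     # HR employee id from account metadata, if any
    last_login: Optional[date]  # None means never logged in

# Constructed HR roster: employee id -> (name, termination date or None)
HR_ROSTER = {
    "E100": ("Alice", None),
    "E101": ("Bob", date(2016, 3, 31)),   # left the organization
}

# Constructed directory export
ACCOUNTS = [
    Account("alice", "E100", date(2016, 8, 28)),
    Account("bob", "E101", date(2016, 8, 20)),      # still used after Bob left
    Account("svc_report", None, date(2016, 8, 1)),  # no owner metadata
    Account("jsmith", "E999", None),                # owner id unknown to HR
    Account("alice_old", "E100", date(2015, 1, 5)), # valid owner, but dormant
]

DEMO_TODAY = date(2016, 8, 29)  # constructed "today" for the sample run

def find_orphans(accounts, roster, today, dormant_days=90):
    """Return {account_name: reason} for every account that needs review."""
    findings = {}
    for acct in accounts:
        term = roster[acct.owner_id][1] if acct.owner_id in roster else None
        if acct.owner_id is None:
            findings[acct.name] = "no owner recorded"
        elif acct.owner_id not in roster:
            findings[acct.name] = "owner not in HR roster"
        elif term is not None and term < today:
            findings[acct.name] = f"owner left on {term}"
        elif acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings[acct.name] = "dormant"
    return findings

def demo():
    """Run the check over the constructed sample data."""
    return find_orphans(ACCOUNTS, HR_ROSTER, DEMO_TODAY)

if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```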

2. Poorly Defined Certification Processes

For many organizations, the time required to certify access instills a sense of dread. The IAM certification cycle seems to come around too frequently, with little warning or notification. Notices are often sent to the wrong reviewer and list entitlements in a form only the IT guru understands. The process as a whole is overly time consuming for management: it generally includes too much to review, and it may still contain accounts that were flagged for removal in the previous cycle but never actually removed.

All of these factors combine to make certification a herculean task. Unfortunately, a poorly designed review can have dire consequences. If it leads to a failed audit, it can result in heavy pressure from the auditors and more frequent audits. Even worse, poorly defined review processes mean user identities and access to valuable resources aren’t secured, leaving the organization exposed.

3. Inadequate Access Request Approvals

The access approval process may include inappropriate approvers for requests — for example, persons who have no organizational relationship with the users in the first place. Another common failing is individuals who know little about the business function or the access being requested acting as the approver.

Self-selection of approvers is also a common problem that can lead to requests always being approved by a friendly approver rather than predefined, knowledgeable approvers. There are also instances whereby IT users are requesting business access yet only being approved by IT approvers, or privileged access only being approved by line managers who may not understand security requirements or policies. These scenarios can lead to issues with excessive entitlements being granted, resulting in potential segregation-of-duty (SOD) breaches.

4. Lack of Segregation-of-Duty Controls

Some functions must be segregated to limit the risk of fraudulent behaviors. One common example is financial processing activities, which should be separated to ensure simple activities such as raising and releasing payment on an invoice cannot be done by the same person.

Companies can have difficulty articulating SOD controls, mainly due to a lack of knowledge about their applications and their usage across business functions. There’s also a lack of the right tools needed to analyze their impact or, importantly, to identify and manage them across large datasets.

These process checks are often run manually and are ad hoc in timing — in most cases a long time after the access has been granted and occasionally in reaction to an incident or breach. Successful segregation of duties requires a combination of methods by which these checks can be incorporated into electronic access request processes and breach detection alerts.
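The combination the section calls for is a preventive check at request time (evaluating what the user would hold if the request were approved) alongside a detective scan of entitlements already granted. This is an added example, not the article's or any product's code; the toxic-pair rules, entitlement names and user data are constructed, with the invoice-raise/payment-release pair taken from the article's own illustration.

```python
# Added example: preventive SOD check at access-request time plus a detective
# scan over existing entitlements. Rules and data are constructed.

# Constructed toxic combinations: entitlements that must not be held together
SOD_RULES = {
    ("ap.invoice.create", "ap.payment.release"): "raise and release payment on an invoice",
    ("ap.vendor.create", "ap.payment.release"): "create a vendor and pay it",
    ("hr.payroll.edit", "hr.payroll.approve"): "edit and approve own payroll changes",
}

# Constructed current entitlements per user
ENTITLEMENTS = {
    "alice": {"ap.invoice.create"},
    "bob": {"ap.invoice.create", "ap.payment.release"},  # pre-existing violation
    "carol": {"hr.payroll.edit"},
}

def _conflicts(held):
    """Return [(pair, reason)] for every toxic pair fully contained in `held`."""
    return [(pair, reason) for pair, reason in SOD_RULES.items() if set(pair) <= held]

def check_request(user, requested, entitlements=ENTITLEMENTS):
    """Preventive check: simulate the grant and test the resulting entitlement set.

    Returns (allowed, conflicts). A request with conflicts should be routed to a
    risk-exception path rather than approved by the normal line-manager flow.
    """
    proposed = entitlements.get(user, set()) | {requested}
    conflicts = _conflicts(proposed)
    return (not conflicts, conflicts)

def scan_violations(entitlements=ENTITLEMENTS):
    """Detective scan: users who already hold a toxic combination today."""
    result = {}
    for user, held in entitlements.items():
        found = _conflicts(held)
        if found:
            result[user] = found
    return result

if __name__ == "__main__":
    allowed, why = check_request("alice", "ap.payment.release")
    print("alice -> ap.payment.release:", "allowed" if allowed else f"blocked: {why}")
    for user, found in scan_violations().items():
        print(f"{user} already holds: {found}")
```

The request-time check is what keeps new violations out; the scan is what finds the ones granted before the rules existed.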

5. Independent Processes Across the Organization

Different processes can exist across the business for similar activities, leading to inefficiencies. This is certainly true for global organizations that have multiple access request tools, each with their own localized control requirements.

Some organizations are still raising and duplicating requests manually in cross-business systems that have not been integrated. Others have numerous user administration teams performing similar functions; there may be a team to create the account, a team to add the entitlements, a service desk to issue the password, teams for software drops, etc. These costly and inefficient provisioning processes result in poor user experiences.

Differing risk appetites across the organization can also lead to long delays in access request flows, with additional approvers mandated but often adding little value other than providing a tick in the box for audit purposes. This can delay the request for days or even weeks.

You’re Not Alone

If any of these signs of identity governance trouble ring true, you’re not the only one. Fortunately, the right identity governance and intelligence solution can solve these issues to minimize your security risks and help you systematically achieve and manage your regulatory compliance.
