SSO and MFA Are Only Half Your Identity Governance Strategy

We need better ways to manage user identities for accessing applications, especially given the strain it places on overworked IT and security teams.

In recent years, organizations have started taking authentication much more seriously. While we are still far from where we should be, the good news is we are seeing significant investment in tools that empower workers to be more secure with less hassle.

Single sign-on (SSO) tools like Okta and Microsoft's Azure Active Directory, along with multifactor authentication (MFA) and even passwordless authentication, have become commonplace. This is especially true in large enterprises, where time spent entering passwords can cost millions of dollars a year.

This is the good news, but it tells only half of the identity and access management (IAM) story. As we increase our reliance on applications, we need to think about how to manage all of these new identities created for accessing them — especially given the strain it places on overworked IT and security teams.

The Rise of the Apps
Working in the modern environment means working through applications. Accessing each application requires a new identity. On an individual level, it can be frustrating to have to deal with so many usernames and passwords. But step back and think about managing all those identities across an enterprise, and the task becomes downright Sisyphean. Studies show that organizations with at least 1,000 employees use more than 200 applications. However, the average enterprise is much bigger than 1,000 employees.

A 2019 Ponemon Institute survey of IT and security professionals looked at organizations with an average headcount around 15,000. Respondents spent an average of 10.9 hours a year (12.6 minutes per week) entering and resetting passwords. At a rate of $32 an hour for the "rank and file" employee, time dealing with passwords cost companies roughly $5.2 million a year.

Recognizing that lowering security standards — and you can't get much lower than the basic password — was not an option, companies looked for ways other than SSO to speed up the process.

SSO, MFA, and even physical tokens like YubiKeys have enjoyed significant market success because they help confirm a person is who they say they are and has permission to access assets. However, these technologies do not help assess who should have access in the first place.

Navigating the Permission Approval Process
Organizations are increasingly aware they need to reduce their attack surface by granting permissions only to those people who require them to do their job — the principle of least privilege.

The challenge becomes significantly greater for IT and security teams because permission management is more than just which employee should have access to what application; it also must tie a specific permission within the application to the specific data required for the task.

There are two permission-management lifecycles that demand IT and security teams' (and often an application owner's) attention and approval:

  1. The Joiner-Mover-Leaver (JML) cycle involves requests to define an employee's permissions when joining the company, moving to a new role, and leaving the organization. These permission requests depend on the employee's organizational function.
  2. Certification-recertification (aka permission request/removal) covers when employees request a specific permission they need for a task or project, not a specific role.

In one example case, a 42,000-employee enterprise takes an average of 13 days and 6.3 hours of staff time to give each new employee access to the applications needed for their job. This shrinks to 0.9 hours for existing employees, but with 5.5 changes per employee on average each year, that time adds up.

This represents an enormous amount of unnecessary time and cost, especially for tasks that are characteristically rote and not critical.

If it were just a matter of carrying out this process for a small number of employees at a startup, it probably would not be such a big deal. But for companies with over 2,500 employees, it is a very different story. Manual permission management is not an option if you want your IT or security teams to focus on the things that matter most.

Automating Identity and Access Management
The time employees spend waiting for access approval is paid time when they are not working. As mentioned, the time spent by IT staff entering or resetting passwords adds up. It's an unnecessary and costly allocation of resources.

The crux of the problem is not only understanding which roles need access to which application assets but determining what is the right level of access. The faster this can be achieved with less human intervention, the greater the efficiency and cost-saving.

New automated solutions that harness machine learning hold promise to help IT and security teams with smart recommendations about where to direct their efforts. Prioritization is essential when managing thousands or tens of thousands of identities.

Lost in the sea of identities, it is easy for organizations to lose track of which permissions they have granted. This can lead to permission sprawl and unnecessary exposure. However, automated tracking of users, their roles, and the permissions granted to them can dramatically reduce the risk of unused entitlements that attackers can exploit to gain access to valuable assets.
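The kind of automated tracking described above can be sketched as a reconciliation of an HR roster against the permissions actually granted. This is an added example, not code from the article or any product; the data layout, the sample records, the reason labels, and the 90-day idle threshold are all assumptions.

```python
from datetime import date

# Constructed sample data (not from the article).
ROLE_BASELINE = {  # role -> permissions that role is expected to hold
    "accountant": {"erp:invoice.read", "erp:invoice.write"},
    "engineer": {"git:repo.write", "ci:pipeline.run"},
}
ROSTER = {  # HR roster: user -> (status, current role)
    "alice": ("active", "accountant"),
    "bob": ("active", "engineer"),  # mover: previously an accountant
    "carol": ("left", None),        # leaver
}
GRANTS = [  # (user, permission, last_used or None if never used)
    ("alice", "erp:invoice.read", date(2024, 5, 28)),
    ("alice", "erp:invoice.write", date(2023, 11, 2)),
    ("bob", "git:repo.write", date(2024, 5, 30)),
    ("bob", "erp:invoice.write", date(2024, 1, 15)),
    ("carol", "ci:pipeline.run", None),
]
PRIORITY = {"orphaned": 0, "outside-role": 1, "unused": 2}


def review_grants(roster, baseline, grants, today, max_idle_days=90):
    """Return (user, permission, reason) findings, highest priority first."""
    findings = []
    for user, perm, last_used in grants:
        status, role = roster.get(user, ("unknown", None))
        if status != "active":
            # Leaver or unknown identity still holds a grant.
            findings.append((user, perm, "orphaned"))
        elif perm not in baseline.get(role, set()):
            # Left over from a previous role, or granted ad hoc.
            findings.append((user, perm, "outside-role"))
        elif last_used is None or (today - last_used).days > max_idle_days:
            # In the role baseline but idle: candidate for recertification.
            findings.append((user, perm, "unused"))
    return sorted(findings, key=lambda f: (PRIORITY[f[2]], f[0], f[1]))


if __name__ == "__main__":
    for finding in review_grants(ROSTER, ROLE_BASELINE, GRANTS, date(2024, 6, 1)):
        print(finding)
```

Sorting by reason gives reviewers a queue in which grants held by departed users come first and idle but role-appropriate grants come last.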

Predicting the Next Stages for Identity Governance Administration
Permission management has a lot of catching up to do to reach the robustness and adoption of SSO-related tools. In many ways, it is a more difficult lift because it requires more nuanced decision-making than determining if someone is who they say they are. Instead, it requires asking who is authorized to access and execute what.

Getting there will require faster implementation with better APIs and demonstrated value over current options. In the near term, we predict identity governance and administration (IGA) solutions will provide better recommendations on how to manage granting and revoking permissions, speeding up the process significantly. We anticipate that the next step in the IGA evolution will enable us to spend less time waiting for approvals and more on getting work done.
