
Application Security

12/16/2020
10:00 AM
Dotan Bar Noy
Commentary

SSO and MFA Are Only Half Your Identity Governance Strategy

We need better ways to manage user identities for accessing applications, especially given the strain it places on overworked IT and security teams.

In recent years, organizations have started taking authentication much more seriously. While we are still far from where we should be, the good news is we are seeing significant investment in tools that empower workers to be more secure with less hassle.

Single sign-on (SSO) platforms such as Okta and Microsoft's Azure Active Directory, multifactor authentication (MFA), and even passwordless login have become commonplace. This is especially true in large enterprises, where the time employees spend entering passwords can cost millions of dollars a year.


This is the good news, but it tells only half of the identity and access management (IAM) story. As we increase our reliance on applications, we need to think about how to manage all of these new identities created for accessing them — especially given the strain it places on overworked IT and security teams.

The Rise of the Apps
Working in the modern environment means working through applications, and each application typically means another account: another identity to create, authorize, and eventually retire. On an individual level, it is frustrating to juggle so many usernames and passwords. Step back to consider managing all of those identities across an enterprise and the task becomes downright Sisyphean. Studies show that organizations with at least 1,000 employees use more than 200 applications, and the average enterprise is much bigger than 1,000 employees.

A 2019 Ponemon Institute survey of IT and security professionals looked at organizations with an average headcount around 15,000. Respondents spent an average of 10.9 hours a year (12.6 minutes per week) entering and resetting passwords. At a rate of $32 an hour for the "rank and file" employee, time dealing with passwords cost companies roughly $5.2 million a year.

Recognizing that lowering security standards was not an option (and you cannot get much lower than the basic password), companies looked for ways to speed up the login process without weakening it.

SSO, MFA, and even hardware tokens like YubiKeys have enjoyed significant market success because they confirm that a person is who they claim to be and then enforce whatever access that person has already been granted. What these technologies do not do is decide who should have that access in the first place. Authentication answers "who are you?"; it says nothing about "what should you be allowed to do?"

Navigating the Permission Approval Process
Organizations are increasingly aware they need to reduce their attack surface by granting permissions only to those people who require it to do their job — the principle of least privilege.

The challenge becomes significantly greater for IT and security teams because permission management is more than just which employee should have access to what application; it also must tie a specific permission within the application to the specific data required for the task.

There are two permission-management lifecycles that demand IT and security teams' (and often an application owner's) attention and approval:

  1. The Joiner-Mover-Leaver (JML) cycle covers requests to define an employee's permissions when joining the company, moving to a new role, and leaving the organization. These permissions are derived from the employee's organizational function, so a move means revoking what the old role needed and granting what the new one requires, and a departure means revoking everything.
  2. Certification and recertification (that is, permission request and removal) covers the case where an employee requests a specific permission for a task or project rather than as part of a role, and the later review that confirms the permission is still needed or removes it.

In one example case, a 42,000-employee enterprise takes an average of 13 days and 6.3 hours of staff time to give each new employee access to the applications needed for their job. This shrinks to 0.9 hours for existing employees, but with 5.5 changes per employee on average each year, that time adds up.

This represents an enormous amount of unnecessary time and cost, especially for tasks that are characteristically rote rather than critical.

If it was just a matter of carrying out this process for a small number of employees at a startup, it probably would not be such a big deal. But for companies with over 2,500 employees, it is a very different story. Manual permission management is not an option if you want your IT or security teams to focus on the things that matter most.

Automating Identity and Access Management
The time employees spend waiting for access approval is paid time during which they are not working. As noted above, the time employees spend entering and resetting passwords, and the time IT staff spend handling those resets, adds up as well. It is an unnecessary and costly allocation of resources.

The crux of the problem is not only understanding which roles need access to which application assets but determining what is the right level of access. The faster this can be achieved with less human intervention, the greater the efficiency and cost-saving.

New automated solutions that harness machine learning hold promise to help IT and security teams with smart recommendations about where to direct their efforts. Prioritization is essential when managing thousands or tens of thousands of identities.

Adrift in a sea of identities, organizations easily lose track of which permissions they have granted. The result is permission sprawl and unnecessary exposure. Automated tracking of users, their roles, and the permissions granted to them, compared against what each role actually requires and what is actually being used, can dramatically reduce the risk of unused entitlements that attackers exploit to gain access to valuable assets.
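The two processes above, the JML lifecycle and the detection of unused or out-of-baseline entitlements, reduce to set arithmetic over a role model once the data is in one place. The following Python script is an added example written for this article, not code from the author, from Authomize, or from any IGA product. The role definitions, user records, last-use dates, and the 90-day staleness threshold are all constructed, hypothetical data; entitlements are modelled as (application, permission) pairs. It computes the revoke/grant list for a joiner, a mover, and a leaver from the same diff, and flags entitlements that sit outside a user's role baseline or have gone unused past the threshold.

```python
"""Entitlement review example (hypothetical): JML diffing and stale-permission detection.

Added example, not from the article or any vendor. All roles, users, and dates
below are constructed sample data.
"""
from datetime import date

# Constructed role model: each role's baseline of (application, permission) pairs.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {("erp", "ledger.read"), ("bi", "dashboard.view")},
    "finance-manager": {("erp", "ledger.read"), ("erp", "ledger.approve"),
                        ("bi", "dashboard.view")},
    "sales-rep": {("crm", "opportunity.edit"), ("bi", "dashboard.view")},
}

# Constructed user records: current role plus granted entitlements mapped to
# their last-use date (None = granted but never used). Alice still holds a CRM
# permission left over from an earlier job: classic permission sprawl.
USERS = {
    "alice": {"role": "finance-analyst",
              "granted": {("erp", "ledger.read"): date(2024, 8, 30),
                          ("bi", "dashboard.view"): date(2024, 5, 1),
                          ("crm", "opportunity.edit"): None}},
    "bob": {"role": "sales-rep",
            "granted": {("crm", "opportunity.edit"): date(2024, 8, 28)}},
}


def entitlement_diff(current, target):
    """Return (to_revoke, to_grant) that moves `current` to `target`.

    Joiner: `current` is empty.  Leaver: `target` is empty.
    Mover: both sides are role baselines, so only the delta changes.
    """
    return sorted(current - target), sorted(target - current)


def jml_change(user_name, new_role=None):
    """JML in one call: new_role=None means the user is leaving.

    Unknown users are joiners (no current entitlements).
    """
    current = set(USERS.get(user_name, {}).get("granted", {}))
    target = ROLE_ENTITLEMENTS[new_role] if new_role else set()
    return entitlement_diff(current, target)


def review_user(user_name, today, stale_after_days=90):
    """Flag entitlements outside the role baseline or unused past the threshold.

    `today` may be a date or an ISO-8601 string. Returns sorted lists so the
    output is stable for reporting and testing.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    user = USERS[user_name]
    baseline = ROLE_ENTITLEMENTS[user["role"]]
    granted = user["granted"]
    excess = sorted(e for e in granted if e not in baseline)      # sprawl
    missing = sorted(e for e in baseline if e not in granted)     # under-provisioned
    stale = sorted(                                               # unused or never used
        e for e, last_used in granted.items()
        if last_used is None or (today - last_used).days > stale_after_days
    )
    return {"excess": excess, "missing": missing, "stale": stale}


def review_all(today, stale_after_days=90):
    """Run the review across every known user."""
    return {name: review_user(name, today, stale_after_days) for name in USERS}


if __name__ == "__main__":
    for name, findings in review_all("2024-09-01").items():
        print(name, findings)
    print("carol joins as sales-rep:", jml_change("carol", "sales-rep"))
    print("alice -> finance-manager:", jml_change("alice", "finance-manager"))
    print("bob leaves:", jml_change("bob"))
```

Two design points carry over to a real deployment. First, "stale" is driven by observed use, not by the role model, so a permission that is in the baseline but never exercised still surfaces for recertification. Second, the mover path revokes before it grants, which is the order that keeps a user from accumulating the union of every role they have ever held.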

Predicting the Next Stages for Identity Governance Administration
Permission management has a lot of catching up to do before it reaches the robustness and adoption of SSO-related tools. In many ways it is a harder lift, because it requires more nuanced decision-making than determining whether someone is who they say they are. It requires asking who is authorized to access and execute what.

It will require faster implementation with better APIs and demonstrated value over current options. In the near term, we predict identity governance and administration (IGA) solutions will provide better recommendations on how to manage granting and revoking permissions, speeding up the process significantly. We anticipate that the next step in the IGA evolution will enable us to spend less time waiting for approvals and more on getting work done.

Dotan Bar Noy serves as Authomize's co-founder and CEO. Prior to co-founding Authomize, Dotan was product management leader of the "Infinity Next" platform at Check Point Software, following the successful acquisition of ForceNock Security, where he served as Co-Founder and ...