2/5/2021
05:10 PM
Dark Reading
Products and Releases

New Report Reveals Significant Delays Revoking System Access, Impacting Security Risk

Only 34% of organizations report that a typical worker has their system access revoked on the day that they leave, the Identity Defined Security Alliance finds.

DENVER, February 4, 2021 — The Identity Defined Security Alliance (IDSA), a nonprofit that provides vendor-neutral resources to help organizations reduce the risk of a breach by combining identity and security strategies, today released a study on Identity and Access Management which uncovers significant delays in granting and revoking access to corporate systems, impacting operations and introducing risk to the organization. 

According to the study, for the majority of companies (72%) it takes one week or longer for a typical worker to obtain access to required systems. Conversely, it takes half of organizations three days or longer to revoke system access after a worker leaves, creating regulatory compliance issues and the risk of data theft. To make matters worse, for the majority of organizations (83%), remote work and other Covid-19 related factors have made managing access to corporate systems more difficult.

The report, “Identity and Access Management: The Stakeholder Perspective,” is based on an online survey of access stakeholders (human resources, sales managers, and IT help desk professionals) who are impacted by IAM processes and technologies and who interact directly with workers (employees, contractors and vendors) to set up, remove, and resolve access problems.

Despite agreement from access stakeholders that they have responsibility for security, most (62%) report that they would be hesitant to take action and cut worker access in the face of concerning behavior. Only two in five (38%) reported that they would immediately cut off access for a worker who was accessing systems or data inappropriately, leaving the door open for risk due to an insider threat or compromised credentials. 

In addition, seven in 10 (69%) access stakeholders themselves confess to having personally engaged in sloppy system identity behavior, including using the same username and password for both work and personal accounts, using an unauthorized device for work, or sharing credentials with non-workers. Two-thirds (68%) agreed that even though they care about security, it is more important to get their job done.

Two in five access stakeholders (39%) agreed that system access at their company is “messy” and most (83%) believe that system access can be better. Automation may be one key to improving system access challenges. Less than a quarter (23%) report that they automate enabling access to required corporate systems, while only a third (35%) report automation of revoking access when workers leave.

“These numbers are alarming from a security risk perspective. Failing to revoke system access immediately after a worker leaves an organization and when suspicious access is detected presents significant risk,” said Julie Smith, executive director of the IDSA. “The good news for enterprises is that the risks highlighted in the study can be mitigated through enlisting the help of stakeholders, who also want to be a part of the solution, through governance process, automation, and identity-centric security strategies.”

Identity Defined Security Alliance Guidance and Resources

The IDSA has defined best practices and identity defined security outcomes that can help organizations address the access challenges highlighted in the research, improving business operations and reducing risk. For IDSA guidance on the specific access challenges raised in the report, visit https://www.idsalliance.org/blog/2021/02/04/new-research-provides-iam-stakeholder-perspective-on-access-challenges/.

The full IDSA library of identity defined security outcomes and approaches can be accessed at https://securityoutcomes.idsalliance.org/.

To register for the webinar, “IAM Stakeholder Perspective on Access Challenges, Business Operations and Risk,” on March 11, 2021, featuring Diane Hagglund of Dimensional Research and Den Jones, Cisco Director of Enterprise Security, visit

To download the full report, visit https://www.idsalliance.org/identity-and-access-management-the-stakeholder-perspective.

Survey Methodology

Dimensional Research conducted an independent online survey of HR, Sales, and Help Desk professionals in the United States. A total of 313 qualified professionals completed the survey. All participants worked at a company with at least 1,000 employees where a typical employee required access to multiple systems. Survey participants all had direct responsibility for adding or removing access to corporate systems. 

About Dimensional Research

Dimensional Research® provides practical market research to help technology companies make their customers more successful. Our researchers are experts in the people, processes, and technology of corporate IT. We understand how technology organizations operate to meet the needs of their business stakeholders. We partner with our clients to deliver actionable information that reduces risks, increases customer satisfaction, and grows the business. For more information, visit dimensionalresearch.com.

About the Identity Defined Security Alliance

The IDSA is a group of identity and security vendors, solution providers and practitioners that acts as an independent source of thought leadership, expertise and practical guidance on identity centric approaches to security for technology professionals. The IDSA is a nonprofit that facilitates community collaboration to help organizations reduce risk by providing education, best practices, and resources.

 
