Identity Management Isn’t All Authentication. It’s About Permissions Too

The discourse surrounding identity and access management tends to center on authentication. On the surface, it is easy enough to see why: the majority of attacks begin with compromised or stolen credentials or with bypassed authentication. If hackers obtain the means to enter your network through the authentication portal, detecting them and mitigating the damage can cost valuable time and resources.

Therefore, most attention is paid to how recognized users enter and exit the enterprise network. Often, this takes the form of multifactor authentication (MFA), which includes biometric authentication, geofencing, and other key capabilities. Additionally, many vendors now boast continuous authentication even after the initial login stage through behavioral biometrics and the like.

However, this discourse around authentication tends to neglect conversations about what your recognized employees can actually do on your network once they log in. What sorts of permissions and privileges does the average user have, and how do they gain those permissions? How do they gain new permissions? Who regulates or rescinds them? 

This conversation isn’t speculative. Instead, it speaks to a problem suffered by enterprises around the world: access creep. 

How Access Creep Works Via Permissions

Take the average user, let’s call her Carol. Carol has average credentials for her role in the enterprise (a challenge in itself, but we’ll come back to that). Suddenly, Carol’s coworker becomes sick, and her boss asks her to take over their activities as well as her own. 

To do this, the IT team gives Carol temporary permissions. She does the job fairly well, and eventually, her coworker returns. Except now, the IT team that gave her the permissions is focused on something else and forgets to rescind those temporary permissions.

Now Carol has de facto permanent access both to her own resources, as her job requires, and to those of her coworker. As this cycle repeats over and over again, Carol’s credentials demonstrate access creep, which a savvy hacker can exploit. The more her account can reach within the business network, the more long-term damage a threat actor who compromises it can inflict.

Worse, because the IT team forgot that Carol had these permissions, they may not realize the extent of the damage or even that there is damage until far too late. After all, this activity is “normal” according to the rules of the system. In other words, it won’t trigger an alert. 

Now let’s take the opposite approach: what if Carol becomes hostile to the business? Perhaps she leaves the company disgruntled and decides to take revenge on the network. Your IT team may have rescinded her original permissions…but do they know about the other permissions she possesses?

This is where identity governance and administration (IGA) steps in. It helps regulate how employees receive permissions and provides critical visibility into each employee’s permissions. Further, IGA can set timers on temporary permissions to ensure that employees can’t accumulate permissions by accident.
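As an added illustration, not part of the original article, the following Python models Carol's scenario the way an IGA-style entitlement store would: a role baseline, temporary grants that carry their expiry from the moment they are issued, and a report of everything an account holds beyond its role. Role names, permission strings, users and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed example data: the permissions each role is supposed to carry.
ROLE_BASELINE = {
    "accounts-payable": {"ap:read", "ap:approve-invoice"},
    "payroll": {"payroll:read", "payroll:run"},
}

@dataclass
class Grant:
    permission: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None: nobody set an end date
    reason: str

@dataclass
class Account:
    user: str
    role: str
    grants: List[Grant] = field(default_factory=list)

def grant_temporary(account, permission, now, ttl, reason):
    """Time-bound exception to the role: expiry is fixed at grant time,
    so rescinding it does not depend on anyone remembering."""
    account.grants.append(Grant(permission, now, now + ttl, reason))

def effective_permissions(account, now):
    """Role baseline plus only those grants still live at `now`."""
    perms = set(ROLE_BASELINE[account.role])
    for g in account.grants:
        if g.expires_at is None or g.expires_at > now:
            perms.add(g.permission)
    return perms

def creep_report(account, now):
    """Permissions held beyond the role baseline: the access-creep surface
    a reviewer should confirm or revoke."""
    return sorted(effective_permissions(account, now) - ROLE_BASELINE[account.role])

def demo():
    t0 = datetime(2024, 1, 8)
    carol = Account("carol", "accounts-payable")
    # Covering for a sick coworker: two weeks, then the grant lapses by itself.
    grant_temporary(carol, "payroll:run", t0, timedelta(days=14), "covering for coworker")
    # An open-ended grant with no expiry is exactly how creep accumulates.
    carol.grants.append(Grant("payroll:read", t0, None, "ad hoc request"))
    return {"during_cover": creep_report(carol, t0 + timedelta(days=3)),
            "after_cover": creep_report(carol, t0 + timedelta(days=30))}
```

Running `demo()` shows the timed grant disappearing on its own after the cover period, while the open-ended grant remains in the creep report until a reviewer acts on it.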

IGA Smooths Out the Onboarding and Offboarding Process

In addition to maintaining control over current permissions, IGA enables your business to maintain control over both future and historical permissions as well. IGA can help your enterprise establish set roles for new employees to slot into when they join. These roles each come with an established and modifiable set of privileges so that employees have exactly what they need to do their job and no more. 

Further, IGA can help fully deprovision employees who have left the business, removing all of their permissions along with their accounts. This helps prevent the formation of orphaned accounts, which hackers can exploit later.

You can learn more in our Identity Governance and Administration Buyer’s Guide.


Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.