Least Privilege: Reimagining Identity in The Workforce


As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Chip Hughes of ForgeRock reimagines identity in the workforce, with least privilege and zero trust at the center.

The shift to hybrid and remote work, along with “The Great Resignation,” has changed the face of the workforce as we know it. Gartner reported that “macroeconomic, organizational and technology changes” for organizations are leading to “disjointed architectural decisions” as businesses onboard and offboard thousands of workers; workforce identity must evolve with the current landscape and cannot be an afterthought.

As talk of a possible recession continues, IT and business leaders face difficult decisions around technology investments. Still, it’s now more critical than ever for security to remain top of mind. Identity investments can help protect enterprises as workforces continue to evolve. If security gets overlooked, doors could open for cyber-criminals to reach company data and applications through unauthorized access. With breaches costing $9.5 million in the U.S. alone, enterprises need to stay vigilant in protecting valuable data and maintaining customer trust.

To address these challenges, organizations must better align on the principles of least privilege and Zero Trust and use AI and Machine Learning (ML) to springboard least privilege initiatives and drive broader identity governance success.

Enforcing Least Privilege Should Be at the Top of Your Security List

Roughly 350,000 employees entered the U.S. economy in August 2022. As these employees join new organizations, IT must focus on enforcing least privilege, which gives users only the access they need to perform their job. However, maintaining least privilege is a continuous challenge: people change jobs, get promoted, work on special projects, and gain (and lose) responsibilities. Instead of reviewing, granting, and revoking users’ access based on these events, most users only acquire additional access, and inappropriate access is never removed. This leads to high levels of unnecessary access, particularly for employees who have been with a company for many years and across multiple job functions.

Instead of having a good understanding of the access required to do a particular job, organizations often follow a “model me after” paradigm, where a new hire is given exactly the same access as a peer with a similar title or at a similar level. The paradigm does not factor in differences of experience across peers: one person could be a long-tenured employee with experience and roles in multiple parts of the organization, while another just joined the company. Copying the former’s accumulated entitlements onto the latter immediately creates security risk, and each new copy turns the access snowball into a larger one.

Many organizations try to solve over-provisioning challenges by adding processes such as human approvals and access reviews, often making managers part-time security experts, which isn’t a security best practice. Additionally, access reviews are rolled out on a semi-regular basis to address compliance requirements and ensure inappropriate user access is removed. Over time, these processes become ineffective because they are based on human input, and humans grow fatigued, confused, or overwhelmed by the sheer volume of requests and rubber-stamp what is in front of them. This leaves the door open for attackers to keep finding and abusing over-provisioned accounts.

Organizations need to take every opportunity to limit cyber threats. The goal is to take as many review tasks as possible off end-users and managers and only require human review of the riskiest and most anomalous access permissions. To do so successfully, organizations should have corporate-wide alignment on these access policies and use modern tools that leverage AI and ML. AI and ML are very valuable in helping organizations quickly and accurately determine which access should be reviewed by an individual and which access can be automatically certified, resulting in more effective controls, better least privilege enforcement, and much less work for end-users.
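The triage the column describes, splitting entitlements into “safe to auto-certify” and “route to a human”, can be illustrated with a simple peer-group prevalence rule before any ML model is involved. The example below is added here and is not ForgeRock’s code or the author’s; the user list, titles, entitlement names and the high-risk set are all constructed for illustration, and the 50% peer threshold is an assumed tuning value. An entitlement goes to review when it is rare among people with the same title (the accumulated-access case from the text) or when it is on a high-risk list; everything else is certified automatically.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the article): each user has a job title and the
# entitlements (application roles, group memberships) currently assigned to them.
# "dave" is the long-tenured analyst who has accumulated access over several roles.
USERS = {
    "alice": {"title": "analyst", "entitlements": {"crm_read", "reports_view"}},
    "bob":   {"title": "analyst", "entitlements": {"crm_read", "reports_view", "wiki_edit"}},
    "carol": {"title": "analyst", "entitlements": {"crm_read", "reports_view"}},
    "dave":  {"title": "analyst", "entitlements": {"crm_read", "reports_view",
                                                   "payroll_admin", "prod_db_write"}},
    "erin":  {"title": "engineer", "entitlements": {"repo_write", "ci_deploy"}},
    "frank": {"title": "engineer", "entitlements": {"repo_write", "ci_deploy", "prod_db_write"}},
}

# Assumed policy: these entitlements always get a human review, however common they are.
HIGH_RISK = {"payroll_admin", "prod_db_write"}


def peer_prevalence(users):
    """For each title, the fraction of users with that title holding each entitlement."""
    by_title = defaultdict(list)
    for user in users.values():
        by_title[user["title"]].append(user["entitlements"])
    prevalence = {}
    for title, entitlement_sets in by_title.items():
        counts = Counter(e for s in entitlement_sets for e in s)
        prevalence[title] = {e: c / len(entitlement_sets) for e, c in counts.items()}
    return prevalence


def triage(users, threshold=0.5, high_risk=HIGH_RISK):
    """Split each user's entitlements into 'auto_certify' (common among peers and not
    high risk) and 'review' (rare among peers, or high risk). Returns
    {user: {"auto_certify": set, "review": set}}."""
    prevalence = peer_prevalence(users)
    result = {}
    for name, user in users.items():
        peers = prevalence[user["title"]]
        auto, review = set(), set()
        for entitlement in user["entitlements"]:
            if entitlement in high_risk or peers[entitlement] < threshold:
                review.add(entitlement)
            else:
                auto.add(entitlement)
        result[name] = {"auto_certify": auto, "review": review}
    return result


def review_load(triaged):
    """How many (user, entitlement) items a human must look at versus how many are
    certified automatically; shows the reduction in reviewer workload."""
    reviewed = sum(len(v["review"]) for v in triaged.values())
    auto = sum(len(v["auto_certify"]) for v in triaged.values())
    return reviewed, auto


if __name__ == "__main__":
    decisions = triage(USERS)
    for name, d in decisions.items():
        print(f"{name:6s} review={sorted(d['review'])} auto={sorted(d['auto_certify'])}")
    print("items for a human / auto-certified:", review_load(decisions))
```

Running it routes only 4 of the 16 assignments to a person: dave’s payroll and production-database access, bob’s unusual wiki role, and frank’s production-database write, while the entitlements every analyst or engineer holds are certified without a manager touching them. A production system would replace the single prevalence rule with a model that also weighs tenure, recent role changes and actual usage, but the decision boundary it has to learn is the same one shown here.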

The Path Forward: Strategically Implement AI to Make Sense of Data

Implementing a least privilege model can be challenging, and organizations often don’t know what steps to take. It can be a complex task: users have existing access and need to keep performing their day-to-day jobs while it is being cleaned up. AI and ML can help. Applied to an organization’s identity data, these technologies can analyze the environment in a matter of minutes and quickly separate appropriate access from inappropriate access. The same analysis would take humans months to years, with marginal success. AI and ML give technologists a much faster path to success and drive better ways to manage user identities, especially in an increasingly hybrid working world.

Ultimately, this type of technology can have a huge organizational impact, freeing employees up to focus on more strategic initiatives. It can also save companies a significant amount of money and reinforce the notion that access reviews should be taken seriously.

Chip Hughes