The security risk of fragmented identities: dealing with the dangers of identity sprawl

Published: Wednesday, 23 June 2021 07:56

Kamel Heus explores the concept of identity sprawl, the risks associated with it, and suggests five best practices which organizations can implement to help ensure a robust identity consolidation strategy.

The events of the last 18 months have driven enterprises large and small, in every industry sector, to hit the fast forward button where digitalisation is concerned. As a consequence, securing critical applications and infrastructure is becoming a much more complicated proposition.

Increased reliance on applications, workloads, and services hosted in the cloud means securing the enterprise’s rapidly evolving hybrid- and multi-cloud architectures in a coherent way is now a top priority. This is no easy task when human and machine identities are proliferating, thanks to the growing volume of microservices, workloads, and DevOps activities.

Ultimately, securely leveraging the benefits of the cloud and successfully growing out cloud ecosystems requires a rethink when it comes to managing digital identities and access. That means dealing with the frustrating and risky problem that confronts growing organizations with diverse systems and platforms: identity sprawl.

The problem with identity sprawl

When a user’s identity is managed by multiple isolated systems or directories that are out of sync with one another, the resulting multiple identities create a potential unsecured attack surface that attackers can target.

‘Identity sprawl’ typically results when an application or system is not, or cannot be, integrated with an organization’s central directory service. This results in the creation of another set of user identities that have to be managed separately to support access to that application or system.

The increased administrative overheads and costs associated with managing all these fragmented identities are just the starting point of the challenge. Alongside making it much more difficult to enforce consistent security and compliance policies, identity sprawl also creates a risk that users will reuse their passwords for different services, leaving the enterprise more vulnerable to credential spying.
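The reconciliation check below is an added example, not code from the article or from any vendor product: it takes a constructed central directory and constructed local account lists from systems that were never integrated with it, and reports where one person holds several identities and which accounts are not linked to any directory identity at all. The alias table is a labelled assumption standing in for whatever mapping a real consolidation project would build.

```python
from collections import defaultdict

# Constructed inventory: the central directory, plus local account stores on two
# systems that are not integrated with it (the situation the article describes).
CENTRAL_DIRECTORY = {"alice", "bob", "carol"}
LOCAL_ACCOUNTS = {
    "legacy-erp":   {"alice", "a.smith", "bob", "svc_backup"},
    "build-server": {"alice", "robert.j", "root_ops"},
}
# Assumed alias mapping (constructed): local account name -> directory identity.
# Anything not in the directory and not in this table is an unlinked identity.
ALIASES = {"a.smith": "alice", "robert.j": "bob"}


def find_identity_sprawl(central, local_accounts, aliases):
    """Return (duplicates, unlinked).

    duplicates: directory identity -> set of (system, account) where the same
                person is known under more than one account name.
    unlinked:   sorted list of (system, account) with no directory identity,
                i.e. identities that can only be managed separately.
    """
    per_person = defaultdict(set)
    unlinked = []
    for system, accounts in local_accounts.items():
        for acct in accounts:
            canonical = aliases.get(acct, acct)
            if canonical in central:
                per_person[canonical].add((system, acct))
            else:
                unlinked.append((system, acct))
    duplicates = {
        person: entries
        for person, entries in per_person.items()
        if len({acct for _, acct in entries}) > 1   # several names for one person
    }
    return duplicates, sorted(unlinked)


if __name__ == "__main__":
    dups, orphans = find_identity_sprawl(CENTRAL_DIRECTORY, LOCAL_ACCOUNTS, ALIASES)
    for person, entries in dups.items():
        print(f"{person}: fragmented across {sorted(entries)}")
    for system, acct in orphans:
        print(f"unlinked identity {acct!r} on {system}")
```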

Privileged user accounts in particular represent a primary target for external attackers looking to compromise corporate data and systems. Having gained control of a privileged account, cybercriminals can operate undetected, potentially for months, under the guise of a trusted user. Using this access, they are then free to steal confidential data, subvert business processes, or launch a ransomware attack. Last year, over 50 percent of US organizations reported grappling with the impact resulting from the theft of privileged credentials.

To reduce the risk of misuse by malicious insiders or external threat actors, organizations will need to adopt a comprehensive approach to privileged access management (PAM), utilising identity consolidation and zero-trust principles to protect users and the enterprise’s assets.

Here are five definitive best practices that can help underpin and enforce a least privileged identity strategy that is the key to reducing the enterprise’s attack surfaces and preventing breaches from occurring.

Centralising identities

Centralising all identities on an identity directory will create a single source of trust that both simplifies the administration of access control, authentication and authorisation for all users and groups, and ensures a consistent approach to privilege security.

Featuring the flexibility that today’s complex enterprise environments demand, leading PAM solutions now make it easy for organizations to use the identity directory that works best for their needs (Active Directory, Okta, Ping and so forth). By connecting UNIX and Linux systems to Active Directory using AD Bridging, and by providing the consolidation capabilities for IaaS environments that are key for cloud transformation, today’s modern PAM solutions offer multi-directory brokering that ensures privileged users can be authenticated against any user directory.

In other words, centralising identity management and minimising identity sprawl is the critical first step that will enable security teams to stay on top of privileged account access management risks in an ever-changing environment.

Binding privileges to identities

Having achieved a unified view of all identities that binds all entitlements, permissions, and privileges to an organization’s preferred directory will further simplify the enforcement of consistent security and compliance policies.

These permissions may allow an individual to perform functions, access data, or administer systems and ideally should be associated with a method of authentication that is most appropriate to the sensitivity or privilege of a user’s access, and the trustworthiness of the devices or locations they will be using and working from. Unlike using shared accounts, binding a user to an identity also ties individual accountability to each identity.

Federated SSO access

For a seamless user experience, enabling federated single sign on (SSO) access to resources from the preferred directory will ensure employees can simply log on as themselves and always receive appropriate permissions. Replacing passwords with secure tokens, federated SSO also gives the enterprise greater control over who has access to what, without disrupting workflows or employee productivity. Users authenticate once, using this authenticated session to access all the applications they are authorised to use.

Just-in-time access

Privileged accounts represent a serious threat to organizations should these fall into the hands of an attacker. By temporarily granting users additional roles and privileges to complete a task that matches their job function, for the exact amount of time it takes to complete the job, organizations can adopt a least privilege approach and enforce granular access controls. So, while it may be legitimate to allow a Web administrator access to systems running Web servers and related management tools, logging into machines that process credit card transactions is not legitimate and remains blocked.

Zero standing privileges

Having implemented a just-in-time elevation of privileges to accomplish a task, organizations need to ensure access is revoked once the task in hand is completed. For example, an employee may only access a particular service during business hours, or for a specific period of time. Once the session is over, access rights are withdrawn, which closes the window of opportunity for potential attackers if a user’s account has been compromised. Utilising today’s modern PAM solutions, access can easily be regranted if required.
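The broker below is an added example, not code from the article or from any PAM product. It models the two preceding practices together: an elevation is granted only when the requested resource class matches the requester’s job function (the Web administrator may reach Web servers but not card-processing hosts), it carries an expiry, and expired grants disappear on the next check, so no privilege stands beyond its window. The job-function table and the clock values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy (constructed): resource classes each job function may be elevated into.
JOB_FUNCTION_SCOPE = {
    "web_admin": {"web_server"},
    "payments_admin": {"card_processing"},
}


@dataclass
class Grant:
    user: str
    resource_class: str
    expires_at: datetime


class JitBroker:
    """Just-in-time elevation with zero standing privileges."""

    def __init__(self):
        self.grants = []

    def request_elevation(self, user, job_function, resource_class, minutes, now):
        # Elevation is only granted into resources that match the job function;
        # anything else stays blocked, exactly as the article's Web-admin example.
        if resource_class not in JOB_FUNCTION_SCOPE.get(job_function, set()):
            return False
        self.grants.append(Grant(user, resource_class, now + timedelta(minutes=minutes)))
        return True

    def has_access(self, user, resource_class, now):
        # Every check first drops expired grants, so access lapses automatically
        # when the task window closes even if nobody revoked it explicitly.
        self.grants = [g for g in self.grants if g.expires_at > now]
        return any(g.user == user and g.resource_class == resource_class
                   for g in self.grants)

    def revoke(self, user, resource_class):
        # Explicit withdrawal when the task finishes early; it can be regranted later.
        self.grants = [g for g in self.grants
                       if not (g.user == user and g.resource_class == resource_class)]


if __name__ == "__main__":
    broker, t0 = JitBroker(), datetime(2021, 6, 23, 9, 0)
    print(broker.request_elevation("alice", "web_admin", "web_server", 30, t0))       # True
    print(broker.request_elevation("alice", "web_admin", "card_processing", 30, t0))  # False
    print(broker.has_access("alice", "web_server", t0 + timedelta(minutes=31)))       # False
```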

Reducing cyber risk by curbing identity sprawl

The growing complexity of enterprise infrastructures means organizations should adopt a ‘never trust, always verify, enforce least-privilege access control’ approach to protecting their sensitive resources and data.

Achieving comprehensive control over who has access to what resources, at what times, why, and for how long begins with curbing identity sprawl and consolidating identities. After that, organizations will be in a stronger position to maintain centralised control and governance over identities and access privileges.

Initiating a comprehensive PAM strategy based on zero-trust principles is the key to reducing the risk of misuse by malicious insiders or external threat actors. Ensuring that only authorised people, machines, or services access the right resources, at the right time, and for the right reasons can condense the organization’s attack surface, while ensuring the productivity of users is optimised.

The author

Kamel Heus is VP EMEA at ThycoticCentrify.