Application Security

10:00 AM
Dotan Bar Noy

SSO and MFA Are Only Half Your Identity Governance Strategy

We need better ways to manage user identities for accessing applications, especially given the strain it places on overworked IT and security teams.

In recent years, organizations have started taking authentication much more seriously. While we are still far from where we should be, the good news is we are seeing significant investment in tools that empower workers to be more secure with less hassle.

Single sign-on (SSO) tools like Okta, Microsoft's Azure Active Directory, as well as multifactor authentication (MFA) and even passwordless, have become commonplace. This is especially true in large enterprises, where time spent entering passwords can cost millions of dollars a year.

This is the good news, but it tells only half of the identity and access management (IAM) story. As we increase our reliance on applications, we need to think about how to manage all of these new identities created for accessing them — especially given the strain it places on overworked IT and security teams.

The Rise of the Apps
Working in the modern environment means working through applications. Accessing each application requires a new identity. On an individual level, it can be frustrating to have to deal with so many usernames and passwords. But stepping back to think about managing all those identities across an enterprise becomes downright Sisyphean. Studies show that organizations with at least 1,000 employees use more than 200 applications. However, the average enterprise is much bigger than 1,000 employees.

A 2019 Ponemon Institute survey of IT and security professionals looked at organizations with an average headcount around 15,000. Respondents spent an average of 10.9 hours a year (12.6 minutes per week) entering and resetting passwords. At a rate of $32 an hour for the "rank and file" employee, time dealing with passwords cost companies roughly $5.2 million a year.

Recognizing that lowering security standards — and you can't get much lower than the basic password — was not an option, companies looked for ways other than SSO to speed up the process.

SSO, MFA, and even physical tokens like YubiKeys have enjoyed significant market success because they help confirm a person is who they say they are and has permission to access assets. However, these technologies do not help assess who should have access in the first place.

Navigating the Permission Approval Process
Organizations are increasingly aware they need to reduce their attack surface by granting permissions only to those people who require it to do their job — the principle of least privilege.

The challenge becomes significantly greater for IT and security teams because permission management is more than just which employee should have access to what application; it also must tie a specific permission within the application to the specific data required for the task.

There are two permission-management lifecycles that demand IT and security teams' (and often an application owner's) attention and approval:

  1. The Joiner-Mover-Leaver (JML) cycle involves requests to define an employee's permissions when joining the company, moving to a new role, and leaving the organization. These permission requests depend on the employee's organizational function.
  2. Certification-recertification (aka permission request/removal) covers when employees request a specific permission they need for a task or project, not a specific role.

In one example case, a 42,000-employee enterprise takes an average of 13 days and 6.3 hours of staff time to give each new employee access to the applications needed for their job. This shrinks to 0.9 hours for existing employees, but with 5.5 changes per employee on average each year, that time adds up.

This represents an enormous amount of unnecessary time and cost inefficiency, especially for tasks that are characteristically rote and not critical.

If it was just a matter of carrying out this process for a small number of employees at a startup, it probably would not be such a big deal. But for companies with over 2,500 employees, it is a very different story. Manual permission management is not an option if you want your IT or security teams to focus on the things that matter most.

Automating Identity and Access Management
The time employees spend waiting for access approval is paid time when they are not working. As mentioned, the time spent by IT staff entering or resetting passwords adds up. It's an unnecessary and costly allocation of resources.

The crux of the problem is not only understanding which roles need access to which application assets but determining what is the right level of access. The faster this can be achieved with less human intervention, the greater the efficiency and cost-saving.

New automated solutions that harness machine learning hold promise to help IT and security teams with smart recommendations about where to direct their efforts. Prioritization is essential when managing thousands or tens of thousands of identities.

Lost in the sea of identities, it is easy for organizations to lose track of which permissions they have granted. This can lead to permission sprawl and unnecessary exposure. However, automated tracking of users, their roles, and the permissions granted to them can dramatically reduce the risk of unused entitlements that attackers can exploit to gain access to valuable assets.
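The two lifecycles described earlier (Joiner-Mover-Leaver and task-specific certification) and the entitlement tracking described in this paragraph can be sketched as a small review routine. This is an added illustration, not code from the author or from Authomize, and the role baselines, permission names, users and timestamps in it are all constructed for the example. It flags the three conditions a least-privilege review cares about: a permission outside the holder's current role baseline, a permission unused for longer than a threshold, and a leaver who still holds entitlements.

```python
"""Hypothetical JML and entitlement-review model. Constructed data throughout;
the role baselines and permission names are not from any real system."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed role baselines: the permissions each job function needs (hypothetical).
ROLE_BASELINE: Dict[str, set] = {
    "engineer": {"github:write", "jira:user", "aws:dev-readonly"},
    "finance": {"netsuite:user", "jira:user"},
}

@dataclass
class Entitlement:
    permission: str
    granted_on: datetime
    source: str                      # "role" (from JML) or "request" (certification)
    last_used: Optional[datetime] = None

@dataclass
class User:
    name: str
    role: Optional[str]              # None once the employee has left
    entitlements: Dict[str, Entitlement] = field(default_factory=dict)

def join(user: User, role: str, now: datetime) -> None:
    """Joiner: grant exactly the role baseline, nothing more."""
    user.role = role
    for perm in ROLE_BASELINE[role]:
        user.entitlements[perm] = Entitlement(perm, now, "role")

def move(user: User, new_role: str, now: datetime) -> None:
    """Mover: drop role-derived permissions the new role does not need, then add
    the new baseline. Request-sourced permissions are kept so review() can flag them."""
    old = ROLE_BASELINE.get(user.role, set()) if user.role else set()
    for perm in old - ROLE_BASELINE[new_role]:
        ent = user.entitlements.get(perm)
        if ent is not None and ent.source == "role":
            del user.entitlements[perm]
    user.role = new_role
    for perm in ROLE_BASELINE[new_role]:
        user.entitlements.setdefault(perm, Entitlement(perm, now, "role"))

def leave(user: User) -> None:
    """Leaver: revoke everything."""
    user.role = None
    user.entitlements.clear()

def grant_request(user: User, perm: str, now: datetime) -> None:
    """Certification: a task-specific permission granted outside the role baseline."""
    user.entitlements[perm] = Entitlement(perm, now, "request")

def review(users: List[User], now: datetime,
           unused_after: timedelta = timedelta(days=90)) -> List[Tuple[str, str, str]]:
    """Return (user, permission, finding) triples for entitlements that should be
    recertified or removed under least privilege."""
    findings: List[Tuple[str, str, str]] = []
    for u in users:
        baseline = ROLE_BASELINE.get(u.role, set()) if u.role else set()
        for perm, ent in u.entitlements.items():
            if u.role is None:                       # offboarded but still entitled
                findings.append((u.name, perm, "leaver_retains"))
                continue
            if perm not in baseline:                 # candidate for recertification
                findings.append((u.name, perm, "outside_baseline"))
            last = ent.last_used or ent.granted_on   # never used counts from grant date
            if now - last > unused_after:
                findings.append((u.name, perm, "unused"))
    return findings

def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: one mover with a stale project permission, one leaver
    whose application deprovisioning never happened."""
    t0 = datetime(2021, 1, 4)
    alice = User("alice", None)
    join(alice, "engineer", t0)
    grant_request(alice, "netsuite:admin", t0 + timedelta(days=10))   # project need
    alice.entitlements["github:write"].last_used = t0 + timedelta(days=170)
    alice.entitlements["jira:user"].last_used = t0 + timedelta(days=170)
    alice.entitlements["aws:dev-readonly"].last_used = t0 + timedelta(days=30)
    move(alice, "finance", t0 + timedelta(days=120))
    bob = User("bob", None)
    join(bob, "engineer", t0)
    bob.role = None   # HR marked bob as a leaver, but leave() was never run (constructed defect)
    return review([alice, bob], t0 + timedelta(days=180))

if __name__ == "__main__":
    for name, perm, finding in demo():
        print(f"{name:6} {perm:18} {finding}")
```

In the constructed scenario the review flags alice's `netsuite:admin` twice (it sits outside her new finance baseline and has not been used in 170 days) and flags all three of bob's retained engineer permissions, while her in-baseline, recently used permissions pass. The point of the `source` field is that a mover's role-derived permissions can be dropped mechanically, whereas request-sourced ones need a human recertification decision, which is exactly the prioritization the paragraph argues automation should provide.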

Predicting the Next Stages for Identity Governance Administration
Permission management has a lot of catching up to do to reach the robustness and adoption of SSO-related tools. In many ways, it is a more difficult lift because it requires more nuanced decision-making than determining whether someone is who they say they are. Instead, it requires asking who is authorized to access and execute what.

It will require faster implementation with better APIs and demonstrated value over current options. In the near term, we predict identity governance and administration (IGA) solutions will provide better recommendations on how to manage granting and revoking permissions, speeding up the process significantly. We anticipate that the next step in the IGA evolution will enable us to spend less time waiting for approvals and more on getting work done.

Dotan Bar Noy serves as Authomize's co-founder and CEO. Prior to co-founding Authomize, Dotan was product management leader of the "Infinity Next" platform at Check Point Software, following the successful acquisition of ForceNock Security, where he served as Co-Founder and ...
