Identity and access management isn’t new, but it is coming into greater and greater prominence. It is a framework composed of technologies and policies that include multi-factor authentication, single sign-on, password management, device fingerprinting and more. It also encompasses control schemes such as role-based and attribute-based access control.
Through rigorous IAM implementation, members of your workforce can verify their identities in ways that make impersonating them much harder.
In addition, enterprises can use control schemes to prevent malicious insiders from stealing important data. Technologies like single sign-on make it possible to impose these more rigorous controls without overburdening users.
Unfortunately, few, if any, technologies are error-proof. A survey from the 2019 RSA conference shows that many businesses make errors when implementing IAM and privileged access management (PAM). Additional data, however, shows that fixing these errors isn’t at the top of companies’ priority lists.
What are the Most Common IAM Mistakes?
Here are the IAM errors that you should look out for, and address quickly.
1. Decentralized IAM
In some companies, different branches or departments use different IAM applications. This leads to privilege creep, among other things. For example, if an employee moves to a new department, the IAM administrator in the new department doesn’t know if the old department revoked the employee’s access permissions -- and has no way to check. An employee with access permissions from two separate departments exposes the enterprise to greater danger if they choose to act maliciously.
2. Weak Identity Controls
This includes a number of related issues. For example, weak identity controls might mean neglecting to require users to create strong passwords. It might mean forgetting to turn on multi-factor authentication or device fingerprinting.
Weak identity controls frequently persist in organizations where an increased focus on security is thought to get in the way of productivity. You can fix this by implementing strong, low-friction security. For example, by requiring an additional authentication factor only when a device fails a fingerprinting check, you’ll gain most of the benefit of both technologies without slowing anyone down.
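The step-up policy described above, as an added example that is not code from the article: a device fingerprint is a hash over whatever attributes the fingerprinting step collects (the attribute names here are assumed), a recognised device needs only the first factor, an unrecognised one also needs a second factor, and a device that passes the second factor is enrolled so the friction is paid once.

```python
import hashlib
import hmac

# user -> set of fingerprint hashes for devices that have passed step-up before
KNOWN_DEVICES = {}

def fingerprint(attrs):
    """Stable hash over the collected device attributes.
    Keys are sorted so attribute order never changes the result."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()

def enroll_device(user, attrs):
    """Record a device as known for this user (after a successful step-up)."""
    KNOWN_DEVICES.setdefault(user, set()).add(fingerprint(attrs))

def required_factors(user, attrs):
    """Password only on a recognised device; password plus a second factor otherwise."""
    fp = fingerprint(attrs)
    known = KNOWN_DEVICES.get(user, set())
    if any(hmac.compare_digest(fp, k) for k in known):
        return ["password"]
    return ["password", "mfa"]

def complete_step_up(user, attrs, second_factor_ok):
    """Called once the extra factor has been checked; enrolls the device on success
    so the next login from it falls back to the low-friction path."""
    if second_factor_ok:
        enroll_device(user, attrs)
    return second_factor_ok

# Constructed sample: attribute names are an assumption, not from the article.
LAPTOP = {"os": "macOS 14.2", "browser": "Firefox 121", "screen": "2560x1600", "tz": "Europe/Berlin"}
UNKNOWN = {"os": "Windows 11", "browser": "Edge 120", "screen": "1920x1080", "tz": "America/New_York"}

if __name__ == "__main__":
    enroll_device("alice", LAPTOP)
    print(required_factors("alice", LAPTOP))   # ['password']
    print(required_factors("alice", UNKNOWN))  # ['password', 'mfa']
```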
3. No (Or Few) Access Limitations
Another major problem is the lack of access control schemes. Role-based access control, for example, gives you access only to the files and applications that you need in order to do your job – nothing else. Without these control schemes, any authenticated user can access any object in the network, no matter what they do within your organization. This problem can be common in smaller companies, or in growing organizations that are constantly adding new roles and personnel.
4. “Fire and Forget” IAM Controls
Growing companies constantly change, which means that employees are constantly changing positions – and the nature of these positions can change as well. Companies that don’t update their employees’ access permissions once they change roles will quickly find that their workforce has extremely broad access. This can easily be exploited by attackers – a single stolen credential will be able to unlock a large number of files and applications.
5. Manual Onboarding
“Fire and forget” access controls often go hand in hand with manual onboarding procedures. Imagine that you’re an administrator and you potentially need to grant an employee access to dozens of applications when they join the company. What’s more, you need to manually set them up as a new user on each of these applications. You’d probably do your best never to revisit this process, right?
Manual onboarding processes make mistakes more likely. Companies might give new employees too many privileges at the outset, or forget to revoke privileges once they leave or move on to new roles. Companies should onboard automatically instead. If an employee needs privileges beyond the scope of those earmarked for their role, companies should consider adding privileges that automatically expire after a specified period.
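The role-based, automatically expiring model recommended in points 4 and 5 above, as an added example (not code from the article): standing access comes only from the current role, out-of-role access is always time-boxed, and a role change replaces the old role's access instead of adding to it, which is what stops the privilege creep described under point 1. The roles and permission names are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role-to-permission map; an assumption, not from the article.
ROLE_PERMISSIONS = {
    "sales": {"crm:read", "crm:write"},
    "finance": {"ledger:read", "ledger:write", "crm:read"},
}

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time

def hours(n):
    return timedelta(hours=n)

@dataclass
class TemporaryGrant:
    permission: str
    expires_at: datetime

@dataclass
class User:
    name: str
    role: str
    grants: list = field(default_factory=list)

def onboard(name, role):
    """Automatic onboarding: the only standing access is what the role defines."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    return User(name=name, role=role)

def grant_temporary(user, permission, ttl, now):
    """Access beyond the role is always time-boxed; nothing added here is permanent."""
    user.grants.append(TemporaryGrant(permission, now + ttl))

def change_role(user, new_role):
    """A move replaces the role; old-role access and its temporary grants are dropped."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {new_role}")
    user.role = new_role
    user.grants.clear()

def effective_permissions(user, now):
    """Role permissions plus only those temporary grants that have not yet expired."""
    live = {g.permission for g in user.grants if g.expires_at > now}
    return ROLE_PERMISSIONS[user.role] | live

def expire_grants(user, now):
    """Periodic sweep so the stored record matches what is actually in force."""
    user.grants = [g for g in user.grants if g.expires_at > now]
    return len(user.grants)
```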
6. Failing to End Access of Legacy Applications
About 75 percent of companies have SaaS applications that are being paid for, but which are no longer used. In fact, unused applications represent about 30 percent of enterprise software in total. While this oversight definitely represents a waste of money, it’s also a security risk.
Even though an application isn’t being used, it’s probably still part of a workflow somewhere, which means that it’s allowed to view and modify data from other applications. If an attacker finds a login for an unused application, they can see all the data (and modify any of it) that the application is allowed to access.
Implement Strong IAM Controls for Added Security
IAM is at the foundation of an improved security approach, but a poorly implemented IAM solution doesn’t solve much. It’s worth periodically auditing the way that you use IAM in order to understand if you’ve fallen victim to any of the traps above – and it never hurts to keep learning more ways to use IAM better.