What happens when employees have access to data, apps or services that they shouldn’t? Best case scenario: they might know the salaries of all their colleagues and company execs. Worst case scenario: malicious actors exploit that access and extract sensitive business data, causing millions of dollars in damage and irreparable harm to brand reputation.
In past blogs, I wrote how security starts with protecting users and that by verifying the user we greatly reduce the attack surface from “all humans” to just those you actually trust (aka your employees). I also wrote that we want to make sure every device is being used in a secure manner. In other words, by validating every device, we reduce the attack surface even more by limiting the devices that gain access from billions of computers, phones, or tablets to just the select few in the user’s possession.
Verifying users and validating devices represent steps one and two on the road to Zero Trust. But while this combination drastically improves security posture, more layers are necessary to guarantee risks of fraudulent access are no more. Just because a person is who they say they are — and are using a trusted device — doesn’t mean that they should have broad access rights beyond what they need to do their job. Whether by accident or malicious intent, insiders can still misuse their access — or share access with people whom they shouldn’t.
To stop this from happening, you need to vastly reduce the risk associated with the access rights each user has. We do this by limiting user access (even to verified users and validated devices) to only those apps and resources that they need to do their job, and to only when they specifically need to do it. This is step number three that completes the trinity of a Zero Trust security approach: “Verify every user, validate their devices, and intelligently limit their access.”
“One day it’s fine, the next it’s black.” (The accumulation of access creates huge dangers.)
Companies typically grant access to necessary apps and resources as they onboard employees. When an employee moves on, either up the ranks or out the door, we tend to forget about those original grants. We’re all guilty of this. For example, I’m now head of marketing at Idaptive, so I shouldn’t have access to our product source code the same way I did back when I was a product manager. The accumulation of access to data, apps, and services creates serious risks. Instead, we must tailor that access to just what a person needs for the job they perform today — and automatically remove that access when they leave.
That’s easier said than done for IT teams (and sometimes HR) who historically had to manually provision and deprovision users — or at least manually write the rules for role-based access control programs. Someone had to tell IT that an employee’s role had changed, and then IT would have to figure out how that relates to the access that they should or shouldn’t have. We often refer to this process as “lifecycle management,” and provisioning is just one piece of this mammoth responsibility that enterprise teams are tasked with managing.
The role of lifecycle management in the Zero Trust model is critically important because it determines who has which rights on which systems and applications. You can ensure that a user only has access to what he needs to do his job, create reliable reports, and audit those rights at any given time.
IT staff knows that accounts are difficult to manage because:
- Employees are often given more access than they need.
- Access frequently follows them through the course of their tenure at an organization.
- They amass more and more rights over time — even as their positions and roles change.
- Unused accounts and accounts for employees and other users who no longer need them also tend to stay around longer than they should.
Some form of automation and automatic deprovisioning is required. Combining self-service, workflow, and provisioning automation can ensure that users only receive the access they need, help them be productive quickly, and automatically remove their access as their roles change or when they leave the company.
Even if you don’t have hands-on experience with lifecycle management, it’s not hard to see how this spreadsheet-style or “swivel chair” provisioning access can snowball into something both time-consuming and error-prone — leading to an accumulation of access over time. And when employees have access to things they shouldn’t, attackers know that a simple phishing attempt is all it takes to gain insider access and wreak havoc on business systems.
“You Gotta Let Me Know.” (Provisioning and Lifecycle Management enhances visibility and control.)
If you’re saying right now “there has to be a secure, more efficient and maybe even automated way to do this,” you’d be right. The answer lies within a Zero Trust approach powered by Next-Gen Access identity technology.
With Provisioning and Lifecycle Management you can enable users to request access to applications from the app catalog of pre-integrated applications, provide specific users the ability to approve or reject these access requests, and automatically create, update, and deactivate accounts based on roles in your user directory. Provisioning enables users to be productive on day one with the appropriate access, authorization, and client configuration across their devices.
Lifecycle Management should also seamlessly import identities from your preferred HR system or application, including Workday, UltiPro, BambooHR, or SuccessFactors, and provision them (typically) to Active Directory. This enables you to unify your provisioning and HR workflows and have an HR-driven primary system of record for user data across all your applications.
By way of example, with Active Directory (AD) synchronization for Microsoft Office 365, you can keep your AD accounts and Office 365 accounts in sync and automatically provision and deprovision user accounts, groups, and group memberships to simplify Office 365 license management.
Lifecycle Management not only can save IT teams a great deal of time and frustration, but it can ultimately save companies from crippling data breaches. Such is the power of intelligently limiting access as part of a Zero Trust framework.
Read the Zero Trust series here:
Zero Trust Series – 1 What Is Zero Trust and Why Is it So Important?
Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”
Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle
Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.
Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust
Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security
Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.
Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.
Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model