Identity sprawl is rapidly growing, yet 67% of organisations don’t know how to address it, says Field Chief Technology Officer Wade Ellery
Field Chief Technology Officer Wade Ellery discusses identity sprawl, IAM, and how organisations can overcome identity sprawl issues and combat budget restraints.
Can you summarise the identity crisis?
In today’s rapidly expanding IT infrastructure, we are experiencing an explosion of unmanaged user information. For many organisations, each individual user doesn’t have a single unique identity. The mass trend of digitisation across industries has led to businesses using multiple different systems and applications within their networks. For example, an organisation might be using HR systems, SaaS applications, Active Directory, LDAP directory services, identity-as-a-service solutions, and much more. These systems or apps are rarely in one place. Some are in the cloud, and some are on-premise and the same user might exist in many of them, with a different identifier and different attributes.
So, an employee likely has to access multiple systems, located in different repositories, often using different devices. This means identity data exists in multiple forms, scattered across multiple repositories. We call this identity sprawl—and that’s where the identity crisis starts.
Organisations are finding it extremely challenging to establish who has access to what resources, thus creating complexity in administering access rights. It’s also creating complexity in terms of effectively provisioning and de-provisioning user accounts when an employee joins, changes departments, or leaves the company.
In fact, the latest research commissioned through Gartner Peer Insights shows that 61% of businesses are finding identity management to be a very time-intensive and costly process, even with a centralised or designated team. The consequence of this complexity is also evident, as 84% of the organisations suffered an identity-related breach last year.
What is IAM?
Identity and Access Management or IAM refer to security tools, processes, and policies that are used to manage user accounts and authenticate access requests. IAM is an overall framework to verify user identities and grant them authorised access to specific applications, systems, and services within an enterprise network.
These solutions help organisations assign different levels of access to each individual user based on their identities and roles. They help to effectively manage the flow of different identities within the network and prevent sensitive data from being accessed by anyone without privileged permissions.
What kind of identity breaches are we seeing?
According to a recent report published by IDSA, phishing was the most common type of identity-related breach organisations experienced last year. Almost 59% of the companies were successfully targeted by phishing or spear phishing, while 36% experienced privilege abuse due to inadequate management of access privileges. Moreover, 33% of the businesses suffered a breach from stolen credentials, and 23% experienced a brute-force attack such as credential stuffing or password spraying.
While there are many underlying factors contributing to these attacks, identity sprawl is often at the root of such incidents. The proliferation of identity data across the enterprise leads to inefficiencies in managing this data.
For example, consider the scenario of a phishing attack. When users have multiple different accounts within a network, it becomes almost impossible for security teams to monitor and manage every single attack. If one of these accounts is compromised through a phishing or brute force attack, chances are that your security teams won’t notice it.
So, threat actors can easily gain access to a particular system or application through phished credentials and use it to compromise different systems across the entire network. Because most of these systems are siloed and don’t communicate with others, the breach might remain undetected until the damage is done.
Furthermore, most organisations are not able to enforce strict identity management practices on an individual level. The research through Gartner Peer Insights showed that 85% of IT/Infosec leaders are concerned about users logging into personal applications with their work credentials. So, this is another crucial factor that drives attacks like phishing and privilege abuse.
Why are tech leaders failing to address identity sprawl within their organisations?
It mostly boils down to budget constraints and the lack of effective investments in identity security tools. Nearly 71% of tech leaders are frustrated about not having enough budget to progress with identity-based projects.
Even with the allocated budget, they are investing in traditional security tools that are not designed to manage the complexity of identity sprawl at a large scale. For example, we see businesses still invest in solutions like single-on, privileged access management, and identity governance. Although these tools are cornerstones of secure identity infrastructures, they don’t provide any function to simplify identity data management
More importantly, these tools can’t break down the silos between different applications and foster cross-functional collaboration. They can only pull identity data from the system or application they are applied on.
For instance, if you’re using a PAM solution on your SaaS application to authenticate users, it will only pull data from the adjacent repositories or databases of that system. So, any other employees that might require access to the platform won’t be authenticated because their access privileges are not defined on the SaaS repository.
These instances not only lead to security issues but also impacts productivity. Employees become constantly frustrated because they can’t access the resources they need–leading to wasted time, reduced productivity, and depleted support.
The increasing time and cost of integration is another reason why leaders constantly fail to address identity sprawl. As new silos of identity continue to appear in organisations, this new data will have to be integrated into all existing identity solutions and services. Sometimes, the existing solutions and infrastructures need to be customised to accommodate successful integration. This is a challenging task that can drag on for months or years, thus significantly increasing cost.
How can organisations overcome the most common negative impacts of identity sprawl?
To effectively overcome identity sprawl, organisations need to create unified profiles of all their users and their associated elements across all sources of identity data. In practice, this requires a mass-scale integration project – including the aggregation of identity data, correlation and linking of user accounts, data transformation, and normalisation.
The primary challenge behind this effort is that all of this identity data is available across different repositories in different formats and schemas. They also have varied protocols and APIs. So, even when you build this global profile, you’ll need to customise the identity infrastructure to synchronise changes and read the data in all available formats. This sort of custom and mass-scale integration project requires a significant investment of time, cost, and other resources, which can strain your security budget and often exhaust the teams.
How can organisations combat ongoing budget restraints?
The answer lies in a transformative and centralised data management approach called an ‘Identity Data Fabric’. It’s a constructive approach to unifying distributed identity data from all sources within an enterprise network – turning identity data into a flexible, resilient, and reusable resource that can be accessed on-demand whenever and wherever needed.
The concept behind this approach is to provide a connective layer between the consumers of identity data and all the silos. The consumers are all the applications, services, IoT devices, IAM, and PAM solutions that require user data to provide access and governance. Identity Data Fabric attains data from all sources, whether they’re interconnected or disjoined, consolidates the data into unique global user profiles, and delivers them to all the consumers in real-time. Because this entire process works at the data layer, no changes or optimisation is required at the application level.
Through this approach, applications now have one reusable service that they can connect to for unified and normalised identity data, on-premise or in the cloud, using the format and protocol of their choice. As a result, applications can effectively delegate the complex identity integration work to the fabric and focus on the core capabilities they were designed for.
Businesses that choose to invest in an Identity Data Fabric may not only better streamline their identity management procedures but also get a tangible ROI. For example, we observed that a major cruise ship company experienced 15% revenue growth after implementing this technology. How? The unified data profiles of customers now allowed the company to generate accurate insights into their preferences – thus driving up their sales.
We also observed that companies using this approach can significantly reduce the time-to-market for new projects by at least 6 months. This is because developers can simply add the data fabric framework on top of existing dev environments, instead of making any changes to the app infrastructure or source codes.
Data Fabrics were listed by Gartner as a top technology trend for 2022. Adapting this same concept for the identity management space can vastly simplify how digital identities are managed and secured within an enterprise network. This transformative approach allows organisations to overcome identity sprawl, without having to incorporate the massive cost and complexity of custom integration projects.
This greatly improves an organisation’s ability to reduce common security risks such as users with excess privileges, or accounts from former employees that have erroneously remained active. It also allows organisations to future-proof their identity management, easily scaling up and accommodating any new elements as the company continues to grow and progress in its digital transformation journey.
Written by Wade Ellery, Field Chief Technology Officer at Radiant Logic
Editor's Recommended Articles
Must Read >> Digital identity laws for better trust in big tech
Must Read >> Digital security means managing user identity