Least privilege demands that identity goes beyond IAM teams to app, data & security teams
Veza's Identity Radicals Newsletter - October 2024

In today’s digital landscape, identity has evolved from being a narrowly defined IT problem into a critical, organization-wide priority for cybersecurity teams. Historically, managing identity was a challenge handled predominantly by the IT department, which was tasked with granting and revoking access to systems, applications, and data. However, in an era defined by ever-expanding cloud environments, remote work, and increasingly sophisticated cyber threats, solving access challenges and achieving least privilege is no longer just an IT concern. It requires collaboration from multiple teams (app teams, data teams, cloud engineering teams, IT teams, etc.) across the enterprise.

At Veza, we are empowering organizations to strive for least privilege beyond the traditional scope of IAM; teams across Security operations (SecOps), application owners, data owners, cloud engineering teams, governance and audit teams now all work together to tame the “wild west” of access. There is no other way to address the challenge of attaining least privilege - we must bring every team on the journey. 

As organizations grow and privilege sprawl increases, access to critical resources becomes harder to manage, increasing the risk of improper access that could lead to a security breach. With 2024 seeing the first billion-dollar breach, it has never been more important to get a definitive handle on access. The solution? Organizations need to achieve and maintain least privilege, giving them the power to confidently answer the question: “Who can take what action on what data?”

How different teams collaborate to achieve least privilege

This question, once simple in scope in the on-premises days, now sits at the heart of a broader, organization-wide mission to reduce risk, improve operational efficiency, and ensure compliance. Several teams play key roles in tackling access management, and their collaboration is essential to achieving least privilege.

Identity Security: A Joint Effort

There are many different quadrants, acronyms and categories applied to the “access problem,” but we believe “identity security” is the proper terminology for this expanding discipline, since it encompasses the philosophies for securing all identities, human and non-human alike, during every phase of the access lifecycle, including audit, governance and compliance. Identity security is therefore a complex, layered process that involves multiple departments, each with distinct but interconnected responsibilities.

Security Operations: The Gatekeepers of Reducing Risk

SecOps teams sit at the frontlines of incidents, charged with protecting the organization’s most sensitive assets. Their primary focus is on reducing identity-related risks and preventing permission sprawl, where users accumulate excessive, dormant, and/or unnecessary permissions over time. Left unchecked, permission sprawl widens the attack surface and exposes the organization to security incidents.

To address these challenges, SecOps teams engage in privileged access monitoring, ensuring that users with elevated privileges are granted only the minimum access necessary to perform their jobs. This is essential for preventing a range of attack vectors, including insider threats and external attackers who seek to exploit privileged accounts. Privileged access is not the only access that can be exploited, however. With the increased adoption of the cloud and the explosion of non-human identities (NHIs), which now outnumber human identities 17 to 1, all access is a potential attack vector, including access held by machine and service accounts. SecOps alone therefore cannot solve the access challenge. Their efforts must be reinforced by IAM teams and by app and data owners who help monitor and manage permissions across the enterprise.

IAM Teams, App Owners, Data Owners: Custodians of the Access Lifecycle

IAM teams play a critical role in managing the access lifecycle of employees, from the moment they join the company to the day they leave. This process is often referred to as the Joiners, Movers, and Leavers (JML) lifecycle. Users should be granted an appropriate level of access when they join the company, have their access adjusted when they change roles or departments, and promptly lose access when they leave the organization. The same discipline applies to NHIs: service accounts and integration credentials should be granted when a new integration is connected and revoked when an application is retired or replaced.

One of the biggest challenges for IAM teams is paying down the organization’s “access debt.” Similar to the commonly used term “tech debt,” access debt is the accumulation of permissions by users who no longer need them. This occurs naturally in an organization: access is never cleaned up with the same urgency with which it is requested. Because the speed of access has not historically matched the speed of business, IAM teams have traditionally been cast as naysayers to growth. In today’s environment there is no longer room for this outdated stereotype. IAM teams must collaborate with app and data owners to share joint responsibility for determining who should receive access to what, and for how long.

Together, these teams must continuously review and revoke outdated access rights to maintain the principle of least privilege.
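The access questions raised in this section (the JML lifecycle, access debt, and the “who can take what action on what data?” question from the opening) can be made concrete with a small access-graph model. The following is an added example written for this newsletter, not Veza’s code or product. The identities, roles, permissions and usage records are constructed sample data, and the schema (identities hold roles, roles hold permissions and may nest other roles, an HR or inventory status per identity, a usage log of last exercised permissions) is an assumption chosen to illustrate the ideas.

```python
"""Added example (not Veza's code): a toy access graph that answers
"who can take what action on what data?" and surfaces two kinds of access debt:
  1. leavers and decommissioned NHIs that still hold permissions (a JML failure)
  2. permissions held by active identities that have not been exercised
     within the review window (dormant permissions)
All data below is constructed for the example."""
from datetime import datetime, timedelta

# Constructed identities: humans and NHIs alike, each with a lifecycle status
# taken from the HR system (humans) or the integration inventory (NHIs).
IDENTITIES = {
    "alice":       {"kind": "human", "status": "active",         "roles": ["analyst"]},
    "bob":         {"kind": "human", "status": "left",           "roles": ["analyst", "db_admin"]},
    "etl-svc":     {"kind": "nhi",   "status": "active",         "roles": ["etl"]},
    "legacy-sync": {"kind": "nhi",   "status": "decommissioned", "roles": ["db_admin"]},
}

# Constructed roles: (action, resource) grants; ("role", name) nests another role.
ROLES = {
    "analyst":  [("read", "warehouse.sales")],
    "etl":      [("read", "s3://raw"), ("write", "warehouse.sales")],
    "db_admin": [("role", "analyst"), ("delete", "warehouse.sales"), ("admin", "warehouse")],
}

NOW = datetime(2024, 10, 15)  # fixed clock so the example is deterministic

# Constructed usage log: (identity, action, resource, when it was last exercised)
USAGE = [
    ("alice",   "read",  "warehouse.sales", NOW - timedelta(days=3)),
    ("etl-svc", "read",  "s3://raw",        NOW - timedelta(days=1)),
    ("etl-svc", "write", "warehouse.sales", NOW - timedelta(days=200)),
]


def role_permissions(role, seen=None):
    """Expand a role and any nested roles into a flat set of (action, resource)."""
    seen = set() if seen is None else seen
    if role in seen:  # guard against cycles in the role graph
        return set()
    seen.add(role)
    perms = set()
    for action, target in ROLES.get(role, []):
        if action == "role":
            perms |= role_permissions(target, seen)
        else:
            perms.add((action, target))
    return perms


def effective_permissions(identity):
    """Every (action, resource) an identity can exercise through its roles."""
    perms = set()
    for role in IDENTITIES[identity]["roles"]:
        perms |= role_permissions(role)
    return perms


def who_can(action, resource):
    """Who can take this action on this data? Status is deliberately ignored:
    a leaver who still holds the role can still exercise it."""
    return {name for name in IDENTITIES if (action, resource) in effective_permissions(name)}


def leaver_access():
    """JML check: non-active identities (humans who left, NHIs whose integration
    was decommissioned) that still hold permissions and should be revoked."""
    return {name: effective_permissions(name)
            for name, meta in IDENTITIES.items()
            if meta["status"] != "active" and effective_permissions(name)}


def dormant_permissions(now=NOW, window_days=90):
    """Access debt: permissions of active identities not exercised within the
    window. A permission that was never used at all also counts as dormant."""
    last_used = {}
    for identity, action, resource, ts in USAGE:
        key = (identity, action, resource)
        last_used[key] = max(ts, last_used.get(key, ts))
    cutoff = now - timedelta(days=window_days)
    dormant = []
    for name, meta in IDENTITIES.items():
        if meta["status"] != "active":
            continue  # non-active identities are reported by leaver_access()
        for action, resource in sorted(effective_permissions(name)):
            ts = last_used.get((name, action, resource))
            if ts is None or ts < cutoff:
                dormant.append((name, action, resource))
    return dormant


if __name__ == "__main__":
    print("can delete warehouse.sales:", sorted(who_can("delete", "warehouse.sales")))
    for name, perms in leaver_access().items():
        print(f"revoke ({IDENTITIES[name]['status']}): {name} -> {sorted(perms)}")
    for name, action, resource in dormant_permissions():
        print(f"dormant: {name} {action} {resource}")
```

Two design points carry over to real tooling. First, who_can deliberately ignores lifecycle status: the answer to “who can take what action” must reflect what the systems will actually allow, not what HR believes, which is exactly how a leaver or a decommissioned service account turns into a finding. Second, nested roles are expanded with a cycle guard, because the inherited read permission that bob and legacy-sync receive through db_admin is the kind of indirect grant that manual reviews miss.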

Governance and Audit: Enforcers of Compliance

Given the scope of managing permissions at the enterprise level, this constant vigilance against privilege sprawl cannot be achieved without automation. Governance and audit teams have traditionally applied vast resources to tedious access reviews which, in the best case, result in very slow remediation or, in the worst case, produce a meaningless “rubber stamp” that gets an organization through the regulatory red tape required to keep operating. Manual attempts to audit access set governance teams up for failure. Unfortunately, legacy Identity Governance and Administration (IGA) tools don’t provide much help either. Designed for on-prem environments, IGA tools track only the identities that appear in the organization’s HR system (known humans in known systems), often missing access to systems adopted outside of IT cycles or, again, permissions granted to NHIs.

The Road to Least Privilege: Securing Non-Human Identities (NHIs)

Striving toward the principle of least privilege is a team sport, and the failure of one department can have ripple effects across the entire organization. On the other hand, when identity security is placed at the forefront of an organization’s key initiatives, the benefits are felt across teams and the entire enterprise.

You may have noticed that NHIs were mentioned many times throughout this article, often sitting at the core of each of the issues above: visibility, scale, tooling, and more. This is a small indication of the massive role NHI management plays in identity security today. Security teams are being forced to rework their perception of “identities,” accepting that access granted to non-human users is still access. Bad actors take an equal-opportunity approach to breaches; they will exploit any set of permissions they can, whether those permissions belong to a human or to a service account.

Given the immense potential for identity blind spots associated with the ever-expanding number of NHIs, it is critical that security teams integrate strategies for securing NHIs into their overarching security posture. I highly encourage every practitioner to attend Veza’s upcoming NHI Summit 2024 to do just that: explore new strategies for managing NHIs, collaborate with other security professionals on NHI access philosophy, and adopt a plan of action to take back to their organization. Registration for the summit is now open.

Identity security is an enterprise-wide challenge that requires collaboration from every team. When organizations can confidently answer “who can take what action on what data?”, least privilege is within reach.

Making least privilege a reality at the enterprise level is Veza’s mission. We believe that automation is the future of identity security and we’re building every day to help organizations realize a future of complete visibility, automatic remediation and continuous compliance. Learn more about Veza’s automated access revocation and access remediation.
