“Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.
Take a lesson from The Clash’s hit song and make “If I go there will be trouble, and if I stay it will be double,” your mantra when it comes to managing employees’ access. Modern machine learning and user-based analytics can transform how you intelligently limit access for employees, especially when it comes to de-provisioning users.
What happens when employees have access to data, apps or services that they shouldn’t? Best case scenario: they might know the salaries of all their colleagues and company execs. Worst case scenario: malicious actors exploit that access and extract sensitive business data, causing millions of dollars in damage and irreparable harm to brand reputation.
In past blogs, I wrote how security starts with protecting users and that by verifying the user we greatly reduce the attack surface from “all humans” to just those you actually trust (aka your employees). I also wrote that we want to make sure every device is being used in a secure manner. In other words, by validating every device, we reduce the attack surface even more by limiting the devices that gain access from billions of computers, phones, or tablets to just the select few in the user’s possession.
Verifying users and validating devices represent steps one and two on the road to Zero Trust. But while this combination drastically improves security posture, more layers are necessary to guarantee risks of fraudulent access are no more. Just because a person is who they say they are — and are using a trusted device — doesn’t mean that they should have broad access rights beyond what they need to do their job. Whether by accident or malicious intent, insiders can still misuse their access — or share access with people whom they shouldn’t.
To stop this from happening, you need to vastly reduce the risk associated with the access rights each user has. We do this by limiting user access (even to verified users and validated devices) to only those apps and resources that they need to do their job, and to only when they specifically need to do it. This is step number three that completes the trinity of a Zero Trust security approach: “Verify every user, validate their devices, and intelligently limit their access.”
“One day it’s fine, the next it’s black.” (The accumulation of access creates huge dangers.)
Companies typically grant access to necessary apps and resources as they onboard employees. When an employee moves on, either up the ranks or out the door, we tend to forget about those original grants. We’re all guilty of this. For example, I’m now head of marketing at Idaptive, so I shouldn’t have access to our product source code the same way I did back when I was a product manager. The accumulation of access to data, apps, and services creates serious risks. Instead, we must tailor that access to just what a person needs for the job they perform today — and automatically remove that access when they leave.
That’s easier said than done for IT teams (and sometimes HR) who historically had to manually provision and deprovision users — or at least manually write the rules for role-based access control programs. Someone had to tell IT that an employee’s role had changed, and then IT would have to figure out how that relates to the access that they should or shouldn’t have. We often refer to this process as “lifecycle management,” and provisioning is just one piece of this mammoth responsibility that enterprise teams are tasked with managing.
The role of lifecycle management in the Zero Trust model is critically important because it determines who has which rights on which systems and applications. You can ensure that a user only has access to what he needs to do his job, create reliable reports, and audit those rights at any given time.
IT staff knows that accounts are difficult to manage because:
- Employees are often given more access than they need.
- Access frequently follows them through the course of their tenure at an organization.
- They amass more and more rights over time — even as their positions and roles change.
- Unused accounts and accounts for employees and other users who no longer need them also tend to stay around longer than they should.
Some form of automation and automatic deprovisioning is required. Combining self-service, workflow, and provisioning automation can ensure that users only receive the access they need, help them be productive quickly, and automatically remove their access as their roles change or when they leave the company.
Even if you don’t have hands-on experience with lifecycle management, it’s not hard to see how this spreadsheet-style or “swivel chair” provisioning access can snowball into something both time-consuming and error-prone — leading to an accumulation of access over time. And when employees have access to things they shouldn’t, attackers know that a simple phishing attempt is all it takes to gain insider access and wreak havoc on business systems.
“You Gotta Let Me Know.” (Provisioning and Lifecycle Management enhances visibility and control.)
If you’re saying right now “there has to be a secure, more efficient and maybe even automated way to do this,” you’d be right. The answer lies within a Zero Trust approach powered by Next-Gen Access identity technology.
With Provisioning and Lifecycle Management you can enable users to request access to applications from the app catalog of pre-integrated applications, provide specific users the ability to approve or reject these access requests, and automatically create, update, and deactivate accounts based on roles in your user directory. Provisioning enables users to be productive on day one with the appropriate access, authorization, and client configuration across their devices.
Lifecycle Management should also seamlessly import identities from your preferred HR system or application, including Workday, UltiPro, BambooHR, or SuccessFactors, and provision them (typically) to Active Directory. This enables you to unify your provisioning and HR workflows and have an HR-driven primary system of record for user data across all your applications.
By way of example, with Active Directory (AD) synchronization for Microsoft Office 365, you can keep your AD accounts and Office 365 accounts in sync and automatically provision and deprovision user accounts, groups, and group memberships to simplify Office 365 license management.
Lifecycle Management not only can save IT teams a great deal of time and frustration, but it can ultimately save companies from crippling data breaches. Such is the power of intelligently limiting access as part of a Zero Trust framework.
Read the Zero Trust series here:
Zero Trust Series – 1 What Is Zero Trust and Why Is it So Important?
Zero Trust Series – 2 Like the Night King, Perimeter Defense is Dead
Zero Trust Series – 3 Imposter Syndrome: Why You Can’t Separate the “Good Guys” from the “Bad Guys”
Zero Trust Series – 4 Passwords are Just one Piece of the Cybersecurity Puzzle
Zero Trust Series – 5 The Future of Cybersecurity is Artificial: Intelligence Will Transform Enterprise Governance
Zero Trust Series – 6 Protect, Detect, Deter, Respond is Not a Security Strategy.
Zero Trust Series – 7 Upping the Security Ante: How to Get Teams’ Buy-in for Zero Trust
Zero Trust Series – 8 Next-Gen Access and Zero Trust are the PB&J of Security
Zero Trust Series – 9 Passwords Need Fixing. Zero Trust is the Solution.
Zero Trust Series – 10 The One-Two Punch of Zero Trust. Verify Every User, Validate Every Device.
Zero Trust Series – 11 “Should I Stay or Should I Go?” Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma.
Zero Trust Series – 12 Grow Up! Plotting Your Path Along the Zero Trust Maturity Model
Corey Williams
Corey Williams is the Vice President of Marketing & Strategy and lead evangelist for Idaptive, leading all marketing functions, as well as market development and strategy. Corey served as the Senior Director of Products and Marketing for more than a decade at Centrify where he was the visionary behind, and the first product manager of, the set of products that were ultimately spun out of Centrify to become Idaptive, including leading SaaS services for Single Sign-on (SSO), Adaptive Multi-factor Authentication (MFA), endpoint and mobile context, and User Behavior and Risk Analytics (UBA).
While at Centrify, Corey defined and brought to market seven net-new product offerings directly contributing to the growth of the existing customer base from less than 400 customers to over 5000 customers. He also led efforts with major industry analysts that directly resulted in Centrify being named as a leader in all of the major analyst reports including the Gartner Magic Quadrant and Critical Capabilities reports for Access Management, Worldwide; Forrester IDaaS Wave; KuppingerCole Cloud MFA Leadership Compass; and Network World Clear Choice Winner for Single Sign-on Solutions.
Corey is a frequent speaker and commentator on IT Security and IT Management. He has authored several publications, including “Zero Trust Security for Dummies”, a leading guide for enterprise managers.
Prior to Centrify, Corey led products and marketing for SpikeSource (acquired by Black Duck Software), Syndera (acquired by Tibco), and Journee Software (acquired by Initiate Systems). Earlier in his career, he managed pre- and post-sales consulting for Active Software (acquired by webMethods).
Corey holds degrees in Mathematics (BS) and Computer Science (BS) from New Mexico State University, as well as an MS in Engineering and an MBA from San Jose State University.
CHAMELEON-LIKE SUPERPOWER
If Corey could have any chameleon-like superpower, it would be the chameleon's tongue, which is ridiculously fast. Some of the world's smallest chameleons have the world's fastest tongues. In automotive terms, the tongue could go from 0 to 60 miles per hour in a hundredth of a second! “I would be able to complete webinars in 4.5 seconds instead of 45 minutes!”