Compliant Access Problem Statement

Overview

Organizations are undergoing a dramatic transformation as they realign their business models and sharpen their value propositions for the digital age. This “Digital Transformation” is the very key to an organization’s survival, and a clear and effective strategy is essential to ensuring it achieves maximum impact in delivering its mission. Two key components make up an effective digital transformation strategy: leveraging technology to deliver your organization’s key value proposition better, and outsourcing or offloading the areas that aren’t core to your business.

This strategy has proven successful but, unfortunately, has often led to a fragmented heterogeneous digital landscape in an “employ the best technology wherever you may find it” approach. Admittedly, this does increase worker productivity, agility, and an organization’s ability to collaborate and innovate, but the downside is that users are consuming a patchwork of applications and services (and often from hundreds of providers in the course of their daily work). This practice further complicates and creates new challenges for IT security and compliance teams who must deliver access and ensure compliance for an ever more complex web of on-premise and cloud applications at all times.

In this short article, we will look at the key challenges that organizations face in providing compliant access delivery for cloud and on-premise applications, including:

  • Access Delivery for New Employees
  • Defining Compliant Access for an Organization
  • Inefficient Access Self-Service
  • Outsourced Access Delivery
  • Password Problems
  • Delivering “Real-Time” Compliant Access
  • Verifying Access Compliance

Key Challenges

Access Delivery for New Employees

The first challenge encountered is the number of applications that users require. According to Okta’s recent report, this number has increased to an average of 129 apps—a 68% rise over the past 4 years (2019). The same report shows that approximately 10% of businesses have more than 200. As shown in Figure 1, this is also supported by Blissfully, whose findings state that the average number of SaaS apps for large organizations is 203 (2019).

This app accumulation is, of course, once users have actually been provisioned. Provisioning appropriate “birthright” access for a new employee’s first day is challenging for many organizations. It’s often incomplete and leads to days of lost productivity waiting for access to what they need to perform the very basic of tasks. This lost productivity is both a financial and a reputational cost to the organization: you only ever get one first impression. Unfortunately, the same can be said for onboarding partners and suppliers. The handling processes for non-employees are usually different, but there is a far too often uncanny and unwelcome similarity that sees both fall between the cracks of unclear lines of responsibility and lax controls.

Figure 1 - Number of Apps Per Company (Forrester, 2017)

Defining Compliant Access for an Organization

The volume of work required to provision Compliant Access to such a large number of systems isn’t the sole challenge here. Indeed, the lack of a definition for provisioning appropriate access for each type of employee or supplier to each of these hundreds of systems further complicates the issue.

Commonly, this lack of role definition means appropriate and correct access assignments for specific positions are, quite simply, unknown. Lacking such guidelines, IT organizations are unable to automate the assignment and revocation of access. Consequently, their only recourse is to resort to more costly and inefficient manual processes.

Indeed, one all too widespread practice is for IT staff to clone access from users in similar job positions. The references they use are, typically, users who have been with the company for a prolonged period. From the admin’s perspective this removes any provisioning issues or headaches and, of course, gets the new user ‘up and running’ quickly. However, because of their very longevity, these reference users have likely occupied multiple positions and accumulated access that a new employee does not need and that will likely make the new employee non-compliant. This lack of appropriate access definitions for job positions also makes it unlikely that, when employees move between roles or departments, access is ever removed.

“93% of employees agree a good onboarding experience is critical to influencing a new hire's decision to stay with the organization, yet 29% of employees don't think their organization did the right things in onboarding to help them prepare for and begin their new role.”

CareerBuilder, 2018

Inefficient Access Self-Service

If the reference user does not have all the entitlements required for the new user, then additional access must be manually requested. Either the new employee’s manager will do this, in advance of the new employee’s arrival, or it will be done by the user themselves on their first day. Unfortunately, these paper or electronic requests often present users with unrecognizable technical names and confusing descriptions—they know neither the company, the naming conventions used, nor what they need access to. As they are unable to identify what they need on the form itself, users often resort to filling in the free-text note section and attempting to describe the access they want. This not only dramatically increases the cost of fulfilling requests but also leads to larger numbers of errors and new security vulnerabilities. Furthermore, a significant percentage of access coming from manual, non-role-based requests greatly increases the workload of managers during access recertification, both because of the volume of direct technical entitlements and because of the lack of clarity in their meaning.

Outsourced Access Delivery

The lack of a role-based definition for Compliant Access eliminates the opportunity to automate access management. This, in turn, leads to a large volume of costly manual tasks to manage access as well as to fulfill end-user access requests. These end-user requests often lack clarity, thereby further decreasing the efficiency in processing them in volume. This all contributes to the huge workload of access management tasks for hundreds of heterogeneous systems that are impossible for organizations to process quickly. If you think that sounds expensive, that’s because it is. Unfortunately, and all too frequently, the need to bow to budgetary pressures and restrictions sees most large organizations outsourcing this work to the lowest offshore bidder.

Naturally, the sheer volume of these manual access management tasks and the number of systems involved necessitate large teams to manage them. The major issue with using outsourced contractors is that all of them are given direct access to the applications’ admin consoles with privileged user credentials. Even worse, these outsourced teams have high employee turnover rates. This creates three distinct problems. First, it necessitates constant and expensive retraining on the application-specific user interfaces and security models needed to manage access for hundreds of applications. Second, and a major red flag and severe security threat for your enterprise, is the sheer number of privileged admins that exist in this rapid-turnover external user population. Third is the large attack surface you have given them admin access to.

Note: according to Forrester, in 2017, 24% of confirmed breaches were internal attacks. As shown in Figure 2, 50% of these were due to malicious intent (2017).

Figure 2 - Causes of confirmed breaches in the past 12 months (Forrester, 2017)

Partners are another source of external privileged admins. As part of their Digital Transformation strategy, organizations are committing to much deeper relationships with their suppliers and partners. The potentially huge number of external people requiring access prompts many organizations to outsource a large percentage of the responsibility to the partners themselves. Designated partner admins in the partner organizations are granted the authority to manage identities and access for their people. From their perspective, this helps ease the burden; but, from your organization’s perspective, this again opens the door on many potential security risks and complicates your delivery of Compliant Access.

Password Problems

Once your users have been provisioned with their Compliant Access, the next challenge for them is the impossibility and frustration of knowing, remembering, and maintaining the tens to hundreds of usernames and passwords for the applications they need to use. As we know, each system often has its own password complexity and change-frequency requirements. Managing this overwhelming collection of unique and difficult-to-guess passwords in a compliant fashion is asking too much. As a result, the user opts to use one or two passwords for all systems (according to Forrester, 42% say they prefer to remember their passwords (2018, p. 5)). This not only eliminates the benefits of all the password complexity and other security measures that are in place, but also means that an attacker who uncovers a single password can quickly compromise all of the user’s other applications.

Figure 3 - Workplace Password 'Management' Practices (Forrester, 2017)

  Practice                                                                              Share of respondents
  I tend to remember my passwords without storing them anywhere                         42%
  Write down passwords in a notepad                                                     17%
  Write down passwords in a file/document on my device and protect by password          13%
  Email passwords to myself                                                             11%
  Store passwords by specialized software on my device (e.g., KeePass, Dashlane)        11%
  Store passwords in an online, cloud-based service (e.g., LastPass)                     9%
  Store passwords in the browser on my device                                            9%
  Write down passwords in a file/document on a removable device (e.g. USB stick)         9%
  Write down passwords in a file/document on my device in a plain, unprotected format    9%
  Write down passwords on a sticker that is stored near my computer                      7%
  Don't know                                                                             4%

It is clear that, when the true identity of the user cannot be verified or trusted, or where the password-only model has led to a breakdown in security controls, it is difficult, if not impossible, for an organization to deliver Compliant Access to applications.

A related password problem for organizations is how they handle the situation where a user becomes locked out or forgets a password. The volume of such requests is not only quite high but is often cited as the largest component of helpdesk expenditure (according to Forrester, several large US organizations allocate $1 million towards password-related staffing and infrastructure expenses (2018, p. 2)). As with access management tasks, these activities are frequently outsourced to low-cost third-party service providers. This creates a large population of loosely managed external privileged users who can reset other users’ passwords and, potentially, take over those accounts for malicious purposes.

Delivering “Real-Time” Compliant Access

A different type of battlefront in delivering Compliant Access is the control of “real-time” access to web applications, APIs, and servers. The primary risks here are weak identity verification based on passwords alone, and the granting of all-or-nothing, standing access without any ability to monitor user activity during the session.

Granting static, unmonitored access places an organization in a difficult, unwanted position. First, it loses its ability to ensure that users are acting within the appropriate range of activities for which access was granted. Second, it is impossible to ascertain and verify that data privacy policies were observed throughout the session. In practice, users are typically granted permanent, privileged access to servers, APIs, and legacy on-premise web applications without the ability either to strongly verify the user’s identity and device or to monitor their activities. This creates a security blind spot in which you are unable to ensure that only compliant activities are performed, and you also lack the audit information required to later investigate any subsequent hacking or privilege misuse.

Verifying Access Compliance

“With a new regulatory alert issued every 9 minutes, what are you doing to stay compliant?”

Thomson Reuters Regulatory Intelligence, 2019

A practice employed by regulated and security-conscious organizations is the periodic review of access assignments. This ensures that they are still in compliance with the risk policies of the organization and are still appropriate for the job duties of the person to whom they are assigned. As mentioned, due to the large number of systems accessed by the average user, as well as the static nature of the access assignments, this is a daunting task. The most common type of recertification is the manager’s annual recertification of employees’ access assignments. Here, managers are presented with a list of their direct reports and each report’s access assignments. Due to a lack of automation and role-based access definition, each user may have hundreds of individual access assignments, each of which must be reviewed. These technical entitlements are, by nature, specific to the systems to which they grant access and are likely named using some form of cryptic, non-business-related, and hard-to-understand terminology. The manager must then review each assignment and state whether the access is appropriate and still required, or whether it should be revoked.

The complexity here is that, though managers do understand the activities that are appropriate for their own direct reports, organizations lack a way to map which business activities are granted by each technical entitlement. This lack of business meaning, combined with the volume of decisions to be made, often leads to “rubber stamping” of access assignments without proper analysis. As a result, though the recertification process does check off a requirement for regulatory compliance, from the organization’s perspective it is merely a box-ticking exercise rather than a reliable tool to enhance overall security and reduce the risk profile.
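The two failure modes above, cloning a long-tenured reference user instead of provisioning from a role definition (Defining Compliant Access) and recertifying cryptic entitlement names with no business meaning attached (Verifying Access Compliance), can be made concrete with a small model. The following Python is an added example written for this article, not code from the original paper or from any IAM product: the role definitions, entitlement names, business-meaning mappings, the separation-of-duties rule and the reference user are all constructed sample data.

```python
"""Added example (not part of the original paper): role-based birthright
provisioning, the excess access that comes from cloning a reference user,
and a recertification view that attaches business meaning to entitlements.
All names below are constructed sample data."""

from dataclasses import dataclass

# Constructed mapping from technical entitlement names (as they appear in
# each target system) to the business activity they actually grant.
ENTITLEMENT_MEANING = {
    "SAP_FI_AP_INV_POST": "Post supplier invoices (Finance, Accounts Payable)",
    "SAP_FI_AP_PAY_REL": "Release supplier payments (Finance, Accounts Payable)",
    "SFDC_OPP_RW": "Edit sales opportunities (CRM)",
    "JIRA_PROJ_BILL_ADMIN": "Administer the billing Jira project",
    "AD_GRP_VPN_USERS": "Remote access via corporate VPN",
    "O365_E3": "Office 365 mailbox and collaboration suite",
    "AD_DOMAIN_ADMINS": "Domain-wide administrative rights (privileged)",
}

# Constructed role definitions: the birthright access for each position.
ROLES = {
    "ap-clerk": {"SAP_FI_AP_INV_POST", "AD_GRP_VPN_USERS", "O365_E3"},
    "ap-supervisor": {"SAP_FI_AP_PAY_REL", "AD_GRP_VPN_USERS", "O365_E3"},
    "sales-rep": {"SFDC_OPP_RW", "AD_GRP_VPN_USERS", "O365_E3"},
}

# Constructed risk policy: nobody may both post invoices and release payments.
SOD_CONFLICTS = [("SAP_FI_AP_INV_POST", "SAP_FI_AP_PAY_REL")]

# Constructed reference user: an AP clerk who was once a supervisor and a
# project admin, and still carries a legacy mainframe entitlement nobody
# has documented. This is the "clone source" an admin would reach for.
REFERENCE_USER = {
    "SAP_FI_AP_INV_POST", "AD_GRP_VPN_USERS", "O365_E3",
    "SAP_FI_AP_PAY_REL", "JIRA_PROJ_BILL_ADMIN", "AD_DOMAIN_ADMINS",
    "LEGACY_MF_RACF_X7",
}

UNMAPPED = "UNMAPPED: business meaning unknown, confirm with system owner"


@dataclass(frozen=True)
class ReviewItem:
    entitlement: str   # technical name as seen in the target system
    meaning: str       # business activity, or UNMAPPED
    in_role: bool      # granted by the user's role definition?


def provision_by_role(role: str) -> set[str]:
    """Birthright access for a position: exactly the role definition."""
    if role not in ROLES:
        raise KeyError(f"no role definition for {role!r}")
    return set(ROLES[role])


def excess_from_clone(reference: set[str], role: str) -> set[str]:
    """Entitlements a clone of `reference` would grant beyond what `role` needs."""
    return set(reference) - provision_by_role(role)


def sod_violations(entitlements: set[str]) -> list[tuple[str, str]]:
    """Pairs from SOD_CONFLICTS that are both present in one user's access."""
    return [(a, b) for a, b in SOD_CONFLICTS if a in entitlements and b in entitlements]


def recertification_view(role: str, entitlements: set[str]) -> list[ReviewItem]:
    """What a manager should see: each entitlement with its business meaning
    and whether the role definition explains it. Out-of-role and unmapped
    items are the ones that deserve a real decision instead of a rubber stamp."""
    allowed = provision_by_role(role)
    return [
        ReviewItem(ent, ENTITLEMENT_MEANING.get(ent, UNMAPPED), ent in allowed)
        for ent in sorted(entitlements)
    ]


def flagged(items: list[ReviewItem]) -> list[ReviewItem]:
    """Items the reviewer must justify or revoke: not granted by the role."""
    return [i for i in items if not i.in_role]


if __name__ == "__main__":
    role = "ap-clerk"
    print("Role-based birthright access:", sorted(provision_by_role(role)))
    print("Excess access a clone would grant:", sorted(excess_from_clone(REFERENCE_USER, role)))
    print("SoD violations in the clone:", sod_violations(REFERENCE_USER))
    for item in recertification_view(role, REFERENCE_USER):
        marker = "OK " if item.in_role else "REVIEW"
        print(f"{marker:7} {item.entitlement:22} {item.meaning}")
```

Running the script for the constructed `ap-clerk` role shows the clone carrying four entitlements the role never asked for, including domain-admin rights and a separation-of-duties conflict between posting invoices and releasing payments, and the recertification view marks those four for a decision while presenting the rest as explained by the role. The point of attaching the business-meaning column is that a manager can judge "release supplier payments" for a clerk in a way they cannot judge `SAP_FI_AP_PAY_REL`.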

Summary

To remain competitive, organizations must undergo a digital transformation and both understand and embrace its two key components. First, leveraging technology will strengthen and better deliver their core proposition; second, offloading or outsourcing all non-critical elements will ensure there is no dilution or weakening of their market position. Sadly, for many organizations, this has meant a rash adoption of technologies with several unplanned consequences: namely, a fragmented digital landscape amounting to a legal and compliance disaster, one from which, unless they address the key challenges outlined in this short report, they may struggle to recover.

References

Blissfully. (2019). 2019 Annual SaaS Trends Report. Retrieved December 4, 2019, from Blissfully: https://www.blissfully.com/saas-trends/2019-annual/#ftoc-heading-2

CareerBuilder. (2018, October 30). Job Seekers Are Now in the Driver's Seat and Expect Next-Gen Recruiting and New Hire Experiences, Survey Finds. Retrieved December 16, 2019, from PR NewsWire: https://www.prnewswire.com/news-releases/job-seekers-are-now-in-the-drivers-seat-and-expect-next-gen-recruiting-and-new-hire-experiences-survey-finds-300740167.html

Forrester. (2017). Forrester Data Global Business Technographics® Security Survey. Cambridge, MA: Forrester.

Forrester. (2017). Forrester Data Global Business Technographics® Workforce Benchmark Recontact Survey. Cambridge, MA: Forrester.

Forrester. (2018). Best Practices: Selecting, Deploying, And Managing Enterprise Password Managers: Solutions Reduce The Risk Of Breaches From Compromised Credentials. Cambridge, MA: Forrester. Retrieved December 3, 2019, from https://keepersecurity.com/assets/pdf/Keeper-White-Paper-Forrester-Report.pdf

Okta. (2019). Businesses @ Work. Retrieved December 16, 2019, from Okta: https://www.okta.com/businesses-At-Work/2019/

Thomson Reuters Regulatory Intelligence. (2019, February 4). State of Regulatory Reform. Retrieved December 16, 2019, from Reuters: https://blogs.thomsonreuters.com/answerson/top-10-concerns-for-u-s-compliance-officers-in-2019/