Identity and authorization management is a headache for the IT department


According to research by Veza, a security vendor, the average US company has about 1,400 authorizations per employee. Digital transformation brings with it ever more complex access authorizations, so precise privilege management is becoming increasingly important.

Correctly managing identities is imperative to reducing a company's attack surface. The vendor analyzed 1.2 billion permissions, covering all employees, contractors and machine identities such as service accounts. The American company explains that this works out to 1,400 authorizations per employee, a huge figure for IT teams.

Inactive and unattended accounts must also be counted, since, if compromised, they offer attackers a major attack vector. The graphic below shows that the most common identity management platforms are Microsoft's Azure Active Directory (56%), Okta (53%) and Active Directory, Microsoft's on-premises LDAP directory (41%). Note that 30% of organizations use both Azure AD and Okta.

Many machine identities

Machine identities, known as NHIs (non-human identities), outnumber human identities by a ratio of at least 17 to 1. A typical organization adds thousands of service accounts as applications increasingly need to interact with cloud services such as AWS, Azure and GCP.

A considerable number of groups and roles

Thus a company with 1,000 employees has to manage almost 700 groups. Meanwhile, new applications each require thousands of roles, for example Snowflake (2,188 roles) and Salesforce (4,504 roles). Custom apps add an average of 2,836 roles per organization.

Pervasive Implicit Privileges

Although only 0.1% of identity platform users are explicitly designated as privileged accounts (e.g. administrators), implicit privileges abound. Another instructive indicator: 34% of all effective permissions monitored by Veza allow data to be deleted. For example, 17% of Snowflake roles can delete data, as can 30% of AWS IAM roles.

Unused permissions need to be fixed

Teams responsible for IAM (Identity and Access Management) can quickly achieve a first effective result by applying the principle of least privilege to inactive users. These account for 16.5% of all permissions granted to users on identity platforms, including Microsoft Active Directory and Azure AD. Almost all Snowflake and AWS IAM users use less than 20% of the resources they have access to, which raises the question of optimizing these digital resources.
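As an added example, not taken from the article or from Veza's product, the following Python script runs the checks the last two sections describe over a constructed, AWS-IAM-style inventory: it expands wildcard grants to find implicit delete privileges, flags identities inactive beyond a threshold, measures what share of effective permissions each identity actually uses, checks MFA on human accounts, and proposes a least-privilege action (disable or trim). The action catalog, identity names, usage data, dates and the 90-day inactivity threshold are all assumptions made for the example.

```python
"""Least-privilege audit over a constructed identity inventory.

Added example, not code from the original article or from Veza. Every
identity, policy, date and action name below is made up for illustration;
the catalog is a tiny subset of real AWS action names.
"""
from datetime import date, timedelta
from fnmatch import fnmatchcase

# Constructed action catalog (assumption: these are the only actions that exist).
CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteObject", "s3:DeleteBucket",
    "iam:CreateUser", "iam:DeleteUser",
    "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteTable",
    "ec2:RunInstances", "ec2:TerminateInstances",
]

# Actions that destroy data or resources: the "can delete" class the article counts.
DESTRUCTIVE = {a for a in CATALOG if a.split(":")[1].startswith(("Delete", "Terminate"))}

# Constructed inventory: humans and machine identities (service accounts).
# "granted" holds IAM-style action globs; "used" is what activity logs showed.
INVENTORY = [
    {"name": "alice", "type": "human", "mfa": True, "last_activity": date(2024, 5, 30),
     "granted": ["s3:GetObject", "s3:ListBucket"], "used": ["s3:GetObject"]},
    {"name": "bob", "type": "human", "mfa": False, "last_activity": date(2023, 11, 2),
     "granted": ["s3:*", "iam:DeleteUser"], "used": []},
    {"name": "svc-etl", "type": "machine", "mfa": None, "last_activity": date(2024, 6, 1),
     "granted": ["s3:GetObject", "s3:DeleteObject", "dynamodb:*"],
     "used": ["s3:GetObject", "dynamodb:GetItem"]},
    {"name": "svc-legacy", "type": "machine", "mfa": None, "last_activity": date(2023, 1, 15),
     "granted": ["*"], "used": ["s3:ListBucket"]},
]


def effective_permissions(granted):
    """Expand action globs such as "s3:*" or "*" against the catalog.

    This is what makes implicit privileges visible: a grant that never
    spells out "Delete" can still cover every destructive action.
    """
    return {a for a in CATALOG if any(fnmatchcase(a, g) for g in granted)}


def can_delete(granted):
    """True if the effective permission set includes any destructive action."""
    return bool(effective_permissions(granted) & DESTRUCTIVE)


def is_inactive(identity, today, days=90):
    """Inactive means no recorded activity for more than `days` days."""
    return today - identity["last_activity"] > timedelta(days=days)


def used_fraction(identity):
    """Share of effective permissions the identity actually exercised."""
    eff = effective_permissions(identity["granted"])
    return len(eff & set(identity["used"])) / len(eff) if eff else 0.0


def recommend(identity, today, days=90):
    """Least-privilege action: disable inactive identities outright,
    otherwise trim the grant down to the actions actually used."""
    if is_inactive(identity, today, days):
        return ("disable", [])
    keep = set(identity["used"]) & effective_permissions(identity["granted"])
    return ("trim", sorted(keep))


def audit(inventory, today, days=90):
    """Run all checks; lists keep inventory order so results are stable."""
    report = {"inactive": [], "can_delete": [], "no_mfa": [], "usage": {}}
    for ident in inventory:
        if is_inactive(ident, today, days):
            report["inactive"].append(ident["name"])
        if can_delete(ident["granted"]):
            report["can_delete"].append(ident["name"])
        # MFA only applies to humans; service accounts need other controls.
        if ident["type"] == "human" and not ident["mfa"]:
            report["no_mfa"].append(ident["name"])
        report["usage"][ident["name"]] = used_fraction(ident)
    return report


if __name__ == "__main__":
    today = date(2024, 6, 30)  # constructed "now" for the example
    result = audit(INVENTORY, today)
    for key in ("inactive", "can_delete", "no_mfa"):
        print(f"{key:10s}: {result[key]}")
    for ident in INVENTORY:
        action, keep = recommend(ident, today)
        print(f"{ident['name']:10s} uses {result['usage'][ident['name']]:.0%} "
              f"of effective permissions -> {action} {keep}")
```

Two points are worth noting: `bob` and `svc-legacy` never asked for "delete" anywhere, yet both land in the can_delete list because their wildcard grants expand to it, and the service accounts, which the article says outnumber humans many times over, are deliberately exempt from the MFA check rather than silently counted as compliant.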

Finally, multi-factor authentication (MFA) adoption still has room for improvement, even though it is widely used today: among the millions of identities tracked by Veza, 13% of users still have not activated MFA.
