Cloud Hosting

What happens when employees have access to data, apps or services that they shouldnt? Best case scenario: they might know the salaries of all their colleagues and company execs. Worst case scenario: malicious actors exploit that access and extract sensitive business data, causing millions of dollars in damage and irreparable harm to brand reputation.

In past blogs, I wrote how security starts with protecting users and that by verifying the user we greatly reduce the attack surface from all humans to just those you actually trust (aka your employees). I also wrote that we want to make sure every device is being used in a secure manner. In other words, by validating every device, we reduce the attack surface even more by limiting the devices that gain access from billions of computers, phones, or tablets to just the select few in the users possession.

Verifying users and validating devices represent steps one and two on the road to Zero Trust. But while this combination drastically improves security posture, more layers are necessary to guarantee risks of fraudulent access are no more. Just because a person is who they say they are and are using a trusted device doesnt mean that they should have broad access rights beyond what they need to do their job. Whether by accident or malicious intent, insiders can still misuse their access or share access with people whom they shouldnt.

To stop this from happening, you need to vastly reduce the risk associated with the access rights each user has. We do this by limiting user access (even to verified users and validated devices) to only those apps and resources that they need to do their job, and to only when they specifically need to do it. This is step number three that completes the trinity of a Zero Trust security approach: Verify every user, validate their devices, and intelligently limit their access.

Companies typically grant access to necessary apps and resources as they onboard employees. When an employee moves on, either up the ranks or out the door, we tend to forget about those original grants. Were all guilty of this. For example, Im now head of marketing at Idaptive, so I shouldnt have access to our product source code the same way I did back when I was a product manager. The accumulation of access to data, apps, and services creates serious risks. Instead, we must tailor that access to just what a person needs for the job they perform today and automatically remove that access when they leave.

Thats easier said than done for IT teams (and sometimes HR) who historically had to manually provision and deprovision users or at least manually write the rules for role-based access control programs. Someone had to tell IT that an employees role had changed, and then IT would have to figure out how that relates to the access that they should or shouldnt have. We often refer to this process as lifecycle management, and provisioning is just one piece of this mammoth responsibility that enterprise teams are tasked with managing.

The role of lifecycle management in the Zero Trust model is critically important because it determines who has which rights on which systems and applications. You can ensure that a user only has access to what he needs to do his job, create reliable reports, and audit those rights at any given time.

IT staff knows that accounts are difficult to manage because:

Some form of automation and automatic deprovisioning is required. Combining self-service, workflow, and provisioning automation can ensure that users only receive the access they need, help them be productive quickly, and automatically remove their access as their roles change or when they leave the company.

Even if you dont have hands-on experience with lifecycle management, its not hard to see how this spreadsheet-style or swivel chair provisioning access can snowball into something both time-consuming and error-prone leading to an accumulation of access over time. And when employees have access to things they shouldnt, attackers know that a simple phishing attempt is all it takes to gain insider access and wreak havoc on business systems.

If youre saying right now there has to be a secure, more efficient and maybe even automated way to do this, youd be right. The answer lies within a Zero Trust approach powered by Next-Gen Access identity technology.

With Provisioning and Lifecycle Management you can enable users to request access to applications from the app catalog of pre-integrated applications, provide specific users the ability to approve or reject these access requests, and automatically create, update, and deactivate accounts based on roles in your user directory. Provisioning enables users to be productive on day one with the appropriate access, authorization, and client configuration across their devices.

Lifecycle Management should also seamlessly import identities from your preferred HR system or application, including Workday, UltiPro, BambooHR, or SuccessFactors, and provision them (typically) to Active Directory. This enables you to unify your provisioning and HR workflows and have an HR-driven primary system of record for user data across all your applications.

By way of example, with Active Directory (AD) synchronization for Microsoft Office 365, you can keep your AD accounts and Office 365 accounts in sync and automatically provision and deprovision user accounts, groups, and group memberships to simplify Office 365 license management.

Lifecycle Management not only can save IT teams a great deal of time and frustration, but it can ultimately save companies from crippling data breaches. Such is the power of intelligently limiting access as part of a Zero Trust framework.

Continue reading here:
Should I Stay or Should I Go? Artificial Intelligence (And The Clash) has the Answer to Your Employee Access Dilemma. - Security Boulevard