By Rita Gurevich

Rita Gurevich

Today’s organizations are inundated with a relentless stream of alerts from up to 76 different security tools in their arsenal, an increase of 18% from 2019 to 2021. Although advancements in tooling are necessary to combat shifting attack methods, the industry needs to approach the rising increase in data breaches in a fresh, strategic way.

Privilege misuse remained a top cause of financially motivated security incidents in 2021, with the majority of incidents resulting in data compromise, according to Verizon’s annual Data Breach Investigations Report (DBIR). The task at hand is clear — organizations need to look beyond tooling toward a complete shift in the way they approach identity and access management (IAM). More importantly, how they approach identity hygiene.

Put simply, identity hygiene consists of the activities organizations and individuals perform regularly to maintain the security of their data, infrastructure and applications. The goal of true identity hygiene is to ensure that the right people have access to the right information at all times, so an organization’s crown jewels are protected. Below, I will discuss a few challenges and common mistakes that hamper identity hygiene, along with practical steps IT and security leaders can take to ensure their identity hygiene programs are successful.

Stumbling Blocks on the Road to Identity Hygiene Success

As an IT practitioner and leader, you invest mounds of time and resources to solve complex issues derived from managing access across on-premises and cloud environments. That’s a pretty big burden to carry, and it’s understandable that in the rapid shift to the cloud, your teams are trying to keep their heads above the water.

One of the most challenging identity roadblocks in the industry is data correlation. This aspect of identity hygiene involves examining a company’s security policy, reviewing the target operating model (aka, the desired state of operation) and defining the discovery phase. Once all these pieces are in place, the data correlation process answers the question of “Who has access to what, why, and when at all times?” across the enterprise.

Another tripping point organizations are facing is the inability to take the IAM program to the finish line, or in other words, incomplete implementation. When there is incomplete implementation, it’s usually because IT teams lack a well-defined blueprint for guiding the entire life cycle program day by day, including priorities, sequences, budgets and staffing. Incomplete implementation can also mean a disorganized, or absent, “responsibility matrix.” In simpler terms, your enterprise may lack a clearly defined desired state of operation. To go even further, many enterprises are missing a proper transition from implementation to support. This creates a huge vulnerability among relevant IAM controls. It’s one thing to launch a program and another thing entirely to continue supporting it. Having a healthy system of transition is also key to ensuring consistency in program operations, regardless of who is managing it. Full documentation of a program’s blueprint lays the foundation for continued quality and success amid personnel changes.

Build Identity Hygiene Program Block by Block

It’s not easy to manage IT infrastructure, and cleaning up permissions and entitlements can be tedious. But there are building blocks you can begin setting in place that will lead to sustainable, transformational identity hygiene across the business. Let’s start with a high-level overview of what an effective IAM program should involve — the design, the build and the implementation.

The design stage is where the tech architecture blueprint is mapped out. As mentioned above, this is where key IT and security leadership come together to lay out all priorities, sequences, available budgets, and staff breakdowns. When there is an overarching plan to always fall back on, teams can spend their time and energy on their business, rather than investing valuable resources on baseline security. The build stage is where you will implement the data sources required to build the landscape of controls needed to initiate identity hygiene. The implementation stage is where the program will pick up speed, consisting of the review, reporting and remediation of potential issues identified during the previous stages. IT infrastructure teams should also be cognizant to monitor and mitigate risks continuously. Setting key performance indicators (KPIs) that are uniform across multiple teams should be in parallel with the long-term blueprint in the design stage. As you can see, these stages are a cycle of moving parts, dependent on each other for a successful program rollout.

Additional steps within the implementation stage that are very relevant to success involve defining what the crown jewels of your organization are, especially if you work in highly regulated industries with sensitive financial or health data. Defining the pillars that make up your IAM program is critical so that the entire initiative is well-divided. These pillars include identity management, access management, and privileged access management.

Reaching Identity Hygiene Maturity

Although these building blocks provide a way to break down your identity hygiene action plan, you must keep in mind that …

… IAM programs are on-going, multiphase, multiyear initiatives. Achieving a maturity level takes time and resources, and is an ongoing process of pivoting to address changes in the threat landscape as well as the expanding number of attack surfaces. A mature identity hygiene program needs strong communication channels with an organization’s most valuable assets: its people. Some organizations tend to believe that IAM challenges can be resolved solely by tooling, but this is far from the truth. Your people must be in the loop at all times, with ongoing training sessions to guarantee the success of the implemented tools.

One example of an organization that was able to successfully spearhead identity hygiene was a global investment bank our team worked with recently. With over 50,000 employees and more than 100 locations in 40 countries, the environment they managed was immense. They had over a billion permissions and over 500 servers, including billions of folders and files both on-prem and in the cloud. Talk about a large attack surface! By walking through the stages of design, build and implementation, they discovered that with the incumbent processes in play, they were only covering about 10% of the entire environment, and were able to successfully implement missing data and control gaps.

Regardless of how large your organization is or how complex your web of identities may be right now, there is always a pathway toward reduced risk and ongoing access control management.

IAM is the core of an information security program, but the narrative in the cybersecurity industry is frequently focused on attacks coming in rather than the inadequate defenses that allow for the attacks to wreak havoc. Cybersecurity, after all, is really a data management issue. It’s time organizations say goodbye to open and inappropriate access and adopt holistic identity hygiene to improve the quality of their data and reduce the risk of debilitating ransomware attacks.

Rita Gurevich is the CEO and founder of Sphere, which offers end-to-end access management. She leads the strategic growth and vision for the organization that provides critical governance, security and compliance solutions centered around access control. Gurevich began her career at Lehman Brothers and helped oversee the distribution of technology assets after their bankruptcy in 2008, giving her understanding in analyzing identities, data platforms, and overall application and system landscape distributed across all the buying entities. You may follow her on LinkedIn or @SPHERETechSol on Twitter.