Account creation is no longer as simple as entering a username and password. At least, in the modern enterprise, where a login often means unlocking access to applications, system and networks. IT leaders face the challenge of balancing accessibility with the protection of the valuable data held within. And at a time when the average organization’s employees are using 1,000+ separate apps.
That’s a lot of user profile details, associated privileges, integrations with necessary directories, third-party applications and real-time data sources. Ensuring that entry points to corporate systems are auditable and visible, especially when accessing sensitive and confidential data, adds to the challenge.
Identities have changed
Problems starts appearing when the process has to be repeated every time a user needs access to a new service, product or folder. The term ‘user’ includes not only employees, but also verified entities such as applications, devices and IoT. Plus contractors, partners and other third parties who aren’t part of an organization but need access.
This balance of accessibility and security isn’t something that the traditional approach, with network admins taking care of usernames and passwords, was designed for. Here’s where the process goes beyond simple account creation, and toward identity creation. Multiple identities require more control for administrators, and lead to less visibility when it comes to audits and meeting governance standards.
There are also the increased financial overheads, from requiring data to be stored to meet regulatory requirements, or simply protecting and securing the sprawling number of accounts and repositories. Some identities may be located in the cloud, while others are on-premises. Without a unified method of gathering identity data, including attributes and roles, there’s impact on authentication and authorization policies too.
This fragmentation is a form of identity sprawl. And it’s affecting organizations in a number of ways.
What is identity sprawl?
Most definitions of ‘sprawl’ will include references to developing irregularly or carelessly, and without restraint. In the enterprise, any carelessness or irregularities with identities usually has serious consequences.
Sometimes it’s necessary for an employee to have multiple identities, to access specific resources held in different environments. The risks come when those identities aren’t orchestrated and controlled. They start to sprawl.
For IT leaders, manually managing identities at scale can soon become impossible. Errors can creep in when manually updating controls and privileges. Meanwhile, ever-growing diversity and complexity limits visibility, and leads to silos.
When identity data sprawls, it becomes duplicated at best, and a threat vector at worst. That’s why it’s no longer practical to address the symptoms or remediate the results of identity sprawl. Instead, it’s about tackling the causes.
What causes identity sprawl in enterprises?
Every time an identity tries to gain access, organizations are tasked with:
- Verifying the identity by using strong authentication methods
- Making sure resulting access meets relevant compliance and governance standards
- Applying the Principle of Least Privilege to implement data control
Organizations must be able to adapt to match the increased volume of identities, while ensuring the necessary levels of security. Naturally, this form of scaling and securing presents plenty of challenges, such as when a service can’t synchronize with a central directory. This leaves the user no choice but to create multiple identities: a structural issue that can’t be solved by patching or upgrading.
Further structural issues include:
Lack of interoperability
When systems and directories are siloed, users have to create multiple identities to gain access. There may be different formats and standards used for storing identity data, spanning cloud-based to legacy systems. Organizations may resort to using unsecure APIs or connectors that require human input to maintain and manage.
Remote working meets SaaS
Even before the pandemic, workers were shifting to remote working, outside of the traditional office-based security perimeter with its firewalls and clear entry and exit points. Hybrid – in the form of cloud and the way of working – was becoming the norm.
This distributed approach means incorporating SaaS for instant messaging, live video calling and videoconferencing software, and various third-party collaborative tools. For users, this means multiple identities, logins and passwords to manage. For administrators facing this sprawl, there are various permissions, access controls and security considerations to factor in. Plus, increased time spent on provisioning and deprovisioning resources and integrations.
Mergers and acquisitions
Identity sprawl also occurs within companies who are scaling and become involved in mergers and acquisitions. There can be legacy systems to incorporate, and infrastructure deployed across different geographies. There may be distributed networking and architectures, such as a cloud-native SASE alongside an on-premises SIEM.
For those responsible for maintaining identity and access management, identity sprawl means multiple risks.
What are some of the main risks around identity sprawl?
When every identity is an attack vector, organizations are left vulnerable to:
Password-based security breaches
The larger the scale of information to be protected, the greater the attack surface. At the same time, users are expected to apply certain levels of security for every new account, such as selecting unique passwords. However, for a typical user with 22 accounts, up to 16 passwords are reused. This form of password fatigue leaves organizations more vulnerable to credential stuffing attacks, when one compromised identity can give attackers access to multiple resources.
Lack of visibility for effective governance
The more identities that exist, the more difficult it is to ensure the correct access policies are assigned. Inconsistent data makes it more likely that incorrect access permissions and privileges are granted. Corporate assets can be orphaned, without account owners to make sure Intellectual Property and other valuable data is governed correctly.
Restricted ability to demonstrate compliance
Organizations must ensure accurate reports and logs of user activities. But if identities aren’t known, they can’t be monitored, managed or secured. This poses risks for organizations required to show compliance with data protection regulations such as GDPR, or industry-specific Acts such as HIPAA and rules around ‘impermissible uses or disclosures’ of personal data.
What are some best practices for securing and managing identity data?
Identities must first be controlled at a global level, with real-time monitoring of access requests, behaviors and potential anomalies. This allows IAM leaders to:
Centralize and synchronize identities
Consolidation should be the goal for organizations facing identity sprawl, to manage the discrepancies that need to be reconciled to understand how different identities are interacting.
Of course, this relies on knowing what systems you’ve got. That’s not easy, with the long-recognized risks of Shadow IT now joined by shadow AI, which Forrester expects to "spawn as organizations struggling to manage regulatory, privacy, and security issues won’t be able to keep up with widespread bring-your-own-AI (BYOAI)."
Automate offboarding of users at scale
Offboarding users is often when vulnerabilities appear. Identities will have privileges or rights to sensitive areas of the business. Devices can be wiped remotely but may need to retain data for compliance reasons.
Synchronize with a centralized IAM service such as Microsoft Entra, and administrators can automatically receive alerts when a removed identity means an orphaned resource, such as a SharePoint site with an owner that has exited the company.
Deploy single sign-on and harden the overall posture
SSO means that users don’t have to repeatedly share identity data and enter credentials when logging into apps and services. Instead, they access what’s needed using one identity, and one login. To harden security further, deploy another layer ranging from multi-factor authentication, passwordless authentication or physical security keys.
Implement role-based forms of access control
It’s one thing to provide SSO, MFA and centralized access to applications. However, this needs governance with fine-grained access controls, to minimize the risks from privilege escalation attacks, a primary attack vector for enterprises. This also allows for more integrated, unified and granular records and logs.
To deliver this at scale, there needs to be integrations and automations to support role-based access control. These should include when to modify, limit and terminate access. Plus, real-time monitoring of certifications, to ensure users are still permitted to access the data they need.
Heighten employee awareness and knowledge
Employees, and their identities, represent the new perimeter for information security. At the same time, they’re decentralized in a physical sense, working in distributed sites and with their own devices. These two areas are where education should start. There needs to be regular training on how to connect securely, best practices for confirming identity, alongside access and expiry policies for using devices to authorize and authenticate.
Gain executive buy-in to change internal behaviors
This needs discussions with decision-makers about the business impact of reducing identity sprawl. Going beyond the technological impact of multiple policies, and talking about the risks.
Senior buy-in also helps smooth any problem areas that come when teams want to manage their own identities, because they feel they’re potentially giving up control. It may take someone with the necessary levels of influence to take charge and bring different areas together and adopt a continuous improvement approach.
Creating an identity-first approach to security
Organizations that can consolidate identities and reduce sprawl will take their security beyond traditional controls, and toward what Gartner describes as an "identity fabric." Where practices evolve to bring greater hygiene, hardening, and resilience, while improving overall threat detection and response. This strategic shift involves balancing backend priorities with user experience needs.
For more insights into how to make the right call for your business, tackle fragmented user accounts and access points, and put the right IAM foundations in place, check out this webinar: Identity Sprawl: The New Scourge of IAM.
