Even the best security solutions (monitoring through the most advanced technology available) are hard-pressed to cover an attack surface afflicted by identity sprawl. Identity sprawl, the proliferation of multiple distinct identities used to access online services, can quick worsen into a widescale issue.
In this blog, we will learn to recognize the symptoms of encroaching identity sprawl, how to mitigate and overcome it, and how you prevent it from ever emerging again at your organization.
Recognizing Emergent Identity Sprawl
Whether your enterprise is actively suffering from identity sprawl or just starting to become aware, the symptoms remain a constant. Randall Fields, Simeio Vice President, has a simple rule of thumb for determining if identity sprawl has taken hold. “Sprawl occurs when the number of identities outnumbers the actual physical people that work at an enterprise by a factor of 1.5 or more. Monitoring this ratio month over month is a vital KPI for your IAM governance program.” Given the sheer number of applications used by many employees daily, the multiple sources of truth within an organization, and lack of a single identity mandate, this threshold is easily crossed.
The most common threat presented by identity sprawl is insufficient controls across a large attack surface. Lack of scalability within the organization is the usual culprit. These sprawling identities cost customers time, companies revenue, and erode security. Hacking methods, including credential stuffing and phishing, can become woefully exacerbated by identity sprawl as many users reuse usernames and passwords across multiple services. If one identity is compromised, others may soon follow.
The rise of cloud computing and wide scale work from home policies introduce further complexities to the problem of identity sprawl. Employees and even whole departments often choose to download apps of their own choosing to perform their tasks without notifying IT. This can and does create substantial gaps in governance. It also opens the door to efficiency loss when trying to network with employees using different programs. On top of the already bloated identities within the poorly governed enterprise, the exacerbation of these private identities for company work results in a motley identity fabric.
Fighting Identity Sprawl
Once you recognize the symptoms within your organization and have the motivation to combat it, you must commit to the fight against identity sprawl. Your employee culture must incorporate good identity hygiene if you are to combat sprawl. This means educating users on proper identity etiquette. Teach them to be mindful of how many identities they create and how best to manage them. Beyond identity sprawl, this practice can boost other areas of your cybersecurity posture as part of your larger Identity Threat Detection & Response (ITAR) initiative.
You can also bring on appropriate tools to help scale your enterprise and halt identity sprawl. A good IGA managed services solution should be at the top of your list, as it provides you with a scalable program providing control across your whole identity fabric. Similarly, real-time monitoring of employee activity provides an immediate view on potential policy violations. These can be tagged for remediation by automatic detection programs. Likewise, SSO counters sprawl by consolidating identities into a single username. Besides cutting down on identities, SSO can also provision a library of IT-approved applications. This limits the need for private application downloads.
Also, pay heed to the rise of machine identity sprawl. Ultimately, though machine identities are a new frontier, they have the same impact and costs as other identities. A good ITAM process or CMDB tool can go a long way. These programs restrain unchecked machine identity growth without hampering their effectiveness. However, if your enterprise does not have good asset management systems in place, machine identities can be difficult to control.
Preventing Relapse Through Futureproofing
The good news is that, if you have successfully implemented the tools and changes above, you have the means to prevent future sprawl at your fingertips. Employee awareness, strong IGA, and good machine identity management are the building blocks of good identity governance. However, you must guard against your old enemy: complacency.
You need to stay vigilant against new applications or services bloating your users’ identities once again. Make sure you stay on top of integrating applications into your SSO solution. Better yet, have plug-ins built that makes them part of your systems. A managed identity service can help you keep track of your identities and their integration. Depending on the service selected, you can also monitor and streamline application and plug-in onboarding. For example, the Simeio identity orchestrator provides end-to-end service of precisely this sort.
Above all else, make sure that scalable governance is at the heart of your identity fabric. Without proper control you leave your enterprise open to inefficiency at best and vulnerability at worst. But with a strong governance solution, backed up by a robust policy, you’ll finally be able to rest easy, knowing that you’ve stopped the sprawl.
