
Identity Life Cycle Management Evolved

Streamline and Secure your Identity Life Cycle Management with AI and Intelligent Automation

(Cover figure: JML event labels "Change Job", "New Employee", "Request Permission")

Introduction

Organizations run on their applications. Every day, we use Microsoft, Google, Salesforce, AWS, and a long list of products and services for collaboration and productivity.

The typical organization with over 1,000 employees uses over 288 apps, each with its own permission model that must be navigated. Managing this diverse set of permissions can consume significant amounts of valuable time and resources, all of which could be spent more productively on other tasks for the business.

Striking a balance between security and productivity is difficult, especially at scale, where IT and Security teams struggle to keep up with the influx of permissions requests. A survey of companies found that it takes an average of 13 days for new employees to receive access to their applications.

The good news is that more organizations are starting to leverage automation and Machine Learning to make data-driven Identity Governance and Administration decisions faster and more efficiently.

To understand how technology is impacting the process, it is helpful to explore why this process is such a challenge for many organizations.

43% of IT teams mention that manual permissions processes will be a challenge for them in 2020

56% of IT executives still rely on internal tools and manual spreadsheets to manage SaaS applications

In this paper we'll discuss:

Challenges to Identity and Authorization Management

Applying the Principle of Right Privilege to the JML Lifecycle

Modernizing the Identity Governance and Administration Process

Authomize — The Intelligent Prescriptive Analytics Engine


Challenges to Identity and Authorization Management

As work has shifted from a place that you go to something that you can do from anywhere, legacy approaches to access and security have shifted significantly. It is no longer enough to be inside your firewall. Your applications have to be accessible to you wherever you are. There are a couple of factors that are complicating how we manage access to our applications.

As more organizations undergo digital transformations from on-premises to SaaS and the rest of the XaaS alphabet soup, they are increasingly relying on access controls based on identity over legacy practices that depended on being located within the local network.

For each application that a user has, they require a new individual identity for that account. With each user's collection of identities growing exponentially (for both human and non-human identities), the task of managing them becomes increasingly difficult.

Given the dynamic nature of identities, spun up and down as needed, how are organizations thinking about addressing the challenge of managing their permissions?

At the core of the permission challenge is an ongoing tension over how much access is the right amount to grant, given the potential for risk.

There is always a tension between IT operations and Security. If you grant too much access to too many people, then you raise your risk of data breach. On the flip side, if you lock it down to an extreme degree, then work becomes unfeasible since nobody can access the applications that they need to do their job. Striking the right balance is difficult to achieve, and is costly in terms of time and resources needed to manage this process.

The task of figuring out who needs to receive permission to access which apps falls on the IT and security teams. These departments receive massive amounts of requests from various departments within the organization. They then have to go through the process of figuring out not only if the person making the request should be approved or denied, but also who needs to be consulted to sign off on it.

In some organizations, they face the challenge of “rubber stamps” wherein employees are simply granted permissions without undergoing any real confirmation that they should indeed have that access. Far too often, these decisions are based on a hunch, and not real data. This is understandably a security risk as it can lead to both privilege creep for that employee as well as permission sprawl across the organization.

When the number of permissions begins to exceed the amount required by the organization, it creates a Permission Gap that can unnecessarily raise the level of risk. This number of excessive permissions can grow over time, significantly expanding the organization's threat surface.

Permission Gap

From a management perspective, CISOs lack the visibility and control necessary to ensure that their permission policies are being enforced. This is because most of the heavy lifting of those granular permission management tasks for the end users are being handled by their enterprise’s widely distributed IT teams. Without the tools to set the policy, enforce guardrails, and attain visibility across their organization, CISOs lack the necessary control to contend with the risks associated with the distributed management of end user privileges.

The second challenge here is that not only are these rubber stamp organizations flouting the Principle of Least Privilege, but they are also likely not granting the right amount of privilege.

(Figure: Permission Gap. The plot shows permissions across all apps over time, starting from the point the identity is created: the exact permission needed versus excessive permissions; the difference between the two is the permissions gap.)

Applying the Principle of Right Privilege to the JML Lifecycle

Joiner-Mover-Leaver (JML) lifecycle events, such as onboarding, transferring to new roles or departments, adding new applications, and of course offboarding when an employee leaves the company, all require additional and specific approvals and revocations of access.

There is a tendency among a lot of organizations to simply use a "model after" approach where new employees are provided with the permissions that are granted to others in similar roles in their departments. The problem here is that no two employees are likely to really be exactly alike, so their permission profiles should not be either. Granting one the same permissions as another can easily lead to permission creep for employees, creating a situation that is all risk and very little reward.

Perhaps they are working on different projects and therefore need to use different applications, albeit with a fair amount of crossover. In some cases, an employee may find him or herself with access to the application that they requested, but in fact need a higher level of permission to do his or her job. The inverse is true as well, where the person's access should be lower than it is for a given app. Each case needs to be examined on its own merits and decisions taken accordingly. However, as we know, time is a limited resource and in larger organizations these review tasks can mount up fast.

For example, it can take an average of 45 minutes to perform an individual employee access review. And this is not a one time effort. Research shows an average of 5.5 user access changes are performed every year, so managing this process manually is hardly an ideal option.

When it comes time for an employee to leave the organization, aka offboarding, we need to make sure that they are not creating, intentionally or unintentionally, exposure for the organization.

Not leaving orphan accounts, especially those created for external individuals, is another essential checklist item for good privilege security hygiene. Because they exist outside of the HR visibility system, there is a good chance that they can fly under the radar.

While monitoring for suspicious activity like downloading documents is probably already on the checklist, it is also important to ensure that they are not sharing access to work-related assets with their personal accounts. Keeping track of who has access to what, again at scale, is Sisyphean at best, while failing to do so can be seriously detrimental at worst.

Thankfully, we are starting to see the increased adoption of machine learning and Automation technologies in the industry, providing these overworked teams a powerful tool to manage their workload more effectively.

$104 is the total cost of ownership (TCO) per support ticket

5.5 user access changes per year

Modernizing the Identity Governance and Administration Process

(Figure: recommendation template: "We suggest... which will... because...")

Given the scale of approvals that need to be reviewed at every stage of the Identity Lifecycle, organizations have an imperative to seek out ways to automate and manage their identities and permissions more efficiently.

By harnessing the power of machine learning, organizations are able to learn more about which types of employees should have which types of permissions. This in turn allows them to prescribe which kinds of access an employee should have, even before they make their request.

For instance, if Lisa joins the Marketing team, then an ML algorithm should be able to suggest which types of permissions people in her department with her type of role should have. We can assume that most of these applications will not require additional approvals because they are fairly standard, with apps like Hubspot, Gmail, and Salesforce coming to mind.

But for those cases where it might be necessary for an admin or other kind of app owner to sign off on Lisa's access, the ML algorithm can probably suggest who that approver is since they have been the one to grant the permission in the past.

"By 2022, more than 50% of Identity Governance and Administration vendors will offer predictive, anticipatory autonomous governance engines supercharged by ML and AI identity analytics for mitigating identity risk more efficiently."

By simply learning about the types of roles within Lisa’s organization and drilling down who needs and approves which kinds of permissions, her IT and Security departments can significantly reduce the amount of time and resources that would normally go into tracking everything through the process.

It is through this combination of ML with automation that Authomize has built the next generation of IGA solutions for the enterprise.


Authomize — The Intelligent Prescriptive Analytics Engine

Our solution automates permission policies by first integrating with all of the SaaS apps, infrastructures, identity management providers, and even home-grown apps. We then integrate into your ITSM solution (Jira, ServiceNow, and many more) to deliver contextual, data-based recommendations that improve your identity lifecycle process.

We do this by analyzing who in your organization requires which permissions in order to do their job effectively. This entails taking into account their roles and responsibilities; understanding which permissions correspond to their needs; how they use the apps and how it correlates to other users; the organization’s permission hierarchy; as well as the group assignment structure. We then perform this analysis cross-application, offering the best recommendations possible.

In order to keep up with the dynamic and highly distributed nature of the enterprise environment, Authomize replaces the legacy periodic audit with continuous scanning of end user privileges. By collecting a significantly wider spectrum of data, Authomize's Machine Learning engine is able to produce up-to-date, data-driven recommendations at the scale and pace that the enterprise demands.

Our algorithm then recommends not only who should be approved or denied access, but also provides recommendations to help us understand if our team members have the right amount of access.

This approach helps answer questions such as whether Lisa needs permissions to more applications than she currently has, a higher level of privileges within specific applications, and even who is the admin or app owner that can sign off on her approvals.

Permissions Request Workflow Use Cases

In many cases, our intimate comprehension of how your organization ticks can help to eliminate the need for those human-made requests and approvals, fully automating the process from end-to-end with actionable recommendations.

We can visualize this automation in practice with a couple of common JML workflow examples. Meet Ben, a developer at ACME. When Ben makes his request for access to the GCP dev Bucket, Authomize is able to identify that he is a member of the dev team and should be added to the Dev group that has access. Since he meets the necessary requirements, this is an easy call that can be resolved with an automated approval recommendation.

In another instance, if Ben has changed roles within the organization, then his request might call for some additional scrutiny. Here Authomize is able to identify that this is the case and to save Ben's IT team the time that would otherwise be spent tracking down the multiple stakeholders who have to sign off on his approval.

This allows teams to direct more of their focus to those requests that truly require that extra human handling for more sensitive approvals. There are many other instances throughout the JML lifecycle that are ripe for automation and time savings, including recertification as a prime example.

We believe that your time is better spent on tasks other than manually tracking down or waiting on approval requests.

(Figure: Fully Automated Permission Request and Approval. Ben MacDougal, 2:10pm: "I need access to GCP dev Bucket". Jira/ServiceNow [ITSM], 2:10pm: "We recommend to grant Ben access by adding him to the Dev group, due to him being a member of Kelle's team".)

(Figure: Multiple Stakeholders Approval Required. Ben MacDougal, 2:10pm: "I need access to GCP dev Bucket". Approvers: Jack, application owner; Kelle, direct manager. Jira/ServiceNow [ITSM], 2:10pm: "We recommend to approve this access request with Jack and Kelle because he's not part of any team that should have access to this resource".)
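The two workflow cases above (auto-approve via group membership, or route to the application owner and direct manager) can be expressed as a small decision routine. This is an added example, not Authomize's code; the data model, the `role_changed_recently` flag and the sample identities and resource are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Identity:
    name: str
    team: str                            # team the requester currently belongs to
    manager: str                         # direct manager, a stakeholder for escalations
    role_changed_recently: bool = False  # mover event that calls for extra scrutiny

@dataclass
class Resource:
    name: str
    app_owner: str                       # application owner, a stakeholder for escalations
    # group that carries the access -> teams whose members belong in that group
    access_groups: Dict[str, Set[str]] = field(default_factory=dict)

@dataclass
class Recommendation:
    action: str                          # "auto_approve" or "route_to_stakeholders"
    group: Optional[str]                 # group to add the requester to, if auto-approved
    approvers: List[str]                 # stakeholders who must sign off, if escalated
    reason: str                          # text an ITSM integration would post on the ticket

def recommend(identity: Identity, resource: Resource) -> Recommendation:
    """Decide how an access request for `resource` by `identity` should be handled."""
    # Case 1: the requester's team maps to a group that already carries the access
    # and no role change is pending, so team membership justifies the grant.
    if not identity.role_changed_recently:
        for group, teams in resource.access_groups.items():
            if identity.team in teams:
                return Recommendation(
                    "auto_approve", group, [],
                    f"Grant {identity.name} access by adding to {group}, "
                    f"because they are a member of the {identity.team} team")
    # Case 2: no entitled team, or a mover event: collect the stakeholders
    # (application owner, then direct manager) so IT need not track them down.
    approvers: List[str] = []
    for person in (resource.app_owner, identity.manager):
        if person not in approvers:
            approvers.append(person)
    why = ("their role changed recently" if identity.role_changed_recently
           else "they are not part of any team that should have access to this resource")
    return Recommendation("route_to_stakeholders", None, approvers,
                          f"Approve with {' and '.join(approvers)} because {why}")

# Constructed sample data mirroring the page's scenario (names and structure are assumed)
BUCKET = Resource("GCP dev Bucket", app_owner="Jack", access_groups={"Dev group": {"dev"}})
BEN = Identity("Ben", team="dev", manager="Kelle")
BEN_MOVED = Identity("Ben", team="dev", manager="Kelle", role_changed_recently=True)
LISA = Identity("Lisa", team="marketing", manager="Kelle")
```

Calling `recommend(BEN, BUCKET)` yields an auto-approve via "Dev group", while `BEN_MOVED` and `LISA` are routed to Jack and Kelle with the reason recorded on the ticket.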


Onboarding

Authomize streamlines the process of bringing on a new employee, dramatically reducing the amount of definitions and preparations required for getting them up and running on their first day. We take a different tack from the "model after" method. Taking a more nuanced and exacting approach, Authomize looks at the permissions that other team members receive, but pulls data about that employee's specific role and cross application entitlements to create recommendations for their personalized permissions.

(Figure: onboarding recommendation grid showing, per app, the App owner's and the Marketing role's entitlements at levels such as Viewer, Editor, Member and Admin.)

Offboarding

Any and all access points that they may have with the organization need to be severed. Beyond deleting their account, it is necessary to revoke access to their identities that may exist through APIs, certifications, or other methods.

However, by constantly monitoring all of an employee’s permissions throughout their time at the organization, Authomize automatically maps out the employee’s access points. So when it comes time to revoke access when a person leaves the organization, the IT team has a ready checklist to work with.

(Figure: offboarding map of the departing employee's access points across apps, each at a level such as Viewer, Editor, Member or Admin, including the App owner role.)

Offboarding:

• Instantly revoke permissions across all apps and systems

• Monitor separating employee activities and identify risky actions in the past 30 days (e.g. file sharing)

• Pinpoint and revoke API-based identities, key token applications and more...

• Detect orphaned accounts and transfer ownership to secure accounts

Onboarding:

• Fully automate the onboarding process for new employees

• Avoid granting excessive permissions from day one

• Grant accurate permissions rather than using the "model after" technique

Recertification

Recertification is a regulatory necessity that consumes way more time than it needs to when it rolls around. Going through the process of confirming that team members have the permissions that fit their role (no more, no less) eats up IT resources as they run through their list, checking certs and marking off boxes.

Authomize helps to shorten and simplify this process because we are continuously verifying certifications. We can then recommend who the stakeholders are that need to sign off on permissions and provide them with a full picture of relevant data to help drive their decision making, helping IT & Security teams to reach the finish line faster.

For IT and Security teams, more automation translates into less time spent processing and more time to tackle the productive tasks that better serve the organization. No more trusting your hunches and hoping for the best.

(Figure: recertification screens: setting up certification campaigns; monitoring and managing each certification campaign; reviewer's status for approving permissions; certification campaign for files accessed by external identities.)

About Authomize

Authomize enables organizations to manage and secure complex and vastly different applications across hybrid environments. Our intelligent Prescriptive Analytics engine helps IT and Security teams flawlessly automate operations around authorizations to prevent permission sprawl, maximize productivity, and simplify identity lifecycle management.

© 2020 Authomize. All rights reserved.