Beyond the workforce: Protecting your organization's expanding identity landscape
Discover how to effectively manage and secure your organization's expanding identity landscape.
Identity security is forcing its way to the top of the CISO priority list as 9 in 10 companies experienced an identity-related security incident in the last year. SaaS sprawl and correlating identity sprawl are the popular bogeymen. With the typical enterprise organization now using more than 200 different SaaS applications (on top of other on-premise systems and tools), managing hundreds or thousands of users across hundreds of apps has become a seemingly insurmountable challenge.
But here’s the added wrinkle that doesn’t get as much attention: Security and access management teams aren’t just managing human identities. They’re increasingly juggling multiple types of identity — including non-human identities (NHIs), which research shows outnumber human identities 20-to-1 (with some estimates as high as 92:1).
Moreover, today, they typically rely on point products to manage different identity types across different account types, leaving them to patch the gaps across siloed visibility — and increasing risk in those blind spots.
The four types of internal enterprise identity — and their unique challenges
1. Employee identities
The push for SaaS-enabled productivity and collaboration has driven serious sprawl in employee identities. A survey from 2021 showed that the majority of enterprise users had more than 25 unique user identities (for different apps, systems and tools).
Key challenges managing employee access
Onboarding/offboarding: Organizations race to give new employees access privileges so they can be productive as quickly as possible. However, while role-based access control (RBAC) may be the most efficient approach to access provisioning, security teams need to monitor and manage group permissions to avoid over-privileged access. They also need to include access de-provisioning as an essential part of offboarding protocols to avoid “orphaned” accounts that can leave open doors into the IT estate.
Enforcing least-privilege principles: Most sizable organizations require managers to perform a periodic access certification process to ensure appropriate permissions for their team members. However, current identity and access management technologies don’t provide sufficient visibility into employee access context and utilization. So, this “certification” process has become a check-the-box or rubber-stamp process. One outcome: Microsoft reports that, across the three leading cloud providers (AWS, GCP, Azure), only 1% of all permissions granted are actually being used. Security teams need the ability to comprehensively monitor and evaluate account and permission utilization — across the entire IT estate — to enable a data-driven approach to identifying dormant or unused permissions and enforcing least-privilege principles.
Identifying insider threats: Some of the biggest breaches stem from employees misusing or abusing their legitimate access permissions — intentionally or accidentally. More specifically, organizations are concerned about potential data exfiltration in the period before an employee leaves the company, such as customer lists or other proprietary data. Security teams need fine-grained visibility that gets down to the activity level, so they can identify abnormal user activities and respond before a mistake (or a malicious act) gets out of control.
2. Third-party identities
Organizations increasingly collaborate and rely on partners, vendors, consultants and other third parties. Modern productivity and business applications have made it dramatically easier for these organizations to share (often sensitive or confidential) information. A 2023 report estimated that 1 in 3 security breaches come from third-party identities, and Gartner says 9 in 10 organizations have experienced a breach via a third party in the past five years.
Key challenges managing third-party identities
Compliance and auditing: Compliance with regulations like SOX, GDPR and HIPAA typically demand regular auditing of all third-party access. But in practice, gaining this kind of comprehensive visibility requires an app-by-app audit that takes an enormous amount of time and increases the likelihood of mistakes and oversights.
Enforcing MFA: Today’s technology makes it much more challenging to control external users’ security hygiene. That’s why requiring multi-factor authentication for all users should be a foundational part of every security strategy. But this still leaves the challenge of monitoring for gaps in MFA coverage — and ensuring third-party users have MFA turned on, especially for non-SSO application accounts.
Who has access to what: Productivity and collaboration apps are built to make it fast and easy to share files and assets with other users, including third-party users, keep work moving forward. But it is far from fast or easy for security teams to look at a given file or asset and determine which users have authorized access. Moreover, because most organizations now use several of these productivity and collaboration apps, security teams typically cannot look at a specific third-party user and determine all of the assets they have access to across this ecosystem of SaaS apps.
Offboarding: As with internal users, orphaned or dormant accounts are a common problem. In fact, we’ve seen organizations deploying Oleria discover dormant accounts from vendors they stopped working with years ago. The third-party offboarding challenge goes back to that visibility problem. If security teams can’t see the extent of third-party access, it’s hard to completely and efficiently revoke that access.
3. Non-human identities
The top question we heard in the Oleria booth at Black Hat USA this year: “What about non-human identities?” Non-human identities (NHIs) — which include service accounts, endpoints, workloads, and bot — now outnumber human identities by as much as 50 to 1 in many organizations, and 1 in 3 companies plan to invest in specialized NHI point products in the next 12 months. They’re critical to enabling integrations and automations within the SaaS environment, as well as increasingly popular AI solutions.
Key challenges in securing and managing non-human identities
Credential management: NHIs, such as service accounts, often require static credentials like API keys or certificates. These can be hard to rotate or secure, increasing the risk of credential compromise. In fact, 4 in 5 organizations do not have formal processes for offboarding and revoking API keys. Even fewer have procedures for rotating them.
Risk monitoring & anomaly detection: The automated processes executed by NHIs often run 24/7. Conventional risk monitoring solutions aren’t able to keep up or detect anomalies (like a bot performing unexpected actions) in real time. This can allow problematic activities to go undetected and uncorrected for hours or days.
NHI not covered by legacy tech: NHIs typically exist outside the purview of conventional IAM solutions and other legacy security tech that were built for humans, not robots. Security teams struggle to keep track of the unique needs and permissions of NHIs, particularly as the sheer numbers of NHIs overwhelm them.
4. IoT identities
We’ve likely all heard stats about the number of IoT devices doubling by 2030. These IoT identities typically exist even further outside the scope of traditional identity security technologies, and we’re seeing growing recognition of the risk these connected devices present. This is why we’re also seeing the emergence of new, specialized IoT IAM solutions that add yet another layer to the fragmented identity tech stack in most organizations.
Key challenges with IoT identities
Device onboarding: IoT devices often have limited processing power, limiting the ability to implement stronger authentication methods. This makes strong identity management even more critical, as unsecured, compromised or rogue IoT devices can become entry points for cyberattacks.
Device lifecycle management: Managing updates and security patches is crucial to protecting the connection points between IoT devices and your IT estate. This task is made much more challenging when IT teams do not have reliable visibility into where all of those devices are (and how they connect to the network).
Real-time risk monitoring: Like NHIs, IoT devices are an “always-on” risk factor. This means a small anomaly can go undetected and quickly mushroom into a much bigger risk. Security teams need to be able to not only see all IoT identities, but also monitor IoT identity activity to see signs of risk and respond in real time.
Fragmented identity security and management tools create blind spots
Each of these identity types presents its own challenges, and are sometimes managed by separate teams, so it's no surprise that the market has exploded with point products and hyper-specialized tech focused on one identity or another. Workforce identities may be managed through HR systems, while IoT devices might rely on network management tools, and non-human identities are often tied to DevOps or automation platforms.
This fragmented identity visibility creates several problems for security teams:
- Swivel-chair identity management: This fragmentation makes it difficult for security teams to get a comprehensive view of all identities and their activities. They’re left with the time-intensive burden of jumping between several IAM, IGA, ITDR, ISPM and other point identity and access solutions, and the cumbersome process of managing hundreds or thousands of identities as they evolve in real time. These manual workflows increase the risk of oversights and over-privileged access.
- Lack of context: Siloed access management solutions and identity security point products also don’t go deep enough. Security teams often lack the contextual information to assess whether activity is appropriate or risky. For example, seeing that an API key was used by a non-human identity doesn’t immediately reveal whether the access was legitimate without deeper context, such as what the key is supposed to be doing.
- Tracking incidents across identities: More broadly, the challenge is that identity security risk never lives in a silo — these identities are all part of a hyper-connected IT estate. Attack paths are rarely limited to one type of identity. The fragmentation of identity and access management solutions and siloed identity visibility creates blind spots where risk can gain foothold and expand.
Oleria provides centralized visibility — at depth — across all identity types
We built Oleria to attack fragmented identity visibility at the root. Not just in terms of bridging the gaps between SaaS tools and other systems and platforms. We’re giving security teams a single pane of glass for unified identity management and security across all types of identities.
Streamlining onboarding/offboarding of all identities: Oleria gives security and IT teams one centralized platform for monitoring role-based access policies and group permissions. With Group Utilization, you can easily monitor to spot unused permissions and adjust those RBAC policies to rein in over-privileged access. When employees (or third-party users) stop working with the company, Oleria makes it simple to find access permissions across your IT estate and revoke them with a few clicks.
Enforcing least-privilege principles: I already mentioned how Group Utilization helps with critical visibility to help govern RBAC policies. But Account Utilization brings the same visibility and insights across all identities, including NHIs and IoT identities. Security teams can regularly audit to identify and remove dormant permissions to enforce Zero Trust and least-privilege principles.
Comprehensive risk detection: Oleria layers smart analytics on top of our integrated identity visibility, to surface anomalies and risks that span all types of identity. With Activity Analysis and Risk Monitoring, security teams can spot if a service account from a third-party vendor is showing signs of unusual activity — so they can investigate and respond proactively.
Faster incident response: When an incident does occur, Oleria lets you answer the essential questions of “Who? How? And what?” in seconds. The Access Graph gives an easy-to-understand visualization of which identities can access an asset, and how they have those permissions. But Oleria’s fine-grained visibility to the activity level means security teams can drill down to see exactly what actions an identity has taken within the time period in question, so they can not just track the extent of a breach, but understand exactly what has occurred.
Simplified compliance and auditing: In building the Trustfusion platform, we are doing the hard work of assimilating the various identity and permissions structures of your SaaS, on-premise and cloud systems and tools. This is how we deliver composite identity visibility — but that also gives security teams a central platform to help enforce consistent identity governance policies across all identity types. This simplifies compliance with rising regulatory requirements like SOX, GDPR and HIPAA. It also makes it easier to generate complete audit trails that include all identities in your environment.
Reduced operational burden & cognitive load: Security teams tend to have a “get it done” mindset; they don’t complain that their jobs are hard. But the reality is juggling multiple identity security and access management tools takes unnecessary time and adds significant cognitive load to their daily work. Oleria significantly reduces the time and stress that security teams need to expend to get to the level of visibility and understanding they need. This — above and beyond all the other functional advantages — is perhaps the most immediate value we hear Oleria users talk about.
Fight identity and permission sprawl by reimagining identity security
The identity sprawl and over-permissioning we see today is only accelerating. Organizations are expanding their SaaS ecosystems, deploying new tools in a decentralized model that’s hard for security to keep tabs on. Companies are leaning more on vendors and third parties for specialized expertise. And we’re only at the start of the AI and automation revolution — we’ll see both NHIs and IoT identities grow exponentially in the next five to 10 years.
Security leaders recognize that each of these types of identity sprawl bring their own unique challenges. But the answer isn’t further specialization in point IAM, ITDR, ISPM and related solutions. We’ve already started to go down that path, and we’re seeing how it adds more complexity and presents new risks in the gaps between identity technology silos.
Security leaders need to focus on building integrated, unified visibility and intelligence across all types of identities. This will make centralized identity management possible — making it practical to continuously monitor to enforce least-privilege and identify abnormal activities, and to investigate issues rapidly from one platform, rather than stitching together threads. Ultimately, this consolidated identity visibility is about giving security teams more time (and mental bandwidth) to work on enhancing the business’ security posture, rather than just trying to keep up.