And the survey says… “Good ol’ Fashioned IAM is Just Too Risky!”

We’ve all been there – you’ve been doing something the same way for years and it seems to be going well. You’re in a groove and everything happens like clockwork. You know exactly what you’re doing and the results are predictable. You’re a well-oiled machine – or are you? Maybe you’re actually stuck in a rut, a dangerous rut!

Nowhere is this truer than in the world of identity and access management (IAM).

One Identity just completed a global survey of more than 900 IT-security professionals asking a wide range of questions about their IAM practices, technologies and worries. One data point that jumped out over and over again as we analyzed the data was that old-fashioned IAM processes (specifically the processes surrounding deprovisioning dormant accounts) cause chaos. And chaos equals risk.

Let’s look at some of the survey highlights (or maybe we should say lowlights):

  • When asked if their organization has dormant user accounts, which, as we all know, can present dangerous open doors into an enterprise, a whopping 87% answered yes.
  • Of those who know they have dormant accounts, only a third actually knew which accounts they were.
  • 71% expressed concern about dormant accounts.
  • Only 19% have IAM tools to help identify dormant accounts.

So what does that tell me? First, it screams that the deprovisioning process is broken at most organizations. Dormant accounts are most often the result of a terminated or reassigned employee whose access wasn’t revoked – a deprovisioning failure at its finest.

When asked about their deprovisioning processes:

  • Fewer than a third expressed a high level of confidence that users were properly (i.e., fully and quickly) deprovisioned.
  • Only 14% automatically deprovision users upon status change.
  • And the majority – 65% – require IT intervention to execute the deprovisioning process.

So how does this come back around to old-fashioned IAM practices?

Consider the way provisioning and deprovisioning have been done historically. A line-of-business person hires (or fires) someone and then has to track down all the different people in IT who have the permissions and know-how to set up (or delete) the accounts for the user. It’s a highly manual process and one that is not at the top of your typical IT pro’s list of priorities. So this pro gets around to deprovisioning tasks when they can. Or the line-of-business guy doesn’t remember everywhere that the user has access, so he doesn’t even request account termination on every system. And what do you end up with? A dormant account that no one knows is there, and credentials that a bad guy would love to get his hands on and exploit. And the situation only gets worse as you add cloud-based systems to the enterprise, and new accounts with new IT teams to work on them.

But there is hope. The right approach to IAM – one that puts the business in charge, automatically takes action upon change in status, doesn’t rely on IT intervention for stuff to happen, and has a very clear concept of user rights and permissions – virtually eliminates the problem.

To take a deeper dive into the data and see how you compare, get a copy of our survey report.

Anonymous