Anyone who has worked in a large-enterprise environment likely has had to manage several accounts, logins, passwords, and multifactor authentication methods. This is due to having to authenticate into various systems and tools across the enterprise environment. This identity and access management (IAM) sprawl causes security and information technology (IT) professionals a lot of headaches.
A recent Axiad survey, involving more than 200 professionals in organizations of more than 2,500 employees, found that nearly 70 percent of security and IT professionals are overwhelmed by authentication system complexity. Some of the survey’s findings highlight the complexity of the modern-enterprise environment when it comes to authentication. These findings include professionals having to use three or more IAM systems, multiple operating systems, three or more authentication methods, and so forth. As one can guess, the complexity of managing these systems, with all those credentials and authentication methods, quickly piles up.
The Cause of IAM Sprawl
Some IAM sprawl is a natural byproduct of the ever-increasing complexity of the modern-enterprise IT environment. This byproduct comes with its own inherent risks and concerns. Notable sources such as the Verizon Data Breach Investigation Report (DBIR) show that compromised credentials are involved in more than half of all data breaches. In the cloud environment, vendors such as GitGuardian have shown that secrets management is a major challenge, with organizations often exposing sensitive credentials unintentionally in sources such as GitHub repositories. So, not only is IAM complex for IT and security professionals, and therefore likely impeding their productivity and performance, but it is also contributing to the risk of the organization and the likelihood of a damaging data breach.
Steps to Alleviate IAM Sprawl
Organizations need to realize the risk of IAM sprawl in terms of productivity as well as potential data breaches and sensitive data disclosure. That said, the news isn’t all bad. There are steps organizations can take to bolster posture against the risk and improve their organization compared to others in the industry on the IAM front.
Some of the primary options include rationalizing IAM systems and consolidating identity providers (IdPs). Many organizations have several IAM systems that store credentials and often don’t communicate well with one another, leading to sprawl. Consolidating IAM systems can help organizations govern their IAM footprint. Organizations should also maximize the use of single sign-on (SSO), which can save practitioners tremendous time since it allows them to no longer need a unique credential for every system they interact with.
Another emerging trend is the move toward passwordless authentication. Traditionally, users needed to memorize passwords for the various systems with which they interact. That was alleviated to some extent with the emergence of password managers, which can help with the generation and use of passwords, but passwordless authentication hopes to go beyond that and try to minimize the use of passwords entirely, instead using other forms of authentication.
Driving down the IAM environment’s complexity should be a major priority for all organizations, especially given the common problem of attracting and retaining technical talent. Failing to adopt all, or at least some, of these recommendations will continue to lead to the problems that plague the industry — complexity and burnout for the IT and cybersecurity professionals dealing with the modern enterprise ecosystem; exposed credentials; and the increased likelihood and malicious actors compromising organizations.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: