
Organizations Need More Than Workflow-Based Access Governance to Keep Organizations Safe

The number one cybersecurity threat vector is unauthorized access via unused, expired, or otherwise compromised access credentials. Estimates show that over 95 percent of cyberattacks begin with a threat actor gaining unauthorized access to a computer system via poorly managed access credentials.

Organizations adopt one or more of the following pillars to gate access:

  1. Some kind of onboarding system for users – an identity system.
  2. A workflow-based system, also known as a ticket-based system, which is a digital version of the old paper-based process. Parts of the system are sometimes automated to keep up with increasing demand.
  3. Security Information and Event Management (SIEM) or observability tools, which are supposed to produce intelligent and actionable observations. However, their overwhelming output leads to alert fatigue, and prioritization becomes a considerable problem.

Most organizations have one or all of these pillars. One problem with this approach is that none of these measures is designed to handle the growing challenge of managing access privilege. Another is that SIEM and observability systems are asynchronous and lack user context, and without context it’s impossible to determine the user’s intent: who is this user? What does she want? What is her footprint inside the organization? Once established, that context can be matched against the user’s other activities, company mandates, policies, and regulations. Only then can the user be given access to a specific area.

Organizations face the dual challenge of streamlining their security operations while responding to increasing user access requests. At the same time, they must preserve company resources and ensure no malicious access requests slide unnoticed into the computer system.

IT admins used to manage the flood of repeated access requests by granting certain users elevated levels of access, easing the workflow for both users and admins. That practice has faded in recent years: every user is now effectively privileged, because cross-platform work requires this type of access.

Interconnectedness – everyone is a privileged user in today’s work environment

Today’s professional environments have a higher degree of interconnectedness between platforms, vendors, systems, and users than we have ever encountered before. The result is that admins find themselves flooded with frequent access requests.

Many workflow-based access management solutions rely on a ticket-based structure that mirrors the paper-based system used years ago. These systems are easily automated – perhaps one reason they remain popular – but automation is not the best solution to access management problems.

Ticket-based systems provide a way to address access requests in a structured manner because users follow a “request access” path as part of their workflow. Once access is requested, it’s either granted or denied based on company policy. Once the particular task is completed, access is revoked from the user’s profile, eliminating the common problem of persistent privileges.

As demand grew, solutions extended further to cater to expanding security policies and enabled the creation of workflow policies and grouping policies to provide more context behind access.

Here’s an example: one policy determines the specific entitlements that an engineering team needs. Another policy defines the need to gate critical sensitive data assets and resources, establishing that they cannot be modified regardless of elevated user privileges.

Workflow solutions have been adapted from their IT origins to process security requests in a structured way. However, they leave a significant gap when several dynamic attributes must be governed simultaneously (fig. 1).

A modern access management system should handle the following:

  • The sprawl of user personas and activities, i.e., different user personas needing different tiers of privilege, which is growing at the same rate as infrastructure proliferation.
  • Traditional Role-Based Access Control (RBAC), which provides perpetual access based on the user’s roles, is a methodology that has run its course. Even with zero-trust-based access added at a granular level, RBAC no longer measures up.
  • Today’s enterprise users wear multiple hats and use different software with varying privileges. The nature of these privileges has to be dynamic, or the access management system becomes a bottleneck.
  • A user with a specific level of access may need to temporarily elevate her privilege because she needs access to protected data to complete a task. Scaling workflow-based systems to match larger teams’ needs is difficult without creating a chaotic situation in which masses of users simultaneously bombard the security admins for approval.

Access privileges are the newest attack surface.

From a cybersecurity standpoint, processing a high volume of dynamic and changeable user entitlement requests through workflow-based solutions that rely on company rules and policies is dangerous. It’s a method that creates chaos and increases the potential for undetected malicious access requests to get into the system.

Some access monitoring solutions rely heavily on automated access controls, such as group policies or other sets of criteria, that allow access requests to be processed automatically. Automation lacks the intelligence to adapt to changing user behaviors and entitlements, so it creates a high risk of compounding wrong-access approvals – a shortcut to creating vulnerable backdoors within the system.

Manual or automated approvals don’t address the critical context-based gating needed, and mere validation of static policy groupings or rules doesn’t meet accurate access governance requirements.

Let’s look at an example: an Amazon S3 bucket or an Azure resource has more than 100 privileges, and established workflows make it easy to send requests, but it is humanly impossible for the downstream IT staff even to begin to comprehend each request, so they often hit “approve” because another 1,000 requests are waiting in the queue.

Cloning group access policies is a common practice in some organizations. It requires validation of the context behind each access request; without that context, groups are often cloned into other parts of the organization where their use becomes unmanageable.

Coupling groups and policies with a ticketing workflow system addresses productivity concerns but glosses over the critical context behind access: who accesses what, when, and why?
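To make the "who, what, when, and why" point concrete, here is an added example (not code from the original article or any product it mentions) of a minimal context-aware access evaluator. It combines the two policies described earlier (a persona's standing entitlements, and critical assets that stay read-only regardless of elevation) with task-scoped, self-expiring elevation grants in place of persistent privilege; all persona names, resources and times are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical, not from any real deployment).
# Standing entitlements: what each persona may do on each resource class.
PERSONA_ENTITLEMENTS = {
    "engineering": {"build-artifacts": {"read", "write"}, "customer-db": {"read"}},
    "support":     {"customer-db": {"read"}},
}
# Critical assets that may never be modified, whatever privilege the caller holds.
IMMUTABLE_ASSETS = {"customer-db", "audit-log"}
# Fixed reference clock so the decisions below are reproducible.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def issue_grant(user, resource, actions, now, ttl_minutes=60):
    """Create a task-scoped elevation that expires on its own (no persistent privilege)."""
    return {"user": user, "resource": resource, "actions": set(actions),
            "expires_at": now + timedelta(minutes=ttl_minutes)}

def evaluate(request, grants, now):
    """Return (decision, reason) for one access request.

    request: dict with user, persona, resource, action, justification (the 'why')
    grants:  time-bound elevation grants from issue_grant()
    now:     current time, passed in so the logic is testable
    """
    res, act = request["resource"], request["action"]
    # 1. Deny-override: protected assets are read-only for everyone, elevated or not.
    if res in IMMUTABLE_ASSETS and act != "read":
        return "deny", f"{res} is immutable; {act} refused regardless of privilege"
    # 2. Every request must carry a justification so the approval is reviewable.
    if not request.get("justification"):
        return "deny", "missing justification (no task context)"
    # 3. Standing entitlement of the requester's persona.
    allowed = PERSONA_ENTITLEMENTS.get(request["persona"], {}).get(res, set())
    if act in allowed:
        return "allow", f"persona '{request['persona']}' holds {act} on {res}"
    # 4. Temporary elevation: only unexpired grants for this user and resource count.
    for g in grants:
        if (g["user"] == request["user"] and g["resource"] == res
                and act in g["actions"] and g["expires_at"] > now):
            return "allow", f"time-bound grant valid until {g['expires_at'].isoformat()}"
    return "deny", "no standing entitlement and no active elevation"

if __name__ == "__main__":
    req = {"user": "bob", "persona": "support", "resource": "build-artifacts",
           "action": "read", "justification": "incident INC-0001 (constructed)"}
    grant = issue_grant("bob", "build-artifacts", ["read"], NOW, ttl_minutes=30)
    print(evaluate(req, [], NOW))          # denied: support has no standing entitlement
    print(evaluate(req, [grant], NOW))     # allowed: active, task-scoped elevation
    print(evaluate(dict(req, resource="customer-db", action="write"), [grant], NOW))
```

Because the grant carries its own expiry, revocation after the task needs no second ticket, and the deny-override in step 1 is evaluated before any entitlement or grant, so an elevated user still cannot modify a protected asset.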

Highly interconnected work environments require better monitoring

In today’s corporate environment, everyone has become a privileged user accustomed to quick access and swift responses generated in seconds across platforms, vendors, and many different systems.

At the same time as organizations are streamlining the access process, they also must keep tight budgets and comply with cybersecurity regulations and requirements. A rigid and rule-bound access management system is no longer sufficient for companies that want to maintain a competitive edge.