Your users migrating to the cloud or shifting to remote work models are dealing with a new challenge: identity sprawl. In One Identity’s survey conducted September 2021 polling 1,009 IT security stakeholders, 84 percent of respondents said that the number of identities managed within their organization had doubled or more in the last ten years. Furthermore, another 11 percent said that they had increased, but at a lower rate, in that same period. The challenge appears common across the board. Survey respondents belonged to a wide variety of industries in several countries, including the U.S. and Canada.
How Businesses Are Responding
To manage this increasing number of digital identities, companies have turned to an almost equally growing number of systems that control access rights. One-third of all respondents said that their organization used anywhere from 25 to 100 systems that manage access rights, such as IAM and PAM systems, Active Directory, and the username and password accounts of SaaS applications. Furthermore, 21 percent said that their organization utilized more than 100 identity systems.
These staggering numbers of applications create difficulties for security professionals. One-fourth of respondents said that their identity and access systems were unable to integrate with their SaaS applications, while half said that it was a challenge to manage the different administrative models that their various systems utilized.
The Risk from Digital Identities
More than causing management headaches, these overwhelming numbers of identities and systems can create real cybersecurity threats for organizations. Half of the respondents stated that, because of the number of separate applications that their companies use, they lack any visibility as to which users are able to access which systems and who is using which parts of the network. Likewise, one-third of respondents said they lacked visibility as to who had access to privileged systems and information in their organizations.
Additionally, 85 percent said that, to their knowledge, employees within their organizations have been given privileged rights beyond what is necessary for the scope of their jobs. Bad actors seeking a foothold into targeted organizations may target these employees, who have privileged access they do not need and exploit that access for their own gains. Several high-profile attacks, such as those against Colonial Pipeline and SolarWinds, used such tactics.
Survey respondents showed some hesitation regarding their and their organization’s ability to defend against credential-based attacks that occur when the attackers steal organization credentials to gain access and bypass an organization’s regular security measures. Only 12 percent of the responding security professionals were fully confident that they could prevent such an attack. The majority of responders – 69 percent – were somewhat confident in their abilities, but 2 percent had no confidence at all.
Two-thirds of respondents are most concerned about ransomware attacks, and half of those surveyed state that their organization is most worried about phishing attacks. Credential-based attacks, as discussed prior, are the greatest concern of only a quarter of the survey responders.
When asked how their organizations could streamline processes, almost two-thirds of respondents believed they would benefit from a unified platform for access and digital identity management. In addition, half said that they would like end-to-end unification of their organization’s identities and accounts.
For the sake of organizational security, the goal should be to move towards reining in identity sprawl and unifying digital identity and access management systems.