Entitlement creep: What you should know about it

January 25, 2021

The risk of identity breaches to global organizations cannot be overstated. Cybercriminals continue to attack organizations across the enterprise and numerous verticals. As noted in the 2020 ForgeRock Consumer Identity Breach Report, unauthorized access (40%) was the number one attack method by cybercriminals in 2020. It’s no wonder there has been a 78% increase in compromised consumer records over the previous year. The point here is clear: organizations are exposing their business to unnecessary risk by allowing employees to have residual access to systems and applications that they no longer need to have access to. They need to evolve their current thinking and approach to better manage and control unauthorized user access.

The silent access challenge: Entitlement creep

Digital transformation, securing the remote workforce and growing regulatory compliance requirements, like SOX, HIPAA, GDPR, and CCPA, are putting global organizations under increasing pressure to achieve compliance – not just annually, but continuously. With so many new types of identities – customers, partners, workforce, citizens, machines, devices, bots’ APIs, applications and microservices – security and IT teams are overwhelmed. Many of today’s identity governance solutions cannot keep up because they are based on manual, human reviews and fulfillment, and as a result, organizations may be blind to potential risks such as growing employee entitlement creep across the enterprise.

An employee’s roles, groups and responsibilities can change dramatically over the course of employment. When these changes are dealt with manually, it is easy to forget to remove some or all access from a previous role. This leads to entitlement creep, where employees gradually accumulate unnecessary permissions over time. As a result, when a user leaves an organization, he or she might have more access than IT knows about, so the user retains access to those overlooked or orphaned accounts.

Organizational blind spots accelerate entitlement creep

Access compliance

Staying compliant requires a lot of effort – especially when people change jobs, work on special projects, or leave an organization. Identity governance helps by automating the work it takes to enforce and demonstrate compliance. By implementing access policies, an organization can be confident that the right people are accessing the right information for the right reasons. Furthermore, it lets you quickly review and certify access for any user at any time.

Whether it is helping to comply with regulations, such as SOX, HIPAA, GDPR, FISMA or CCPA, compliance is foundational to reducing an organization’s security risks. A failed compliance audit or lack of access controls can lead to users accumulating more entitlements or unnecessary permissions over time. This, in turn, can lead to inappropriate access privileges and potentially lead to larger issues, like unauthorized user access or even a data breach.

Operational inefficiencies

Identity governance solutions are meant to automate access requests, approvals and certification reviews. Unfortunately, the reality is that IT and security teams are buried in access requests, approvals and certification reviews. As a result, they can end up manually approving access requests and rubber-stamping access certifications. This results in the overprovisioning of user access privileges – in this case, excessive or unnecessary entitlement assignments. This can lead to unauthorized user access to systems, applications and proprietary business information, like personal identifiable information (PII), business strategies, competitive intelligence or company revenue projections.

Business enablement

Governing user access to applications and systems across an entire enterprise is a critical component to any security strategy. But it often presents one of the greatest challenges faced by security professionals. As employees, contractors or temporary staff join the company, change jobs, take on different assignments or eventually leave the company, organizations must constantly update access entitlements and policies to ensure that users only have access to what they need, while removing access they don’t need.

Many organizations may address this with manual processes executed by different people and different systems. Manual processes offer several barriers:

1. Employees must wait to get the access they need to do their job.

2. Manual processes are more prone to errors.

3. Policies do not cover all needed access types and are often applied haphazardly.

4. Manual processes may be more costly than automated processes.

So, how can a security team prevent entitlement creep at their organization? One answer lies in artificial intelligence (AI)-driven identity analytics. Identity analytics leverage AI and machine learning algorithms to consume and analyze data to map out the user access landscape across an enterprise. By detecting user access patterns – both good and bad – identity analytics can highlight excessive or unnecessary entitlement assignments and over-provisioned user access privileges. In addition, AI-driven identity analytics can automate the removal of high-confidence and low-risk access rights, lowering the risk of unauthorized users access across an organization.

Tim Bedard is Senior Director, Product Marketing at ForgeRock.

In this webinar, we review the rise of cloud access control and access control as a service, its advantages and disadvantages, and how to select the optimal cloud access control solution for your company.

Security leaders need to accept and act on this reality and take measured and thoughtful steps to mitigate the risk and train staff about the growing likelihood of such violent incidents in their facilities and workplaces.