Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Leadership and ManagementLogical SecuritySecurity & Business Resilience

Managing identity sprawl: How to take back control

By Anna Nordström
employee using computer

Image via Unsplash

January 11, 2023

Organizations today are grappling with identity sprawl. As the enterprise has become more distributed, employees now have access to an ever-increasing number of tools, and they’re setting up accounts in all manner of places.

This is typically being done outside the purview of information technology (IT) teams, so IT lacks full visibility of all the different accounts that employees have created. This is what cybersecurity leaders call identity sprawl. Each one of these accounts is an “identity,” and the IT staff may not have an overview of the data that’s on these various services.

This lack of visibility and oversight opens an organization up to all kinds of security and compliance risks. That’s why organizations need to take back control.

The growth of identity sprawl and its impact

With the rise of cloud and Software as a Service (SaaS)-based services — not to mention the increase in remote work — there are many tools and apps at employees’ disposal. While many are being used with the permission of IT departments, organizations also see what’s often known as “shadow IT,” in which employees and others are using services and creating accounts without necessarily looping in IT. There is no malicious intent here in most cases; they’re just trying to use the tools they want to get their work done.

The proliferation of identities across the enterprise can lead to, at best, inefficiencies and, at worst, security and compliance risks. Phishing attacks provide a good example. If users have multiple, different accounts within a network, this makes it harder for IT and security teams to monitor and manage every single attack.

Bad actors can gain access to systems or applications with credentials they’ve stolen through phishing. It’s also an issue when employees don’t close accounts they no longer need — or when they leave the organization. All of this becomes a problem that compounds if it continues to go unmanaged.

The challenges of taking back control

In the past, it was much easier to control what employees did in the IT space. They sat on the corporate network, and they used the tools the organization supplied them. But now, employees are used to being able to do things themselves — they’ll just download an app and get to work. Further complicating this issue is the fact that many companies don’t realize how big a problem identity sprawl is until there’s a breach or some other problem.

Organizations need to find a balance regarding this. IT teams can limit what employees install, but that’s harder to do efficiently when it comes to cloud apps. Cybersecurity leaders need to decide how much freedom employees should have and what the best approach is for the organization, considering how it needs to function.

Taking back control

To begin the process of taking back control, organizations need an identity and access management strategy that covers which services employees can freely use and what should be blocked and includes controls in place to ensure the most critical systems are protected. Organizations should also have an IT policy (that employees are educated on) that details what services employees can use and how they can use them.

For this to work, IT leaders need to talk to users to make sure IT is enabling the use of the tools they want to work with; this can go a long way toward helping maintain compliance. When employees are clear about why this policy is in place, and when they feel IT is listening to them, they are less likely to participate in shadow IT.

Identity governance and administration (IGA) helps, too. When an organization does have access rights in place, IT can make it easy for employees to know which tools they need and to be able to register them in a request portal.

To get these systems under control, cybersecurity teams need visibility and integration with IGA. Cybersecurity should also have control over removing apps and/or access when people don’t need them anymore (or when they’ve left the organization).

IGA that can help with onboarding applications easily makes it simpler for the business and IT to add new “approved” applications. This is going to improve visibility and help you gain control — and at the same time, it will speed up the process of getting employees access to the tools they need to do their work efficiently.

Help is on the way

The work-from-anywhere phenomenon, like almost everything, has its advantages and disadvantages. One major disadvantage is that as employees have moved outside the traditional network perimeter and far away from the IT department, they have learned to be more self-reliant. That sounds like a good thing — except it often means employees bypass identity protocols so they can use apps they are comfortable and familiar with.

This has created identity sprawl that develops into a security challenge. Who has access to what becomes important when an attack is in progress, for instance. But good policies, employee training and consistent IGA will help organizations overcome identity sprawl for a safer and more compliant organization. 

KEYWORDS: cyber security initiatives governance IAM systems identity (ID) management software as a service work from home

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Anna Nordström is Senior Product Manager at Omada.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Leadership and Management
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cybersecurity
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    New Security Technology
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

Events

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

August 27, 2025

Risk Mitigation as a Competitive Edge

In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • SaaS-security-freepik

    Why security leaders are concerned about the SaaS sprawl, and how to get a grip on it

    See More
  • cyber security network

    The three challenges of network tool sprawl and how to solve them

    See More
  • online conference

    Identity management conference to take place April 12

    See More

Related Products

See More Products
  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • school security.jpg

    School Security: How to Build and Strengthen a School Safety Program

  • Hospitality-Security.gif

    Hospitality Security: Managing Security in Today's Hotel, Lodging, Entertainment, and Tourism Environment

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing