Managing identity sprawl: How to take back control

Image via Unsplash

Organizations today are grappling with identity sprawl. As the enterprise has become more distributed, employees now have access to an ever-increasing number of tools, and they’re setting up accounts in all manner of places.

This is typically being done outside the purview of information technology (IT) teams, so IT lacks full visibility of all the different accounts that employees have created. This is what cybersecurity leaders call identity sprawl. Each one of these accounts is an “identity,” and the IT staff may not have an overview of the data that’s on these various services.

This lack of visibility and oversight opens an organization up to all kinds of security and compliance risks. That’s why organizations need to take back control.

The growth of identity sprawl and its impact

With the rise of cloud and Software as a Service (SaaS)-based services — not to mention the increase in remote work — there are many tools and apps at employees’ disposal. While many are being used with the permission of IT departments, organizations also see what’s often known as “shadow IT,” in which employees and others are using services and creating accounts without necessarily looping in IT. There is no malicious intent here in most cases; they’re just trying to use the tools they want to get their work done.

The proliferation of identities across the enterprise can lead to, at best, inefficiencies and, at worst, security and compliance risks. Phishing attacks provide a good example. If users have multiple, different accounts within a network, this makes it harder for IT and security teams to monitor and manage every single attack.

Bad actors can gain access to systems or applications with credentials they’ve stolen through phishing. It’s also an issue when employees don’t close accounts they no longer need — or when they leave the organization. All of this becomes a problem that compounds if it continues to go unmanaged.

The challenges of taking back control

In the past, it was much easier to control what employees did in the IT space. They sat on the corporate network, and they used the tools the organization supplied them. But now, employees are used to being able to do things themselves — they’ll just download an app and get to work. Further complicating this issue is the fact that many companies don’t realize how big a problem identity sprawl is until there’s a breach or some other problem.

Organizations need to find a balance regarding this. IT teams can limit what employees install, but that’s harder to do efficiently when it comes to cloud apps. Cybersecurity leaders need to decide how much freedom employees should have and what the best approach is for the organization, considering how it needs to function.

Taking back control

To begin the process of taking back control, organizations need an identity and access management strategy that covers which services employees can freely use and what should be blocked and includes controls in place to ensure the most critical systems are protected. Organizations should also have an IT policy (that employees are educated on) that details what services employees can use and how they can use them.

For this to work, IT leaders need to talk to users to make sure IT is enabling the use of the tools they want to work with; this can go a long way toward helping maintain compliance. When employees are clear about why this policy is in place, and when they feel IT is listening to them, they are less likely to participate in shadow IT.

Identity governance and administration (IGA) helps, too. When an organization does have access rights in place, IT can make it easy for employees to know which tools they need and to be able to register them in a request portal.

To get these systems under control, cybersecurity teams need visibility and integration with IGA. Cybersecurity should also have control over removing apps and/or access when people don’t need them anymore (or when they’ve left the organization).

IGA that can help with onboarding applications easily makes it simpler for the business and IT to add new “approved” applications. This is going to improve visibility and help you gain control — and at the same time, it will speed up the process of getting employees access to the tools they need to do their work efficiently.

Help is on the way

The work-from-anywhere phenomenon, like almost everything, has its advantages and disadvantages. One major disadvantage is that as employees have moved outside the traditional network perimeter and far away from the IT department, they have learned to be more self-reliant. That sounds like a good thing — except it often means employees bypass identity protocols so they can use apps they are comfortable and familiar with.

This has created identity sprawl that develops into a security challenge. Who has access to what becomes important when an attack is in progress, for instance. But good policies, employee training and consistent IGA will help organizations overcome identity sprawl for a safer and more compliant organization.

Anna Nordström is Senior Product Manager at Omada.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.

Managing identity sprawl: How to take back control