Good lifecycle management can make managing identities and access more efficient, streamline regulatory compliance processes, ensure that employees have access to the resources they need and help organizations move toward zero trust.
As significant as the benefits of good lifecycle management are, the risks resulting from bad lifecycle management are even more compelling. Organizations that fail to institute good lifecycle management practices risk opening the door to credentials-based attacks with potentially devastating consequences.
With more employees than ever leaving roles, onboarding or changing their positions with an organization, the Great Resignation is likely to exacerbate these consequences, underscoring the urgent need for lifecycle management. Here’s a look at the dangers organizations should be concerned about and what they can do to minimize governance and lifecycle risks:
Users leave their roles—and leave risk behind.
Poor lifecycle management can lead to ungoverned accounts (including service accounts, inactive accounts, orphaned accounts and overly entitled accounts) that security teams don’t monitor—and may not even be aware of. This lack of visibility into accounts increases risk by expanding the attack surface that is available to threat actors.
Improving lifecycle management reduces risk by providing constant visibility into who users are, what they have access to, what they’re doing with that access, why they need it and—perhaps most critically—when their access ends or changes. It enables security teams to see what to protect, what legitimate baseline activity looks like, who the legitimate users are (or aren’t) and when it’s time to remove an account because it’s no longer in active use.
An inactive account is an easy way for hackers to infiltrate your operations.
With no one monitoring accounts that aren’t in active use, a potential intruder can spend an unlimited amount of time looking for such an account and figuring out how to hack into it. Once that happens, there’s no limit to the harm that can ensue; it just depends on how long the hacker can work undetected and how much access the compromised account offers them.
More often than not, these breaches give cybercriminals ample time and opportunities. IBM found that that breaches caused by stolen credentials took the better part of a year to be contained, on average. And if you’re looking for a worst case example of what a threat actor can do in that time, remember that the Colonial Pipeline ransomware started when a hacker breached the company’s network through a VPN account that was no longer in use—and also unprotected by multi-factor authentication.
It’s not only outsiders that present a threat when it comes to inactive accounts. A user who leaves an organization on bad terms, for example, can wreak havoc by using their credentials to continue to access sensitive information or resources indefinitely—or at least until the security team becomes aware of the problem. And if an account is not regularly monitored or otherwise governed, that can be a long time.
The dangers of forgotten accounts—and the value of lifecycle management.
Implementing regular, disciplined lifecycle management is more challenging than it’s ever been; people have access to more resources than ever and their access is constantly changing. And that’s before accounting for broader shifts, like the added challenge of managing access for a workforce that suddenly went 100% remote a couple of years ago—and that is now experiencing a mass exodus the likes of which we’ve never seen. In these circumstances, it’s tough to keep up with activities like reviewing access privileges, assigning and managing rights, tracking access activity and ending access in a timely manner when someone leaves or has a change in their role.
To keep pace with the rate of access changes today, it’s important not only to adopt lifecycle management, but also to look for solutions that automate the processes associated with access reviews and other lifecycle management activities. It’s even better when automated lifecycle management activities are part of a zero trust approach to security in which trust in the user’s identity and access privileges are never assumed. The visibility into access that good lifecycle management provides is essential to moving an organization toward zero trust.
Poor lifecycle management can have disastrous consequences, but effective lifecycle management can help organizations avert the worst outcomes and realize new benefits.
# # #
Learn what to look for in a solution and how SecurID Governance & Lifecycle can help.