Three Reasons It’s So Difficult to Achieve and Maintain Least Privilege

If you read our last blog post about the user experience in IAM and how to balance ease, security, and productivity, you got a good look at how permissions management can impose challenges on end users, impacting its adoption across the organization. That’s also true of Security and IT teams. The plain fact is that planning for, implementing, maintaining, and optimizing permissions management can take an operational toll on the very Security and IT teams tasked with its success.

That’s because traditional permissions management can be complex and difficult to implement, requiring significant investments in people, processes, and technology. The maintenance and management of IAM systems can be time-consuming and resource-intensive, requiring ongoing attention and support from security teams.

This blog post delves into three specific challenges and what you can do about them to minimize operational overhead. Let’s dive in!

Challenge #1: Lack of Context & Visibility

In small startups with fewer than 100 employees, where you know everyone and the infrastructure is small, it’s easy to figure out who the requester is and what access they should have. But as your company grows, you end up not knowing all the requesters, and you don’t know whether they should get the permissions they ask for.

Also, the security professionals responsible for achieving and maintaining least privilege don’t always manage all of the cloud infrastructure, and as a result they lack the context to understand the security consequences of the requested permissions. On top of that, they don’t have the entitlement visibility to notice, or even see, all the IAM issues that are putting their company at risk: overprivileged, underprivileged, and unused access.

Security teams don’t see, and therefore can’t understand, exactly who can and should take what action on which assets. Which requests should they approve, deny, or modify? As a result, they’re burdened with gathering context from the user, their managers, and other stakeholders through endless email threads, and many times a multi-step approval or segregation of duties is required, which makes it even more difficult and complex.
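As an added example (not Axiom’s code or the post’s own), the following Python script shows the kind of entitlement check this passage describes: who is allowed to take which action on which resource under IAM-style Allow/Deny statements with wildcards, which granted statements were never exercised during a review window (unused access), and which statements carry wildcard grants (the usual overprivilege signal). The policies and the activity records are constructed sample data.

```python
from fnmatch import fnmatchcase

# Constructed sample (not from the post): IAM-style statements attached to each identity.
POLICIES = {
    "alice": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": ["iam:DeleteUser"], "Resource": ["*"]},
    ],
    "ci-bot": [
        {"Effect": "Allow", "Action": ["sqs:SendMessage"],
         "Resource": ["arn:aws:sqs:us-east-1:123456789012:jobs"]},
    ],
}

# Constructed sample: API calls observed during the review window, as (identity, action, resource).
ACTIVITY = [
    ("alice", "s3:GetObject", "arn:aws:s3:::reports/q1.csv"),
    ("alice", "s3:ListBucket", "arn:aws:s3:::reports"),
    ("ci-bot", "sqs:SendMessage", "arn:aws:sqs:us-east-1:123456789012:jobs"),
]


def _matches(stmt, action, resource):
    """IAM-style wildcard match ('*' and '?') on both the action and the resource."""
    return (any(fnmatchcase(action, a) for a in stmt["Action"])
            and any(fnmatchcase(resource, r) for r in stmt["Resource"]))


def allows(identity, action, resource):
    """Who can take what action on which resource: an explicit Deny wins, default is deny."""
    hits = [s for s in POLICIES.get(identity, []) if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in hits):
        return False
    return any(s["Effect"] == "Allow" for s in hits)


def unused_grants(identity, activity=ACTIVITY):
    """Allow statements that no observed call exercised in the window: candidates for pruning."""
    used = [(a, r) for who, a, r in activity if who == identity]
    return [s for s in POLICIES.get(identity, [])
            if s["Effect"] == "Allow" and not any(_matches(s, a, r) for a, r in used)]


def wildcard_grants(identity):
    """Allow statements with '*' actions or resources: the usual overprivilege signal."""
    return [s for s in POLICIES.get(identity, [])
            if s["Effect"] == "Allow"
            and ("*" in s["Resource"] or any(a == "*" or a.endswith(":*") for a in s["Action"]))]
```

Running `unused_grants("alice")` flags the `iam:*` statement that alice holds but never used, which is exactly the kind of standing entitlement the text says security teams cannot see without visibility tooling.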

How to Solve: Axiom provides full entitlement visibility and insights to see who can and should take what action on which resource, and enriches each permissions request with context and recommendations so that Security and IT teams can quickly make the best-informed decision.

Challenge #2: Too Much Tactical Work and Heavy Lifting, With No Time for Strategy

We are witnessing an increasing elasticity in access patterns in the era of the Cloud and the remote workforce. Infrastructure has become far more elastic and complex than ever and various identities require different access to different resources at different times.

As a result, Security and IT teams are forced to be reactive, spending time and labor on context gathering, decision making, approval processes, and juggling provisioning through endless assignments between users, groups, and permissions.

With all these moving parts and seemingly endless changes, security teams spend an abundance of time on tactics and heavy lifting. Unfortunately, that means they can’t be proactive and focus on defining strategy and setting policies.

All of this grunt work pulls focus away from strategy, which isn’t great for the business or for the professionals, who can become dissatisfied with mundane, tedious, repetitive operational work that has outsized ramifications if they get it wrong. Think about it:

  • Security teams are flooded with access requests and act like rubber stamps for each one: they need to approve, deny, or modify every access request.
  • They have to act as the broker for communications by:
    • changing the ticket or adding the relevant approver, and then routing each access request to the relevant individual or group of approvers.
    • creating two tickets or assigning the ticket to different people (e.g., building approval chains for requests with more than one approver).
    • for approval chains with groups, finding all the individuals in the group and adding them to the ticket in the hope that someone will approve the request.

None of that is efficient, because when a mundane task is assigned to everyone, it hardly ever gets done: each person relies on everyone else to do it.

  • Lastly, they need to define approval processes and workflows by building and maintaining databases and Excel files that hold all the approval workflows.

Does this sound like a process that can scale and strategically help a company minimize its attack surface? Probably not.

The endless flood of access reviews leads to approval fatigue and to a situation where identities hoard permissions they don’t need. Worse than that, they inherit every permission granted to the groups they belong to, increasing the blast radius and exposing organizations to a huge amount of risk.

How to Solve: Axiom automatically orchestrates approval and provisioning for Cloud and SaaS IAM operations, routing each request to automatic, semi-automatic, or multi-step approval, and automating both the granting of permissions and their pruning when they are no longer needed. In this way, Axiom manages the recommendations, the tactics, and the heavy lifting of carrying them out.

Our solution comes with a robust workflow automation engine where Security and IT teams can define the strategy while Axiom does the heavy lifting of implementing IAM recommendations and tactics. Our workflow automation routes each request to the relevant approvers and groups, and defines multi-person approvals. Axiom provides customized approval workflows with pre-built templates that are based on use cases and pattern recognition of approvals to eliminate the laborious, tedious work of IAM operations.

Lastly, Axiom provides centralized identity observability so security teams can quickly and easily see the entitlements of each identity – across all platforms – to better understand, evaluate, and remediate IAM risks.

Challenge #3: Increasing Complexity in Cloud IAM

The last challenge in achieving and maintaining least privilege is the spiraling IAM complexity brought on by the evolution of the cloud: infrastructure has become far more elastic and scalable than ever before, and the use of cloud services and providers (which have themselves become more elastic and complex) has increased.

The problem is that this has evolved access from something that used to be simple to a process that is far more complicated. That’s because each Cloud or SaaS service has its own IAM language and structure, and traditional IAM solutions weren’t built for that new reality.

For example, in the past we simply used the EC2 service with an IAM user in AWS. Now there are multitudes of services inside the cloud – SNS, RDS, SQS, and more – along with SCPs, permissions boundaries, permission sets, and roles. AWS alone runs 200 services. On top of that, companies must tackle other clouds and other engineering SaaS applications (e.g., Snowflake, MongoDB, GitHub, GitLab, Kubernetes, and more). As a result, the landscape of permissioning, access management, and authorization is a whole lot wider than it used to be.

Moreover, it’s also deeper and more granular, with multiple levels of permissions. For example, it’s not just admin and read-only but all the RBAC options, including group, scope, and assignment. Determining the appropriate level of access can be a manual, frustrating challenge given the specificity of the options and how they interact with each other. This is difficult to remember and nearly impossible to maintain.

How to Solve: With Axiom, managing permissions is far simpler. Axiom gives end users the ability to self-serve: they simply go to Slack, the CLI, or the portal and select the required permissions, or craft their own by selecting the needed resources and actions. They then fill in the duration and the justification, and once the request is approved (fully or semi-automatically, based on the request attributes), Axiom handles the provisioning. We’ll create and assign the relevant permissions to the user and automatically prune them when they are no longer needed. No need to vex yourself or your users by thinking through all the options or remembering to prune – Axiom makes it easy.
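The request flow described above, as an added illustration rather than Axiom’s implementation: each grant carries a justification and an expiry, requests are routed to automatic or manual approval by their attributes, and a prune step revokes whatever has lapsed so nothing becomes standing access. The duration cap, the read-only action prefixes, the team-to-resource mapping, the approver group and the fixed clock are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Assumed policy knobs (not Axiom's): a cap on grant lifetime, and one auto-approval template:
# read-only actions on the requester's own team data need no human approver.
MAX_DURATION = timedelta(hours=8)
READ_ONLY_PREFIXES = ("s3:Get", "s3:List")
TEAM_RESOURCE = {"alice": "arn:aws:s3:::analytics/*"}   # constructed mapping
APPROVERS = ["sec-oncall"]                               # constructed approver group
HOUR = timedelta(hours=1)
NOW = datetime(2024, 1, 1, 9, tzinfo=timezone.utc)       # fixed clock for the sample run


def route(identity, action, resource):
    """Decide by request attributes: ('auto', []) or ('manual', approvers)."""
    read_only = action.startswith(READ_ONLY_PREFIXES)
    own_data = fnmatchcase(resource, TEAM_RESOURCE.get(identity, ""))
    return ("auto", []) if read_only and own_data else ("manual", list(APPROVERS))


class GrantLedger:
    """Time-bound grants: every entry carries an expiry, and prune() revokes what has lapsed."""

    def __init__(self):
        self.grants = []

    def grant(self, identity, action, resource, duration, justification, now):
        """Record an approved grant; reject requests with no justification or an over-long duration."""
        if not justification.strip():
            raise ValueError("justification is required")
        if duration > MAX_DURATION:
            raise ValueError(f"duration exceeds cap of {MAX_DURATION}")
        entry = {"identity": identity, "action": action, "resource": resource,
                 "justification": justification, "expires": now + duration}
        self.grants.append(entry)
        return entry

    def active(self, now):
        """Entitlements still in force at 'now'."""
        return [g for g in self.grants if g["expires"] > now]

    def prune(self, now):
        """Revoke expired grants and return them so the caller can deprovision each one."""
        expired = [g for g in self.grants if g["expires"] <= now]
        self.grants = [g for g in self.grants if g["expires"] > now]
        return expired
```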

If you’d like to experience the power of Axiom and see exactly how we make work easier and more strategic for your Security and IT teams, please request a demo.
