8 Critical Identity Risk Factors – And How to Manage Them

Applications and other business resources today are as likely to be in the cloud as on-premises, and users are eager to access them from anywhere there’s an Internet connection. That makes it easier to work productively, but tougher to manage risk. Being familiar with critical identity risk factors and how to address them is vital to delivering secure access while improving audit performance and meeting compliance requirements.

8 Critical Identity Risk Factors

1.      Orphaned accounts create the potential for inappropriate access because they’re not tied to existing identities—such as an account that wasn’t removed when someone left the organization.

2.     Shared and service accounts may be problematic if an identity that’s tied to a shared account leaves or moves out of a role, but the user is still able to access the account.

3.     Unauthorized changes refer to “back door” grants of access that go around the usual approval processes.

4.     Movement of identities can be an issue when a user changes roles but the previous role’s entitlements aren’t removed in the process.

5.     Unreviewed items refer to access that is not reviewed and therefore introduces the risk of inappropriate access.

6.     Toxic combinations such as Segregation of Duties (SoD) violations and policy violations occur when users have inappropriate access to critical applications and assets, such as when a user who is authorized to create purchase orders is also authorized to issue vendor payments.

7.     Access outliers refer to users with out-of-role access. (This may be acceptable to a degree in organizations that use roles.)

8.     Overprovisioned access describes access that’s granted to a user beyond what he or she actually needs to do the job.

How to Manage Critical Identity Risks

Once you’re familiar with the critical risk factors, you can address them with a multi-pronged strategy to mitigate identity risk.

Managing risk successfully starts with a strong identity governance and administration program. Only with consolidated visibility across all your applications and users can you surface the information needed to manage access and identify when it’s unauthorized or in some other way inappropriate. Incorporating business processes, rules and risk-based information helps define what level of risk for entitlements and activities is acceptable, and what is not. And only with strong identity governance can you achieve that level of visibility.

In addition, automating the processes associated with delivering access, removing access when needed and, ultimately, auditing access privileges and activity is essential. Automation enables you to keep up with the rapid pace at which the access environment is likely to change. As a bonus, building in policy automation helps eliminate those more error-prone manual efforts.

Access assurance—or the ability to know with certainty that users are accessing resources appropriately—helps protect against the unavoidable risk that come with working in a boundaryless world. And having that protection in place helps to free your organization to pursue business opportunity unfettered by that risk.

Download RSA’s eBook “Addressing Identity Risk Factors” to learn more about addressing risk and achieving access assurance.