Do your employees have different usernames and passwords for their computers, file sharing apps, and Zoom accounts? If the answer is yes, your organization is suffering from identity proliferation.
Identity sprawl occurs when users have many accounts and identities managed by multiple systems that are out of sync.
Unfortunately, identity proliferation puts organizations at high risk of identity-based attacks. A 2022 survey from the Identity Defined Security Alliance found that 84% of respondents had experienced an identity breach in the past year.
Additionally, Verizon’s “2022 Data Breach Investigations Report” found that 61% of all breaches involved exploited credentials – a troubling statistic given the prevalence of identity sprawl today.
Why is identity sprawl a challenge?
Identity proliferation is not a new problem, but it has grown considerably since the adoption of remote and hybrid work models. A 2021 survey from Dimensional Research found that 84% of respondents had more than twice as many user identities as 10 years ago, with 51% saying they use more than 25 different systems for identity management.
When organizations relied solely on workstations protected by traditional perimeter defenses, network administrators typically used Active Directory (AD) to manage passwords and usernames.
As the perimeter dissolved with employees working remotely and more online services such as Skype, Dropbox, Zoom, Slack and Salesforce were introduced, organizations suddenly had employees using multiple usernames and passwords. And, as the number of identities per employee grew, so did the number of systems managing them. Administrators struggled to synchronize or integrate new systems with existing central directory services. As a result, many organizations found themselves with a vicious and growing cycle of user identities and identity management tools and had no central source to hold accurate and complete user profiles and privileges.
Cloud-based apps and services have exacerbated the problem. Common in hybrid and remote working models, these apps and services not only require users to have separate identities, but typically also bring their own user provisioning processes and systems for managing those identities.
A hodgepodge of management systems slows user provisioning and leads to phantom accounts, inconsistencies in user privileges, and difficulty enforcing security and compliance policies. Users managing multiple accounts can also succumb to password fatigue, leading them to reuse the same passwords across different apps and services.
How to deal with identity proliferation
A unified approach to identity management is needed to reduce identity proliferation and shut down potential avenues of attack. However, organizations often struggle to manage identities due to the varying requirements of different departments and the limitations of identity management products. Rarely does an organization approach the four disciplines of access management holistically:
- AD management and security
- privileged access management (PAM)
- identity governance
- identity and access management (IAM)
Unfortunately, no IAM platform, whether on-premises or as-a-service, and no directory can completely solve identity proliferation or unify all disparate identity systems. Organizations therefore typically end up deploying several systems.
A few options to consider are identity consolidation, some PAM platforms, identity orchestration, and IAM centralization.
Identity consolidation – the discarding and replacement of legacy identity management systems – might seem like an obvious way forward. However, this should only be done after careful consideration of the purpose behind the initial deployment of the system. Was it deployed because it offered multi-factor authentication or highly resilient directory services? Removing these features could be an expensive rollback, as these features will need to be replaced by another tool or may require costly redesign of unsupported apps and services.
Another solution is to use a PAM platform with multi-directory brokerage capabilities. This allows organizations to authenticate users against any identity repository, such as AD, Okta, Ping, or Identity as a Service.
An alternative approach is identity orchestration. This adds a layer of abstraction that applications can use to integrate with different enterprise identity systems without having to modify application code. Identity orchestration replicates identities and policies across identity systems by retrieving identity data from various identity stores and routing connection requests to the appropriate identity provider.
Identity orchestration aims to unify the APIs, data models, and access policies of incompatible identity systems into a cohesive identity fabric. Orchestration requires time and resources, but it reduces administrative overhead and simplifies the application of consistent access policies and privileges across an organization’s IT ecosystem.
The best long-term approach to tackling identity proliferation is to create a single source of truth by centralizing the identities of all users, devices, and applications. PAM and IAM teams should create a global profile for each identity, correlating and cross-referencing the attributes and privileges held in each identity data source, and ensuring that privileges match roles. This is a big challenge because the data comes in different formats and schemas. An even greater challenge, however, is replicating or synchronizing this central profile back out to each identity silo.
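The correlation step described above, and the phantom accounts and privilege inconsistencies mentioned earlier, can be made concrete with a small script. The following is an added example, not code from the original article or from any identity product: it takes constructed sample records from three silos with deliberately different schemas (an AD-style export keyed on employeeID, a file-sharing app keyed on email, and a meeting app keyed on login name), joins them into a global profile per employee, and reports accounts that have no owner in the authoritative directory, accounts that remain active for a disabled user, and app privileges that exceed what the user's role allows. The role-to-privilege policy table and all sample data are assumptions made for the example.

```python
"""Correlate identity records from several silos into global profiles,
then flag phantom accounts, active accounts of disabled users, and
privilege drift. All records and the policy table below are constructed
sample data for this example, not taken from any real system."""
from dataclasses import dataclass, field

# Constructed policy: which app privilege levels each role may hold.
ROLE_POLICY = {
    "engineer": {"user"},
    "it-admin": {"user", "admin"},
    "finance": {"user"},
}

# Authoritative source (AD-style export, constructed).
AD_USERS = [
    {"sAMAccountName": "jdoe", "mail": "J.Doe@Example.com", "employeeID": "E100", "title": "engineer", "enabled": True},
    {"sAMAccountName": "asmith", "mail": "a.smith@example.com", "employeeID": "E101", "title": "it-admin", "enabled": True},
    {"sAMAccountName": "bolds", "mail": "b.olds@example.com", "employeeID": "E102", "title": "finance", "enabled": False},
]
# File-sharing app: email-keyed, role as a string (constructed).
SAAS_ACCOUNTS = [
    {"user_email": "j.doe@example.com", "role": "admin", "app": "fileshare"},
    {"user_email": "a.smith@example.com", "role": "admin", "app": "fileshare"},
    {"user_email": "b.olds@example.com", "role": "user", "app": "fileshare"},
    {"user_email": "ghost@example.com", "role": "user", "app": "fileshare"},
]
# Meeting app: login-keyed, boolean admin flag (constructed).
MEETING_ACCOUNTS = [
    {"login": "jdoe", "is_admin": False},
    {"login": "contractor7", "is_admin": True},
]


def normalize_email(addr):
    """Case and whitespace differ between silos; normalize before joining."""
    return addr.strip().lower()


@dataclass
class GlobalProfile:
    employee_id: str
    email: str
    role: str
    enabled: bool
    accounts: dict = field(default_factory=dict)  # app name -> privilege level


def build_profiles():
    """Join the silos onto the AD record by normalized email or login name.
    Returns (profiles keyed on employeeID, list of (app, identifier) phantoms)."""
    by_email, by_login, profiles = {}, {}, {}
    for u in AD_USERS:
        p = GlobalProfile(u["employeeID"], normalize_email(u["mail"]), u["title"], u["enabled"])
        profiles[p.employee_id] = p
        by_email[p.email] = p
        by_login[u["sAMAccountName"]] = p
    phantoms = []
    for a in SAAS_ACCOUNTS:
        p = by_email.get(normalize_email(a["user_email"]))
        if p is None:
            phantoms.append((a["app"], a["user_email"]))  # no owner in the directory
        else:
            p.accounts[a["app"]] = a["role"]
    for a in MEETING_ACCOUNTS:
        p = by_login.get(a["login"])
        if p is None:
            phantoms.append(("meetings", a["login"]))
        else:
            p.accounts["meetings"] = "admin" if a["is_admin"] else "user"
    return profiles, phantoms


def find_findings(profiles, phantoms):
    """Produce sorted (kind, app, identifier) tuples for review."""
    findings = [("phantom", app, ident) for app, ident in phantoms]
    for p in profiles.values():
        for app, priv in p.accounts.items():
            if not p.enabled:
                findings.append(("disabled-but-active", app, p.employee_id))
            elif priv not in ROLE_POLICY.get(p.role, set()):
                findings.append(("privilege-drift", app, p.employee_id))
    return sorted(findings)


if __name__ == "__main__":
    profiles, phantoms = build_profiles()
    for kind, app, ident in find_findings(profiles, phantoms):
        print(f"{kind:20} {app:10} {ident}")
```

With the sample data, the script reports one phantom account in each app, one file-sharing account still active for a disabled user, and one engineer holding admin rights in the file-sharing app. In a real deployment the three lists would be replaced by exports from the actual silos, and the join keys chosen per source, since, as the article notes, each system carries its own schema.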
Effective identity management secures computing environments and prevents the future increase of duplicate human and machine identities – an essential step in preventing cybercriminals from using credentials to gain a foothold in a network. Identity management also helps IT integrate new technologies without causing identity proliferation in the future.