In traditional IT systems, security was a lot simpler and was treated as part of the workflows and ticketing systems used to process security access requests. With the growing adoption of cloud and distributed environments, access control challenges have become more complex. Organizations face a dual challenge: they need to streamline their security operations to keep up with the growing volume of user access requests to company resources, while also ensuring that no malicious access requests, whether from insider threats or compromised privileges, are gaming the system. IT admins have often worked around repeated access requests by granting users elevated levels of access up front, so that neither side is bothered by repeated approvals.
Responding to the growing volume of frequent access requests, many workflow-based solutions currently on the market are either anchored on workflow-based ticketing systems such as ServiceNow or provide their own native workflow systems. Though they address access requests in a structured way, these solutions let users request access as part of their workflows, where access is granted or denied based on policy and revoked when the task is complete, which lets customers eliminate persistent privileges.
These solutions were extended further to cater to the growing need for expanding security policies, enabling the creation of workflow policies and grouping policies to provide more context behind access. For example, one policy may determine the specific entitlements an engineering team needs, while another gates critical data assets that are sensitive and must not be deleted, irrespective of the requester's elevated privileges.
While there are benefits to using workflow-based access control solutions, the key gap is the missing governance over several dynamic attributes, as shown in figure 1. For starters, the constant sprawl of user personas and activities, i.e., different personas of users needing different tiers of privileges, is growing at the same rate as infrastructure proliferation. Traditional Role-Based Access Control (RBAC), which provides effectively perpetual access based on user roles, is archaic and dangerous. Modern users play different roles in different environments and hence need dynamic privileges. A developer, Joe, who holds a certain scale of privileges to the resources he manages, may need elevated privilege for a particular application for a certain period; this may be one-time access or recurring. Applied across the organization, this situation produces a massive volume of user access requests from distributed teams bombarding the security admins for approval, which is a chaotic challenge to handle.
Privileges are the new attack surface for organizations: they are dynamic, and user entitlements change as context changes. If such a volume of requests is processed through workflow-based solutions that rely on rules and policy-based gating, there is potential for malicious access requests to get through the system undetected.
Some of the current solutions on the market describe how they automate access controls through the creation of group policies or other mechanisms, so that specific access requests which fit the criteria can be handled through automation. Such policies, built on an RBAC foundation, risk provisioning more privileges than a developer actually needs. On closer look, there may be a need for granular controls that avoid blanket trust in group policies. Furthermore, there may also arise a need to validate the context behind each access, which is, unfortunately, beyond the realm of workflow-based solutions.
Without context on why such policies exist, these groups tend to be cloned for other parts of the organization, consequently creating group policy sprawl. Many organizations end up with more grouped policies than users in their inventory, and such policies eventually become unmanageable for security teams. Coupling such groups and policies with ticketing workflow systems addresses productivity concerns but glosses over the critical measure of context behind access: who accesses what, when, and why?
Manual or automated approvals don’t address the critical context-based gating and mere validation of policy groupings or rules doesn’t serve the true requirements of access governance.
Automation of any kind only risks exacerbating the approval of wrong access, thereby creating vulnerable backdoors within the organization.