
How to tame the identity sprawl

Organisations should find a comprehensive way to gain full visibility into their digital identities and leverage automation to tame the identity sprawl

This article can also be found in the Premium Editorial Download: CW Asia-Pacific: CW APAC: Buyer’s guide to IAM

The growing pace of digitisation has driven more organisations to add more applications and services to their IT footprint, each with its own identity system that has left employees struggling to manage their user accounts.

Coupled with new devices and robotic process automation (RPA) bots being added to the network over time, and the growing number of customers, partners and contractors, it does not take long before an organisation starts facing what is known as identity sprawl.

According to a study by SailPoint, an identity and access management (IAM) software provider, about 43% of identities in an organisation today belong to machines, 31% to customers, 16% to employees, 6% to contractors and 4% to partners.

“That mix of identities creates complexity in managing identities and their relationships to applications and resources in the IT environment, which has not just grown exponentially, but also become a lot more complex,” said Chern-Yue Boey, SailPoint’s senior vice-president for Asia-Pacific.

Boey said the problem will only get worse with an expected 40% increase in the number of digital identities in the coming years, making it more challenging for organisations to provide identities for people and machines in a timely manner.

“If you talk to some people who join a new company, they’ll tell you it takes three weeks before they can get their laptops and three weeks before they get access to systems,” Boey said. “In those three weeks, you are paying people but they’re not able to be productive.”

But what’s more critical, Boey said, is the increased exposure to cyber attacks and data breaches if digital identities are compromised, citing SailPoint’s study which found that 84% of organisations had suffered from an identity-related breach in the past year.

“That is worrying because if you look at the maturity of enterprises in identity management and handling identity sprawl, we are behind, especially in Asia-Pacific,” he added.

Managing identity sprawl

There is no single way to manage identity sprawl, with organisations typically employing a combination of identity consolidation, privilege access management, identity orchestration and IAM centralisation.

Boey called for organisations to avoid taking a piecemeal approach to their identity management strategy and assuming that their digital identities are secure after deploying a single solution to meet audit requirements, for example.

“Just because you’ve passed the audit doesn’t make you more secure,” Boey said. “Many companies are also thinking too narrowly, focusing on a subset of identity management rather than taking a comprehensive view.”

In addition, Boey said some organisations might already have a legacy identity management system but have decided to deploy it only for their most important applications due to its manual nature, adding: “And we all know that it is the weakest link that will take an organisation down.”

Instead, organisations should deploy a modern identity management platform that provides full visibility of digital identities, including those that are used to access cloud services, along with automation capabilities that will allow them to embed the right identity context into their IT environment, Boey said.

For example, when an employee takes up a different role within an organisation, the person’s access to systems might change accordingly. Without automation, it will be difficult for an organisation to track these changes, Boey said.

“With a modern identity platform, these things become AI-driven, so when that change happens, it would tell you that this is an anomaly and whether you should be approving access to a particular system,” he added.

SailPoint is not the only IAM supplier that is helping organisations tackle the challenge of identity sprawl. ForgeRock, which counts the likes of HSBC and Standard Chartered Bank as clients, also offers an extensible platform to help organisations consolidate their identity management systems.

Okta, another IAM supplier, has recently launched its Identity Governance offering in Asia-Pacific. By unifying IAM with identity governance and administration, it is expected to help organisations improve their security and compliance posture, mitigate security risks and improve IT efficiency.

“The need to effectively defend against cyber threats escalating by the day cannot be overstated,” said Ben Goodman, senior vice-president and general manager of Okta Asia-Pacific and Japan.

“Identity governance and administration tools are a critical component of security ecosystems. But they are typically siloed and do not meet the demands of a cloud-first world. Okta Identity Governance is our move towards overcoming this limitation,” he said.
