3 Practical Changes to Refine Access Controls Without Being Overly Restrictive

Over-provisioning access is a major security concern. It can lead to breaches that significantly impact critical business infrastructure and incur costly consequences. And it happens far more often than you may realize. Within the past 18 months, 84% of organizations faced a privileged access-related breach. Overall, 75% of security incidents can be traced back to human error impacting access privileges and identity (mis)management. 

If over-provisioning is such a serious security concern, why does it still happen? Because, many times, companies are afraid of going too far in the other direction — being overly restrictive to the point of limiting innovation and efficiency. 

For modern organizations, it doesn’t have to be one or the other. Practical controls combined with cultural changes can reduce user access-related risks without disrupting business operations. 

How did we get here?

Over-provisioning happens for a variety of reasons and is not always intentional. It’s also often a gradual process — over time, more and more permissions are granted to different users throughout an organization before reaching a critical point where wresting back control feels unmanageable. Consider these scenarios:

• Moving Quickly: Modern organizations need to move at the speed of innovation. They also experience periods of rapid scaling. Because leaders fear slowing business operations, security teams may face pressure to automatically grant users access to company assets without implementing fine-grained controls — like limiting “birthright” access when new employees come abroad or limiting the amount of time someone has access to certain sensitive assets. 

• Infrequent Checks: For many organizations, access management is not monitored continuously. It’s only audited quarterly, bi-annually, or yearly with point-in-time checks. For that reason, over-provisioned users may not be identified for a long time. In the interim, security teams simply forget that someone was granted access to certain assets. They only notice the issue during infrequent audits.   

• Procedural Deviations: Security-minded organizations often have official procedures in place to determine who should grant access to company assets. But with the proliferation of SaaS tools and the opportunity for many users to acquire admin privileges, permission granting can often go a bit rogue (just think about how easily someone can share access to a Google Doc, for example). This can easily spiral out of control as more people grant access outside of official channels. 

Solve the problem — without disrupting business operations

To mitigate these issues, security and IT teams might be tempted to just lock everything down. But that requires significant (and time-consuming) cultural and procedural changes and can stifle business operations and collaboration. 

Instead, pursue simple steps to refine — not restrict — access and help your company remain secure without disrupting workflows or requiring fundamental organizational shifts. 

1. Limit birthright access

“Birthright access” refers to automatically providing access rights to users based on their role or position within an organization. This strategy doesn’t take any principles of least privilege into consideration to evaluate the necessity of access — for example, asking why the person needs access to a certain asset in order to execute their job duties or for what period of time. This is a major cause of over-provisioning and increases the potential for accidental or intentional misuse of sensitive information or breaches via cyber attacks.

Organizations should begin to refine access controls by limiting birthright access. Start by limiting birthright access on systems with sensitive data or for privileges to critical production systems. For those, only grant access to users who specifically request it — when it’s actually required to complete a function of their job duties.

2. Implement just-in-time access and time-bound access

When access is granted, make sure it’s time-bound. Just-in-time access is a security strategy that grants users or systems the permissions they need only at the moment they need them and for a limited duration. This approach ensures that elevated permissions are temporary, reducing the window of opportunity for potential misuse or attacks.

Once the task is completed or the specified time expires, the elevated permissions are automatically revoked, minimizing the risk of unauthorized access and privilege escalation. If a user needs access again, they simply request it again and the request gets re-reviewed and re-granted. This is a necessary procedure for any organization that wants to reduce permission-related risk. Without time-bound stipulations, you may just run into the same security issues every 60 or 90 days as permissions pile up repeatedly — unless you move to a more proactive and continuous approach. 

3. Continuously and proactively evaluate usage

Most decisions regarding access are made by security teams asking managers if an employee is on a certain team and therefore, should have access to a group of assets or materials. But, managers tend to assume that people need more access than they really do. In fact, Gartner recently found that more than 95% of infrastructure as a service (IaaS) accounts use less than 3% of the entitlements they are granted. 

Instead of providing access based on team assignment, security teams should make access decisions by proactively reviewing usage. Look at logs from the past 30 or 60 days and determine which users actually use the assets and systems to which they have access. Those who don’t use them, or don’t use them frequently enough, likely don’t need always-on permissions. Revoke that access or convert it to time-bound access. If something breaks or someone does eventually require more access, investigate first. If it makes sense for them to have more access, go ahead and grant it. The nuisance of a request to re-grant access is significantly less painful than the risks incurred by the alternative. 

Refine, don’t restrict, with Opal

These refinements are meant to be practical. They allow you to significantly reduce your risk profile without major organizational changes or investments. The right technology can make these refinements even easier to execute. 

Opal’s identity security platform includes capabilities to seamlessly integrate a least privilege security model into your organization’s environments — without becoming overly restrictive or clunky for users trying to access assets to perform their day-to-day duties.  

Opal’s platform makes it easy to automatically and continuously monitor usage patterns and associated risks. Prioritized recommendations highlight those vulnerabilities across your organization based on the risk they pose to your organization’s overall security and ability to conduct operations. Plus, Opal allows you to immediately remediate access issues (which could turn into security issues) from within the platform, significantly reducing technological and operational challenges that plague organizations with overburdened IT and security teams — and long access request queues. 

With Opal, organizations can also seamlessly implement and automate security guardrails, like just-in-time access controls that automatically revoke access based on a time period or after the completion of a support ticket.

It’s practical technology to help you refine — not restrict — access across your organization. 

‍

‍Click to request a custom demo of Opal’s Least Privilege Posture Management capability in action. See how it can simplify least privilege for your organization.