The new Group Optimization feature in Opal's Identity Security platform helps customers identify and remediate the identity risk inherent in group-based access.
Access and authorization are often managed through groups, with role- or attribute-based factors determining which people are in which groups, and which resources those groups have access to. However, over time, individual roles can change, as can group responsibilities. Groups can also be blunt instruments - for example, a group for a development team could include individuals such as doc writers, testers, etc. that do not need the same resources as coders. In all of these cases, the result can be significantly over-provisioned access - either by including users in a group who neither need nor use certain resources, or by providing the entire group with access to resources or permissions they do not need or use. This type of access sprawl was noted by Gartner, who found that more than 95% of accounts in IaaS use, on average, less than 3% of the entitlements they are granted.
Group Optimization is a new feature enhancing Opal’s recently launched Least Privilege Posture Management capability. It enables customers to identify groups that are over-provisioned, prioritize that access risk against other findings so teams can focus, and remediate the issue quickly.
The feature covers two forms of over-provisioned group access or authorization:
In both cases, this is an indication of over-provisioning - either of users to the group, or of the group to certain resources.
These findings are prioritized against the other identity risk issues Opal’s platform identifies, using multiple risk factors. For example, a group with unused access to a sensitive resource would be a higher priority than a group with unused access to a resource not deemed sensitive. This enables teams to focus their remediation efforts on fixing the issues that will have the greatest impact on risk reduction.
For each group risk identified, Opal enables fast remediation. In just a couple of clicks, IAM or security teams can remove users from groups they are not using, remove resources that a group is not using, or convert the access to Just-In-Time (JIT) with an expiration date.
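The analysis described above can be reproduced outside any product with three inputs: group membership, group-to-resource entitlements, and an access log. The following is an added example, not Opal's code, that flags the two forms of over-provisioning from constructed sample data, ranks the findings so that unused access to a sensitive resource comes first, and attaches the remediation options the text lists. The group, user and resource names, the `sensitive` set and the log format are all assumptions made up for the example.

```python
"""Added example (not Opal's code): find over-provisioned group access from
constructed membership, entitlement and usage data, and rank the findings."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: which users are in which groups, and what each group grants.
GROUP_MEMBERS = {
    "dev-team": {"alice", "bob", "carol", "dave"},
    "analytics": {"erin", "frank"},
}
GROUP_RESOURCES = {
    "dev-team": {"prod-db", "ci-pipeline", "source-repo"},
    "analytics": {"warehouse", "prod-db"},
}
# Resources the organisation classifies as sensitive (constructed).
SENSITIVE = {"prod-db", "warehouse"}
# Constructed access log: (user, resource) pairs observed during the review window.
USAGE_LOG = [
    ("alice", "prod-db"), ("alice", "source-repo"), ("bob", "source-repo"),
    ("bob", "ci-pipeline"), ("carol", "source-repo"), ("erin", "warehouse"),
    ("frank", "warehouse"),
]


@dataclass(frozen=True)
class Finding:
    kind: str          # "unused_membership" or "unused_entitlement"
    group: str
    subject: str       # the user (membership) or the resource (entitlement)
    sensitive: bool    # whether a sensitive resource is involved
    remediation: tuple # options a reviewer can choose between


def build_usage_index(usage_log):
    """Map each user to the set of resources they actually used."""
    used = defaultdict(set)
    for user, resource in usage_log:
        used[user].add(resource)
    return used


def find_unused_memberships(members, resources, used, sensitive):
    """Form 1: a user who used none of the resources their group grants."""
    findings = []
    for group, users in members.items():
        granted = resources.get(group, set())
        for user in sorted(users):
            if not (used.get(user, set()) & granted):
                findings.append(Finding(
                    "unused_membership", group, user, bool(granted & sensitive),
                    ("remove user from group", "convert membership to JIT with expiry")))
    return findings


def find_unused_entitlements(members, resources, used, sensitive):
    """Form 2: a resource granted to a group that no member of the group used.
    Usage is counted whichever entitlement path granted it, so this errs on the
    side of under-reporting rather than flagging access that is in fact used."""
    findings = []
    for group, granted in resources.items():
        users = members.get(group, set())
        for resource in sorted(granted):
            if not any(resource in used.get(u, set()) for u in users):
                findings.append(Finding(
                    "unused_entitlement", group, resource, resource in sensitive,
                    ("remove resource from group", "convert group access to JIT with expiry")))
    return findings


def prioritize(findings):
    """Sensitive resources first; then whole-group entitlements ahead of single
    memberships, since they expose every member; then a stable name order."""
    return sorted(findings, key=lambda f: (
        not f.sensitive, f.kind != "unused_entitlement", f.group, f.subject))


def analyze(members=GROUP_MEMBERS, resources=GROUP_RESOURCES,
            usage_log=USAGE_LOG, sensitive=SENSITIVE):
    used = build_usage_index(usage_log)
    return prioritize(
        find_unused_memberships(members, resources, used, sensitive)
        + find_unused_entitlements(members, resources, used, sensitive))


if __name__ == "__main__":
    for f in analyze():
        tag = "SENSITIVE" if f.sensitive else "normal"
        print(f"[{tag}] {f.kind}: group={f.group} subject={f.subject} "
              f"options={' | '.join(f.remediation)}")
```

On the sample data this reports two findings: the `analytics` group is granted `prod-db` but no member touched it (an unused entitlement to a sensitive resource, ranked first), and `dave` sits in `dev-team` without using any of its resources. The review window and the "used by any member" rule are the two knobs that decide how aggressive the findings are; a short window inflates them, and counting usage regardless of entitlement path deflates them.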
The Group Optimization feature is available in beta for all Opal Security customers. Interested customers can contact their Technical Account Manager to enable this feature.
Opal Security is redefining identity security for modern enterprises. The unified platform aggregates identity and access data to provide customers with visibility and rapid control to protect mission-critical systems while accommodating the complexity and agility businesses require for growth. IT and security teams can discover anomalous identity risks and remediate them in minutes. Many global leaders, including Databricks, Figma and Scale AI, trust Opal Security to enable them to govern and adapt sensitive access quickly and securely.