Best Practices for Perfecting Dynamic (Yet Secure) Access Grants

Last week, we shared some advice for better managing identity lifecycle processes with some key steps for optimizing full-circle identity processes. In this post, we’ll dig into common challenges surrounding access grants. No matter how mature your access management practices are, IT and security teams are constantly confronted with questions like “Who should get access to what?” as well as “How do we enable self-service for end users, reduce dependence on IT, and securely grant access as we grow?” If you don’t yet have an effective strategy to answer these questions and manage the related tasks, your organization’s resources are at a greater security risk.

Access grants are becoming increasingly difficult to keep up with during the COVID-19 pandemic, since remote work environments require you to provide employees with access to more and more different resources that are better-suited to digital collaboration. Most companies have to juggle access considerations spanning:

• People need a variety of resources (e.g., applications, entitlements, roles, groups)
• Many stakeholders are involved in granting access (e.g., IT, business app owners, people managers, etc.)
• IT has to make frequent exceptions to meet individual needs
• Your decisions must take many confusing frameworks and models into account (e.g., attribute-based or role-based access control, hierarchies, delegation, etc.)

Here’s a look at the most common LCM maturity levels we notice when it comes to how organizations get a handle on those access requirements:

Stage 1: Manual Processes

If you’re constantly putting out fires related to access grants, your organization is probably in stage one of LCM maturity. These teams struggle with poorly defined business roles that are rarely updated or followed, leading to incorrect or delayed access for new employees. Instead, you find yourself scrambling to create ad hoc roles and groups, which in turn create a mess of objects whose purpose gets forgotten over time. After day one, if users request additional resources that you can’t adequately provide, they tend to procure apps or tools on their own—perpetuating shadow IT.

In the early days of rolling out Okta Lifecycle Management (LCM), we encourage our customers to start with these crucial steps to start taking control of their access grants:

1. Create a map of your IT-owned apps and resources vs. those owned by line-of-business (LOB) groups, identifying each app the business uses, its corresponding app owner(s), and the primary mechanism for granting coarse-grained access to these apps (e.g., attributes or AD groups)
2. If applicable, identify mechanisms and attributes for granting fine-grained access, such as elevated admin privileges or other role privileges (e.g., contributor or editor rights) 
3. Review all groups in IT owned-sources (e.g., AD) to determine which are widely used, and clean up any unused access control roles or groups

Stage 2: Basic Automation

Once IT has a better picture of your full access grant landscape, you can start working with other departments to define (or redefine) their core business role definitions. You’ll then want to map these to the technical roles or groups that control people’s access to apps and entitlements, and implement clear naming conventions. This makes it easier to assign access for birthright applications, and enables your users to request additional access by filing tickets with IT. As a result, you’ll see much less (but still some) shadow IT, improving the organization’s security posture.

Here are our recommendations for laying a solid access grant foundation at stage two:

1. Establish your organization’s role definitions in collaboration with key LOB app owners
2. Map these business roles to your IT access control groups (e.g., AD groups)
3. Use AD/LDAP groups to assign birthright access to your IT-owned apps, including:
   • Coarse-grained access (assignment to the app itself)
   • Fine-grained access (assignment to specific entitlements within the app)

Stage 3: Leading Automation

In the next stage, companies replace manually managed groups with dynamic ones for faster and more accurate access grants—resulting in substantial productivity improvements. With this capability in place, your IT leaders can empower LOB stakeholders and app owners to assign their own fine-grained user or app level entitlements, and enable end-users to get appropriate apps without IT intervention.  

At stage three, IT teams should embrace the following best practices:

1. Replace manually managed groups with automatically managed ones to streamline birthright access assignments
   • If you haven’t already, this is a great time to set up Okta’s group rules with data from your IT sources of truth (like AD and LDAP), so you can automatically put users into or take them out of groups based on attribute changes 
2. Base access grants on HR data (personal contact information or job-specific data, such as titles, departments, and managers) and IT data (user ID, email address, entitlement groups) as much as possible, using legacy AD groups (e.g., “enterprise sales”) only when necessary
3. Coordinate more closely with LOB app owners to help them set fine-grained entitlements for function-specific systems like CRM or marketing automation
   • Route access requests directly to LOB owners via automated ticket creation and alerts that include identity data, and delegate simple resource assignment decisions to application owners
4. Implement self-service for end users to scale high volume, low risk access requests

Stage 4: Visionary Automation

IT teams with a visionary approach to granting access use even smarter techniques that improve their company’s security posture. You can do this by feeding additional factors into access decisions and systematically pruning and purging not just orphaned accounts, but all your roles, entitlements, and groups.  

Next steps for teams aiming to reach this top level of access management include:

1. Devise a continuous authorization strategy to support zero trust
2. Implement time-bound, contextual access parameters for resources (e.g., looking at security risk, cost, usage, projects, etc.), and configure periodic reauthorizations to maintain clean access policies
3. Regularly review all access control groups and entitlements, taking a proactive approach by setting up automatic alerts for unused resources
4. Delegate more complex resource assignment decisions to application owners, and kickstart the process by creating baseline accounts and passing identity attributes, roles, and groups data to LOB app owners via IT tickets, automated emails, Slack messages, or shared spreadsheets

As smart teams progress through the various stages of identity lifecycle management maturity, they’ll enjoy dramatic benefits by more efficiently and effectively orchestrating their identity data, lifecycle processes, and the access grant workflows we discussed above. Stay tuned for our final post of this series, in which we’ll explore various ways identity automation can accelerate critical tasks surrounding audits and compliance. In the meantime, feel free to check out our step-by-step guide to review our suggestions around the four common stages of lifecycle management maturity.