Companies rely on security tools to protect themselves from data breaches, ransomware, and other attacks. However, as cyber threats become more sophisticated especially with more and more AI-assisted attacks, modern security teams now realize that they have to treat breaches as inevitable and prepare accordingly. Organizations must ensure that when breaches happen, they are rectified quickly and allow minimal damage. The best way to do that is to have continuous control over who (and what) has access to data across the entire enterprise. With this capability, an organization can enforce the principle of least privilege and other access policies (like required MFA and segregation of duty policies). To do this comprehensively across all data is challenging, and it requires a new methodology we call Intelligent Access.
Defining Intelligent Access
Intelligent Access is a methodology of access governance where permissions to apps and data are continuously monitored and adjusted so that every human and machine identity only gets access to apps and data that they need and only when they need that access. This approach minimizes the damage of potential breaches and provides the forensics that organizations need to remediate every breach as soon as it occurs.
Key tenets of Intelligent Access
1. Governs every system
Security teams want to systematically and continuously uncover and remove all ungoverned access within their enterprise. The best way to achieve that is to put in place an access control platform that tracks and manages permissions to every application and database across an entire organization.
2. Governs all identity types
In most organizations machine identities or service accounts outnumber human identities by a factor of 45. In addition, machine identities are often privileged accounts, with unusually broad access, making them attractive targets for attackers. Intelligent Access provides a single pane of glass to manage all identities – both human and machine – in order to address risks comprehensively. .
3. Monitors true permissions
Most of today’s access governance tools (like identity providers and IGA tools) only operate on the level of users & groups and have no visibility into actual permissions and entitlements within applications and resources. At creation, a role may be labeled with a text description, but that is neither comprehensive nor guaranteed to be current, so groups and roles often under-represent the reality of access. In addition, new cloud infrastructure platforms (AWS, GCP, Azure), cloud data platforms, and even some SaaS apps use access methods that are both powerful and complicated. They each have their own systems of groups and roles, with parent-child nesting, where it’s nearly impossible to trace access all the way to a resource (e.g. table in a database). The only way to see the true reality of access is to look at permissions, wherever they’re defined in the enterprise stack.
4. Translates to standardized permissions
Most of us wouldn’t be able to tell what the “PutObjectAcl” permission allows a user or a service account to actually do. It is in fact an admin permission in AWS that entitles a user or a service account to grant to other users or service accounts the create, edit, and delete permissions to an object in an S3 bucket. Granular permissions are not at all intuitive and they are specific to every system. If your company uses the 3 most popular cloud systems – AWS, Azure and GCP, there are 21,000 unique permissions available across those 3 platforms. Intelligent Access translates these esoteric permissions into standard terms like create, read, update, and delete. This enables security teams and business users to make smart access decisions and enforce policies.
5. Automates access governance
With so many identities receiving so many permissions, security teams need a solution that automates decision-making, scaling the IAM function. Identity and security teams alike should want to monitor access 24/7 to check entitlements against policies and best practices. WIth automation, Intelligent Access should automatically find and fix dormant accounts (access unused for 30 days, etc), segregation of duties violations, and any local admin accounts that were not approved. It’s also helpful if high-risk events, like new admin accounts or new access to a sensitive resource, automatically trigger a review by the security team.
Download our ebook to learn how you can make your apps and data more secure and check out our short demos to see how Veza can help you review and rightsize permissions across your organization as well as to visualize and control who can do what with your data.
About Veza
Veza is the Access Control Platform that enables identity governance. The platform helps companies to monitor privilege, investigate identity threats, automate access reviews, and bring access governance to enterprise resources like SaaS apps, data systems, cloud services, infrastructure services, and custom apps.