IT teams rely on identity providers like Okta, Azure AD, Ping, Duo, and others to manage who has access to which apps across thousands of users, and to make it easy for users to log into all their apps without having to remember dozens of separate login credentials. However, while many IT teams think of identity providers as the source of truth for who has access to what, it’s very likely that your organization has users or even whole apps that are not governed through your identity provider.
What is ungoverned access?
Many times app admins or business managers bypass the identity provider and grant access to apps and data directly within an app or a database. Sometimes managers purchase productivity apps for their teams outside of centralized procurement processes and don’t connect those apps to the identity provider. The result is ungoverned access.
Why is ungoverned access a problem?
- Increased risk – Ungoverned access can linger for years after users move on to new roles or leave the company which increases the potential attack surface.
- Weakened response to threats – when compromised users are discovered and their SSO credentials get deactivated, all ungoverned log-in credentials still remain available to attackers and may take weeks or months to uncover.
- Compliance violations – ungoverned access to sensitive information violates internal control requirements for SOX, SOC, SOC2, ISO and other standards.
- Wasted subscription spend – when users change roles, leave the company, or no longer need a particular app, ungoverned access results in unused licenses that usually never get reclaimed.
How to clean up and prevent ungoverned access?
You need an access control platform that allows you to quickly query for ungoverned access – i.e. app credentials that don’t have a corresponding assignment in your identity provider – as well as get alerts when any new ungoverned access is granted. If you’re not using an access control platform, you have to analyze your app access periodically as follows:
- Identify your most critical apps – the ones that would be most damaging if breached
- Export each app’s user list into a spreadsheet
- Export the list of all users who have access to that app in your identity provider
- Compare the two lists. All credentials that appear in the list that came from the apps and do not appear in the list that came from the identity provider are ungoverned.
Download our ebook to learn how you can make your apps and data more secure and check out our short demos to see how Veza can help you review and rightsize permissions across your organization and visualize and control who can do what with your data.
About Veza
Veza is the Access Control Platform that enables identity governance. The platform helps companies to monitor privilege, investigate identity threats, automate access reviews, and bring access governance to enterprise resources like SaaS apps, data systems, cloud services, infrastructure services, and custom apps.
