Jumpstart Zero Trust and the Journey to Least-Privileged Access


Regulatory compliance drives the identity governance and administration (IGA) market. With various regulations, such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), global organizations are under increased pressure to implement IGA solutions and controls to reduce the expensive consequences of a failed audit. A few of those consequences include:

  • Damaged reputation – A global insurance provider was recently fined $10 million for failure to comply with SOX regulations designed to ensure the identity of customers.
  • Legal fees – GDPR, which applies to organizations within and outside the EU, costs the average Fortune 500 company $16 million a year to investigate and litigate compliance matters.
  • Costly fines – The U.S. Department of Health and Human Services, during an audit for HIPAA compliance, fined a Tennessee-based management company $2.3 million for a breach caused by compromised administrator credentials.

All global organizations, public and private, are audited. Whether from an external or internal auditor, organizations must demonstrate regulatory compliance and repeatable results. And, in a dynamic business environment, demonstrating both is an expensive and time-consuming endeavor.

Onramp To Least-Privileged Access and Zero Trust

Zero Trust is based on three fundamental principles.

  1. Trust Nothing/Verify Everything
  2. Control Access Based on the Principle of Least Privilege
  3. Secure All Transactions

The trust nothing/verify everything principle applies to the run-time authentication and authorization of identities. In other words, it ensures that identities are continuously analyzed and challenged based on their level of risk. The least-privileged access principle is the non-run-time aspect of Zero Trust, meaning identities, roles, and entitlements are managed through a "least-privileged" access model, an approach that grants a user the minimal privileges needed to complete a task and nothing more. While managing and enforcing least-privileged access sounds easy enough, it has inherent challenges.

Least-Privileged Enforcement Challenges

Over the past decade, global organizations have leveraged traditional IGA and role-based access control (RBAC) solutions to simplify the process of managing user identities and workforce access permissions. While RBAC has helped reduce administrative work and improve regulatory compliance, its effectiveness erodes over time due to its manual, labor-intensive approach. As a result, RBAC fails to keep up with identities at scale within today's fluid business environments, where employees frequently change jobs, roles, and even organizations. This failure results in overprovisioned access, orphaned accounts, and entitlement creep, which can lead to increased cyber risks.

It's time to leverage new technologies, such as artificial intelligence (AI) and machine learning (ML), to help modernize traditional RBAC solutions. Artificial intelligence and machine learning are the ideal foundational pillars for automating and enforcing a least-privileged access model in a Zero Trust world.

A Modern Approach To Least Privilege

So, how does ForgeRock help to achieve a least-privileged access model? It does it in three simple steps:

  • Step #1: Clean up overprovisioned access
  • Step #2: Maintain least-privilege
  • Step #3: Automate and operationalize

Understanding the challenges of traditional RBAC and the best practices to address them is a crucial component of maximizing identity governance investments. Static IGA-based solutions and processes with limited context and visibility must become more flexible, scalable, and dynamic. Traditional RBAC must modernize by augmenting manual role management with automation and intelligence. ForgeRock Autonomous Identity offers three powerful ways to modernize and achieve a least-privileged access model.

Clean Up Overprovisioned Access

ForgeRock Autonomous Identity leverages machine learning to reduce enterprise risk by discovering role-based access patterns across the entire organization and recommending optimized role structures. These specific role recommendations help ensure that users have the right level of access to the right resources—at the right time.
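As an added illustration (not ForgeRock code, and not how Autonomous Identity is implemented), the following constructed Python example shows the kind of peer-group analysis that the passages on RBAC drift and role discovery describe: it derives candidate roles from entitlements common to a department, flags entitlements that few peers hold as likely overprovisioned, and lists accounts whose owner is absent from the authoritative user set (orphans). The data set, department names, entitlement names, and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumed, not real customer data):
# user -> (department, set of entitlements currently held)
USERS = {
    "alice": ("finance", {"erp.ledger.read", "erp.ledger.post", "erp.reports"}),
    "bob":   ("finance", {"erp.ledger.read", "erp.ledger.post", "erp.reports"}),
    "carol": ("finance", {"erp.ledger.read", "erp.reports", "hr.payroll.admin"}),
    "dave":  ("finance", {"erp.ledger.read", "erp.ledger.post", "erp.reports", "prod.db.admin"}),
    "erin":  ("hr", {"hr.payroll.admin", "hr.records.read"}),
    "frank": ("hr", {"hr.payroll.admin", "hr.records.read", "erp.reports"}),
}

# Constructed: accounts on a target system, mapped to the identity that owns them.
ACCOUNTS = {"alice": "alice", "bob": "bob", "dave": "dave", "svc_report": "gina"}


def peer_confidence(users):
    """For each (department, entitlement) pair, the fraction of that
    department's members who hold the entitlement (0.0 to 1.0)."""
    members = defaultdict(int)
    holders = defaultdict(int)
    for dept, ents in users.values():
        members[dept] += 1
        for ent in ents:
            holders[(dept, ent)] += 1
    return {key: count / members[key[0]] for key, count in holders.items()}


def recommend_roles(users, threshold=0.75):
    """Candidate role per department: entitlements held by at least
    `threshold` of its members (a simple role-mining heuristic)."""
    roles = defaultdict(set)
    for (dept, ent), conf in peer_confidence(users).items():
        if conf >= threshold:
            roles[dept].add(ent)
    return dict(roles)


def flag_overprovisioned(users, threshold=0.3):
    """Entitlements a user holds that fewer than `threshold` of their
    departmental peers hold; these are review candidates, not automatic revokes."""
    conf = peer_confidence(users)
    flagged = {}
    for user, (dept, ents) in users.items():
        rare = {ent for ent in ents if conf[(dept, ent)] < threshold}
        if rare:
            flagged[user] = rare
    return flagged


def orphaned_accounts(accounts, users):
    """Accounts whose owning identity is missing from the authoritative user set."""
    return {acct for acct, owner in accounts.items() if owner not in users}
```

With the sample above, finance's candidate role is the three ERP entitlements, carol's payroll admin right and dave's production database admin right are flagged for review, and svc_report is reported as orphaned.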

Autonomous Identity enables business line managers to contextually understand the level of risk associated with user access permissions, roles, and entitlements. For example, a multinational financial services company was able to reduce access requests, revocations, and certifications by 60 percent with Autonomous Identity in less than a quarter. With enterprise-wide visibility, the business line managers were able to quickly identify and clean up overprovisioned access and accelerate their security decision-making to either approve or revoke a user's access.

Maintain Least Privilege

With Autonomous Identity, organizations can effectively enforce least-privileged access that restricts access to only those resources required for an employee or a contractor to do their job. By bringing artificial intelligence (AI) and machine learning (ML) techniques to the RBAC model, you can ensure users have appropriate access permissions and privileges. This dynamic approach to RBAC further minimizes the attack surface from insider and external threats. The takeaway here is that maintaining least-privileged access is just as important as achieving it.

Another Autonomous Identity customer, a leading U.S. healthcare solution company, reduced the required roles for a major financial ERP application by 70 percent in less than three months.

By leveraging Autonomous Identity, organizations can analyze and recommend new, dynamic roles, rules, and role memberships in a matter of days or weeks — not in months, like traditional identity governance solutions. By dynamically modernizing RBAC, organizations can maintain a least-privileged access model that works and scales with an organization's dynamic business requirements.

Automate and Operationalize

ForgeRock Autonomous Identity can determine and automate recommendations, such as adding new roles, removing unnecessary roles, or adding new, dynamic rules directly to an existing IGA solution.

For example, a multinational financial services company reduced its click rate in the access certification review process by more than 80 percent by using Autonomous Identity to automate low-, medium-, and high-risk user access decisions.

Organizations need to automate and further operationalize their existing IGA solutions and processes. This actionable intelligence approach enables security and risk teams to take immediate action, accelerate decision-making, and improve operational efficiencies across the entire organization.

Jumpstart Your Zero Trust Journey

ForgeRock Autonomous Identity provides organizations with insight into the risks associated with user access and with concrete recommendations for mitigating those risks. With Autonomous Identity, organizations can increase the business value of their existing identity governance solution and processes, including automated access requests, certification reviews, and role and entitlement clean-ups.

To learn more about how your security and risk teams can provide increased business value to your organization, read about the ForgeRock Autonomous Identity two-week assessment evaluation.