Sep 13, 2024
Access management is foundational to effective cybersecurity. But the sheer number of applications used by many organizations and the often rapid growth trajectory of startup businesses can add many bumps in the road. To find out more, AccessOwl spoke to several IT practitioners who have overcome many of these challenges — in some cases, the hard way. Here’s what they recommend.
1) Limit permissions for employees
“When it comes to Atlassian, the biggest mistake people make is giving admin permissions to too many people, which comes from a lack of knowledge and the need to set everything up fast,” says Relational AI IT Engineer Arek Czub. “Everything in Atlassian has a lot of dependencies between the products and modules, so when you change something, this changes for everyone.”
TrueLayer IT Manager Liam Williamson adds that, when he joined the company, different departments owned their own tools. This led to too many people with admin rights. He then worked overtime to ensure IT regained control over access management.
“They didn’t need control. So we said ‘let's make sure they can't add people,’ which in turn funneled the onboarding through IT,” he adds. “Now we're responsible for creating and deactivating accounts on 98% of our tools.”
2) Give autonomy, but retain control
However, IT departments should still give some autonomy to individual business units, Williamson argues.
“So there'll be a service account, which is the owner. Then there’ll be a number of people within that who are admins. But we try to lock it down, so that they can't add or remove people, but they can change roles within permission sets,” he says. “There are so many apps and such a diversity of expertise you need that… IT just doesn’t have the capacity for every single app we have.”
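The two points above (too many admins, and delegated admins who should be able to change roles but not add or remove people) can be checked mechanically against an app's exported member list. The following is an added example, not code from AccessOwl or from any of the people quoted. It assumes each app's membership was exported as (email, role, can-manage-members) tuples, that IT-owned service accounts follow a `svc-` naming convention, and a policy limit of three admins per app; the membership data is constructed for illustration.

```python
"""Admin-sprawl and delegation audit over exported SaaS membership lists.

Added example (not AccessOwl's or any interviewee's code). Assumptions:
  * each member is (email, role, can_manage_members);
  * IT-owned service accounts are named with the SERVICE_ACCOUNT_PREFIX;
  * at most MAX_ADMINS human admins per app is the policy threshold.
All membership data below is constructed.
"""

# Constructed export: app name -> [(email, role, can_manage_members), ...]
MEMBERSHIPS = {
    "atlassian": [
        ("svc-atlassian@example.com", "owner", True),
        ("alice@example.com", "admin", False),
        ("bob@example.com", "admin", True),    # delegated admin who can still add/remove people
        ("carol@example.com", "admin", False),
        ("dave@example.com", "admin", False),
        ("erin@example.com", "user", False),
    ],
    "crm": [
        ("frank@example.com", "owner", True),  # owner is a personal account, not IT's service account
        ("grace@example.com", "admin", False),
        ("heidi@example.com", "user", False),
    ],
}

SERVICE_ACCOUNT_PREFIX = "svc-"  # assumption: naming convention for IT-owned accounts
MAX_ADMINS = 3                   # assumption: policy threshold for human admins per app


def audit_app(name, members, max_admins=MAX_ADMINS):
    """Return a list of findings (dicts with app, kind, detail) for one app."""
    findings = []
    admins = sorted(email for email, role, _ in members if role == "admin")
    owners = [email for email, role, _ in members if role == "owner"]

    # Finding 1: more admins than policy allows (the "too many admins" problem).
    if len(admins) > max_admins:
        findings.append({
            "app": name, "kind": "admin_sprawl",
            "detail": f"{len(admins)} admins exceed limit of {max_admins}: {', '.join(admins)}",
        })

    # Finding 2: a delegated admin who can add/remove people bypasses IT-owned onboarding.
    for email, role, can_manage in members:
        if role != "owner" and can_manage:
            findings.append({
                "app": name, "kind": "delegated_member_management",
                "detail": f"{email} ({role}) can add/remove members; should only change roles",
            })

    # Finding 3: the owner should be the IT service account, not a person.
    if not owners:
        findings.append({"app": name, "kind": "no_owner", "detail": "no owner recorded"})
    for owner in owners:
        if not owner.startswith(SERVICE_ACCOUNT_PREFIX):
            findings.append({
                "app": name, "kind": "personal_owner",
                "detail": f"owner {owner} is a personal account, not an IT service account",
            })
    return findings


def audit_all(memberships=MEMBERSHIPS):
    """Audit every exported app; returns {app: [findings]}."""
    return {name: audit_app(name, members) for name, members in memberships.items()}


if __name__ == "__main__":
    for app, findings in audit_all().items():
        for f in findings:
            print(f"[{f['kind']}] {app}: {f['detail']}")
```

The three checks map directly onto the interviewees' model: a service account owns the app, a small number of admins manage roles within permission sets, and nobody outside IT can add or remove people. Running it periodically over fresh exports turns that model into a repeatable access review rather than a one-time cleanup.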
3) Beware the SSO tax
Relational AI’s Arek and others lament the common practice among SaaS vendors of up-charging for single sign-on (SSO), as well as SCIM support. These features are increasingly important for managing secure, compliant, and streamlined access to SaaS apps — as well as user provisioning/deprovisioning. But by offering the features only in premium versions of their products, SaaS vendors leave many IT admins with a stark choice.
“For most SaaS tools, you have to pay for the highest subscription to get the most important features. SSO or enforcing logins with SSO, managing user API tokens, and SCIM. For example, these all require an additional Atlassian Guard subscription in Atlassian,” says Arek.
Jakub Łączak-Król, IT Asset Manager at XTB, has had a similar experience.
“We had around 50 different platforms used by employees, and they were on some basic plan, so we couldn’t actually implement SSO, SCIM or SAML,” he explains. “We were still able to have some kind of identity management — integrating with a few crucial platforms and utilizing Okta as a password manager. But it was a bummer for us.”
He continues, “I’d hope those companies would eventually change their approach and include things like SSO and SCIM as a standard feature — or, more likely, that the European Union forces those companies to include SSO and SCIM in company/enterprise plans, as it also significantly increases security.”
Felix Naepels is the former Head of Internal IT at Pigment. He advises IT leaders to keep a tight rein on which SaaS apps the business can purchase, to mitigate security risks. But even then, the SSO tax is still an unwelcome barrier to better security, he argues.
“It's one of my biggest pet peeves. I don't think security should be an add-on. It should be a default feature. And it really messes with me. Sometimes it just doesn't make sense to get the [premium] plan. So you have to approve something without those options [SAML, SCIM etc]. And then those end up becoming your challenges when you do access reviews.”
Reveal IT Ops Lead Akash Gopani has 150-170 different apps to manage. But the SSO tax made much-needed auto-provisioning prohibitively expensive. “It can cause major headaches, unless there’s low staff churn,” he says.
“If the company has two or three people leaving and four or five joining each month — at that point it gets quite messy,” Gopani argues. “But if there’s a low turnover, then everyone already has access to what they need, and access requests are minimal.”
4) Prioritize and automate
When TrueLayer’s Williamson joined the company, he was forced to create order from a chaotic IT environment — starting with the automation of access management.
“The three biggest things you want to try and get right within a company are joiners, movers, and leavers,” he explains. “Onboard joiners to hit the ground running. Ensure people moving from one team to another have access to different applications. And offboard people by making sure their accounts are deactivated.”
Once the to-do list grew to a certain length, Williamson went through a “review and prioritize” process.
“I asked myself, ‘what's going to have the biggest impact on the most people?’ And one of the things we tried to get right in the early days was the automation of access to our SaaS tools,” he continues.
After creating a master list to prioritize which apps to integrate into Okta via SAML and SCIM, the process began. Integrating around 80 apps took roughly one-and-a-half years.
“You're working with production applications. It's not like you're setting something up for the first time,” Williamson says. “That's why it took so long — because we had to do it in a careful way, without being too disruptive.”
5) Ease of use is critical
Try to choose access management tools that are easy for the end user to understand, advises XTB’s Łączak-Król.
“First of all, it should make sense for us, as the administrator,” he explains. “But then, we know that each employee in the company will be introduced to a new platform, and they will all need to use it daily. So it cannot be overwhelming for them.”
It’s also best to approach the procurement process with some “must-haves,” he adds. For XTB, these included support for multi-factor authentication, various browser add-ons, and password management within the tool.
6) Choose carefully, especially if you’re a big company
Once you choose an access management tool, it can be tricky to change, due to the number of dependencies involved. “So be sure to get it right the first time,” Łączak-Król adds.
“Doing a proof of concept is very important before implementing or changing anything, because just choosing a tool based on meeting with a vendor’s sales department is my nightmare,” he says. “You’re going to end up with more problems than you started with.”
7) Automate RBAC where possible
Setting up role-based access control (RBAC) can be an administrative nightmare. But it’s one that can be solved through automation — which is what Quantum Workplace Information Security and Technology Manager Wesley Laughlin managed to do.
“That was a huge breath of fresh air, because I knew I didn’t have to worry about access levels that shouldn't be there, managing access levels, people moving jobs, and reevaluating what they have access to,” he explains.
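The joiner/mover/leaver process from section 4 and the automated RBAC described here are two sides of the same reconciliation: an authoritative HR roster plus a team-to-role map defines what access should exist, and the difference from what each app currently holds is the list of provisioning actions. The following is an added example, not code from AccessOwl, Okta, or the people quoted. It assumes an HR roster as the source of truth, a team-to-role map maintained by IT, and a per-app snapshot of current users of the kind a SCIM or admin API would return; all data is constructed.

```python
"""Joiner/mover/leaver reconciliation driven by a team-to-role (RBAC) map.

Added example, not code from AccessOwl or any interviewee. Assumptions:
  * HR_ROSTER is the source of truth for who exists, their team, and whether
    they are still active;
  * TEAM_ROLES grants app roles by team only (no per-person exceptions);
  * APP_STATE is a snapshot of each app's current users, as SCIM would list them.
All data below is constructed.
"""

# Constructed HR roster: the source of truth.
HR_ROSTER = [
    {"email": "alice@example.com", "team": "engineering", "active": True},
    {"email": "bob@example.com",   "team": "support",     "active": True},   # mover: was engineering
    {"email": "carol@example.com", "team": "engineering", "active": False},  # leaver
    {"email": "dan@example.com",   "team": "engineering", "active": True},   # joiner
]

# Constructed RBAC map: team -> {app: role}.
TEAM_ROLES = {
    "engineering": {"jira": "developer", "github": "write"},
    "support":     {"jira": "agent"},
}

# Constructed snapshot of what each app currently holds: app -> {email: role}.
APP_STATE = {
    "jira": {
        "alice@example.com": "developer",
        "bob@example.com": "developer",
        "carol@example.com": "developer",
        "mallory@example.com": "admin",      # not in HR at all: orphan account
    },
    "github": {
        "alice@example.com": "write",
        "bob@example.com": "write",
    },
}


def desired_access(roster, team_roles):
    """Map each person to the {app: role} their team grants; inactive people get nothing."""
    desired = {}
    for person in roster:
        if person["active"]:
            desired[person["email"]] = dict(team_roles.get(person["team"], {}))
        else:
            desired[person["email"]] = {}
    return desired


def reconcile(roster=HR_ROSTER, team_roles=TEAM_ROLES, app_state=APP_STATE):
    """Return a sorted list of (app, action, email, detail) that brings apps in line with HR.

    Actions: create (joiner, or mover gaining an app), update_role (mover),
    deactivate (leaver, or mover losing an app), review_orphan (account with no HR record).
    """
    desired = desired_access(roster, team_roles)
    apps = set(app_state) | {app for roles in team_roles.values() for app in roles}
    actions = []
    for app in apps:
        current = app_state.get(app, {})
        for email, per_app in desired.items():
            want, have = per_app.get(app), current.get(email)
            if want and not have:
                actions.append((app, "create", email, want))
            elif want and have != want:
                actions.append((app, "update_role", email, f"{have}->{want}"))
            elif have and not want:
                actions.append((app, "deactivate", email, have))
        # Accounts the app knows but HR does not: never auto-delete, flag for human review.
        for email, role in current.items():
            if email not in desired:
                actions.append((app, "review_orphan", email, role))
    return sorted(actions)


if __name__ == "__main__":
    for app, action, email, detail in reconcile():
        print(f"{app:8} {action:14} {email:24} {detail}")
```

Two design choices are worth noting. Roles come only from the team map, so a mover's old entitlements disappear automatically when HR changes their team, which is the re-evaluation Laughlin no longer has to do by hand. Accounts with no HR record are reported rather than deactivated, because a shared or service account can look exactly like an orphan to this logic.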
8) Get organized and start early
Laughlin migrated the company’s development and product teams to automated RBAC over the past two years. But he wishes he’d started earlier.
“That was kind of a big lift,” he explains. “I wish it was something we’d gone to earlier. Being able to understand who has access to what, and what level of access they have.”