Why identity silos and entitlement creep could be 2023’s most overlooked cybersecurity threats

By Peter Barker, Chief Product Officer, ForgeRock

All businesses are now digital businesses. This transformation has turned mastery of data security, privacy and governance into a must-have, and companies have been unafraid to invest vast sums to bolster capabilities in these areas. In 2023, global enterprise IT spend is expected to exceed $4.6 trillion, according to Gartner.

Financial services firms are no different. Over the last few years, the percentage of banks that have launched a digital transformation strategy jumped from only 9% in 2018 to a staggering 91% in 2022. But with only 5% of financial institution executives saying that they’ve completed, or are almost done, with their digital transformation strategy, it’s clear that banks are now in a race to finish their digital transformation to deliver better online services than their competitors.

While this rapid digital transformation may cater to a more flexible workforce and help firms stay ahead of market trends, it also makes organisations vulnerable to certain cybersecurity threats. Crucially, many firms and banks are overlooking two critical areas of risk – digital identity silos and ‘entitlement creep.’

Digital identity silos, entitlement creep and IGA 

Identity governance and administration (IGA) is a critical component of an organisation’s overall security strategy. It helps ensure that only authorised individuals have access to sensitive information and systems, and that access is granted and revoked in a timely and efficient manner.

However, there are several security risks associated with IGA that organisations need to be aware of, including identity governance overprovisioning, which is the granting of excessive or unnecessary access privileges, and identity silos. A digital identity silo occurs when a department or business unit deploys its own applications or systems and grants an employee access to them, outside the control of the IT team.

Combined, entitlement creep and identity silos can increase the likelihood of insider attacks and data breaches (nearly 50% of data breaches in 2021 were caused by unauthorised access according to ForgeRock’s Consumer Identity Breach Report). This could potentially expose a whole organisation to malicious intrusion as attackers use one foothold to compromise other parts of a network undetected, sometimes for many months.

To put things in perspective, the average tenure of a UK employee is nine years, during which time they will accumulate permissions and access to different systems, tools, and resources – this is known as ‘entitlement creep’ and is closely tied to IGA overprovisioning. This issue is particularly pertinent in financial service institutions, where the average number of folders open to all access is 1.3 million. Large corporate layoffs have only added fuel to the fire, as high rates of employee churn make it more likely that security teams will duplicate identities, forget to delete old employee records and exacerbate digital identity silos.

What’s more, many organisations do not have the technological foundations to properly deal with these compounding issues. This is because the average business is often running a mix of legacy, home-grown, and standard IGA deployments to secure and manage the identities of their workforce. Indeed, nearly 50% of IGA is now in ‘distress’ due to the sheer complexity and volume of recent workforce upheaval.

So long, silo 

The problem is clear, but how can businesses balance increasing volumes of requests for changes to access permissions while reducing the risk of entitlement creep and insider threats associated with this process?

Many existing identity governance solutions fail on both of these counts because they rely on static data. This means that, as role profiles and entitlements change over time, these solutions fail to update access permissions dynamically.

The key to walking back entitlement creep is to remove the burden placed on IT teams and make use of Artificial Intelligence (AI)-driven and cloud-based solutions that can automatically and continuously govern complex access requirements quickly, reliably and at scale.

AI can help reduce access overprovisioning by automating the process of managing access. AI algorithms can analyse user activity and access patterns to determine which users need access to which resources. This can be done in real-time, so that access is granted only when it is needed and revoked when it is no longer necessary.

AI can also be used to monitor access and detect any suspicious activity, such as attempts to access restricted resources. This can help organisations quickly identify and respond to potential security threats, reducing the risk of data breaches.

In addition, AI can be used to improve the accuracy of access policy enforcement. By analysing large amounts of data, AI algorithms can help financial service organisations identify patterns and trends in user access. This can inform the development of more precise and effective access policies, reducing the risk of overprovisioning and ultimately, entitlement creep.

With choppy economic waters ahead, businesses must take governance seriously

As layoffs and company restructuring become increasingly common, it is vital that financial services firms are aware of the potential data security risks these changes can bring.

Identity silos and entitlement creep are latent security threats that can lead to insider attacks, which can have a catastrophic effect on an organisation. To address these threats, businesses must turn to AI to improve identity governance and empower IT teams. By using automated IGA systems and behaviour analytics, organisations can improve their ability to detect and respond to potential security threats and work more efficiently.
