Managing Identity Risk from the Explosion of Cloud and SaaS Applications

Dec 10, 2024

Does anybody clearly remember the days when all our enterprise applications were housed on-premise?  In those days, a time that now feels so long ago, the team in IT that managed identities was largely aware of all the apps in use by the business, even if they were not directly managing them.  Remember that?  Remember when everybody worked in the office and all apps were inside a perimeter? Businesses today are increasingly reliant on hundreds, and in some cases even thousands, of SaaS and cloud-based applications for their daily operations. And in the current cloud/SaaS era, most of these applications are onboarded and managed by somebody outside of IT, in a highly decentralized way.

The world of application management has certainly changed, but unfortunately the way most organizations govern identities hasn’t.   

Legacy IGA Fails to Address Complexity, Decentralization, and Security Needs of Today’s Enterprises

The legacy Identity Governance and Administration (IGA) solutions built 20 years ago were not designed for today’s cloud/SaaS era or the proliferation of complex hybrid environments. They were developed for a time when there were fewer enterprise applications, which were mostly managed by IT. They were designed for a specific – and important – purpose: to support the complex process of ensuring job-appropriate user permissions and reviewing them for compliance.

We’ve recently completed some market research, which I’ll share more about in the coming weeks, but some of its findings were quite revealing. For instance, 84% of organizations rely on mostly manual processes for IGA work such as user access reviews and provisioning granular permissions. Further, 83% stated that the primary reason for managing IGA processes manually is the difficulty of integrating applications with IGA systems.

Given the large sprawl of applications that are commonly onboarded and managed across the business, IGA solutions must be able to quickly and easily integrate with large numbers of applications, in order to be able to keep up with the speed of the business and its changing application portfolio.

Identity is the New Perimeter

Identity has truly become the new security perimeter for businesses, as compromising identities has become the top vector of attack by cyber threat actors. The ongoing drive for widespread zero trust adoption only underscores this point – identity is the central point for IT security.

This is why corporate security teams must ensure they can keep up with all of the applications within their environment – whether they’re on-prem, in the cloud, or a hybrid deployment – and ensure that permissions granted in these applications align with least privilege access principles. Additionally, these teams need to ensure that they’re keeping up with all joiners, movers, and leavers – ensuring that appropriate access levels are granted (or revoked) in a timely manner. With organizations using a hundred or more different cloud and SaaS applications, manually walking through every individual application to review permissions and accesses is tedious, time-consuming, and prone to error.  We shouldn’t be surprised that cyber adversaries are attacking identities – we’re simply not governing permissions well.

A New, Modern Approach to IGA

Companies need a solution that operates at the speed of their business, effectively integrates all of their applications, and enables their IT teams to maintain security without inhibiting workforce productivity. They need a modernized approach to IGA – one that uses legacy IGA’s best components as a foundation, but delivers additional capabilities that support their current and future needs, including:

  • Fast, efficient integrations of new applications, whether on-prem or in the cloud, whether they have an API for permissions or not, and whether they are purchased or custom applications
  • Automated discovery, maintenance, and management of user roles to enable pre-approvals that speed provisioning and ease user access certifications
  • Comprehensive visibility of identities and permissions across the enterprise
  • Configurable policies to identify and remediate misconfigurations, alert security teams, or kick off appropriate security workflows

In short, modern IGA systems are needed to automate every step of IGA processes to enable fast time-to-value. Only then will organizations adopt their use and, in turn, be able to reduce the onslaught of cyber attacks and compliance burdens by continuously managing identities to the principle of least privilege access.

The good news is that a modern approach to IGA exists!  More companies around the world are now using Zilla Security’s Modern IGA platform to quickly onboard applications, obtain centralized visibility into the permissions granted in applications across the enterprise, and to speed provisioning-related joiner, mover, leaver processes. Not only do these companies save the high costs that they’d otherwise spend on expensive legacy IGA deployments, but they also greatly reduce the manual processes associated with user access certifications and provisioning, so they can focus their efforts on other initiatives.


Author

  • Mark Jaffe, CMO of Zilla

    Mark is an accomplished high tech CEO, CMO, VP Strategy, VP Sales and Board Director, with a strong track record, and keen interest, in rolling out disruptive products, delighting customers, developing game-changing partnerships, and driving company growth.

    Prior to joining Zilla Security, Mark guided growth at numerous cybersecurity startups. As Illusive’s CMO, Mark repositioned Illusive as an Identity Threat Detection and Response (ITDR) provider, which resulted in the company’s acquisition by Proofpoint. He founded Prelert and served as its Chief Executive Officer through its 2 funding rounds, its growth to become the market-leading anomaly detection solution for Splunk and Elastic, and its eventual acquisition in 2016. Earlier, he served as the Worldwide Vice President of Firewall and Behavioral Analysis Sales at McAfee, where he was instrumental in integrating products into the McAfee solution portfolio, ramping sales, and growing the sales organization of a $100M+ business. Prior to McAfee, Mark built and led sales organizations at software startups Securify, Axentis, OnLink and JYACC, consistently growing revenues 30-100% year on year. At OnLink Technologies, Mark grew revenues from 0 to $20M in under 2 years, leading to the acquisition of OnLink by Siebel Systems for $609M.

    Chief Strategy and Marketing Officer
