Technological complexity drives new wave of identity risks
Security leaders are facing increased technological and organizational complexity, which is creating a new wave of identity risks for their organizations, according to ConductorOne.
Based on a survey of 523 US-based IT security leaders at companies with 250 to 10,000 employees, the study explores the top challenges and opportunities of identity security, access management, and zero standing privilege.
Identity issues pose growing risk to organizations
According to the survey findings, most organizations have experienced firsthand just how risky identity issues have become. 77% of respondents said their organization has suffered from instances of cyberattacks or data breaches in the past 12 months due to improper access or overprivileged users. Furthermore, 41% of respondents said there had been multiple instances of cyberattacks or data breaches due to the same improper access issues.
“We’re now squarely in a new world order in which identity and access must be viewed and managed as a high-priority security risk, not just an IT issue,” said Alex Bovee, CEO of ConductorOne. “As our survey shows, the complexity of modern technology environments has made identity an overwhelming challenge for security teams — and a prime target for attack. Fortunately, many organizations are leaning into automation and zero standing privilege to reduce complexity, minimize risk, and bring identity chaos to order.”
The interconnectedness of modern technology environments has opened the door to a wide range of new identity and access risks. Key survey findings related to technology complexity include:
Hybrid IT: 76% of survey respondents indicated their company has a hybrid environment. Just 6% of respondents said their environment is completely in the cloud, and only 18% stated their environment is completely on premises.
Extended enterprise: 97% of surveyed security leaders reported that their company works with external entities like contractors, partners, or suppliers who have access to their various systems, applications, and/or resources.
Non-human identities: 81% of respondents stated they are concerned about non-human identities and the risk they pose to their company.
SaaS sprawl: Security leaders estimated that an average of 39.5 SaaS apps are in use across their company. Smaller companies reported an average of 9.2 SaaS apps in use, whereas larger companies reported an average of 70.4 apps.
Top identity and access management challenges
When asked to describe their top identity and access management challenges, 47% of respondents cited the complexity of existing systems, followed by employees’ resistance to change (38%), limitations due to available tools (33%), and executives’ resistance to change (32%).
47% of survey respondents said their company’s identity security strategy and access policies hinder team productivity, with 23% citing a significant hindrance to productivity.
84% reported either a moderate or significant increase in their company’s budget allocation for identity and access-related products this year. 95% said their budget allocations for identity and access-related products are adequate.
Despite increasing budgets and respondents self-reporting that their allocations are adequate, 73% of respondents still find themselves frequently or very frequently negotiating higher security budgets due to increasing security risks and responsibilities.
Security leaders believe ZSP is effective at reducing access risks
The concept of zero standing privilege (ZSP) requires that a user be granted only the minimum level of access and privilege needed to complete a task, and only for a limited amount of time. Should an attacker gain entry to a user’s account, ZSP ensures there is far less potential for the attacker to access sensitive data and systems.
The study found that 93% of security leaders believe ZSP is effective at reducing access risks within their organization. Additionally, 91% reported that ZSP is being enforced across at least some of their company’s systems.
As security leaders face greater complexity across their organizations’ systems and escalating attacks from adversaries, it’s no surprise that risk reduction was cited as respondents’ top priority for identity and access management (55%). This was followed by improving team productivity (50%) and automating processes (47%).
Interestingly, improving user experience was cited as the top priority among respondents who experienced multiple instances of attacks or breaches due to improper access in the last year.
This group also identified executive and employee resistance to change as their top identity challenges, which may indicate that greater organizational friction could lead to increased risk.