A New Administration Offers an Ideal Time to Prevent Entitlement Creep


Here’s what you need to know to protect federal employees and secure classified data.

As the U.S. prepares for President-elect Biden’s administration, there will be a significant number of government officials changing roles. This influx of federal job transitions can greatly complicate IT security measures for public chief information officers and IT professionals, especially since the government sector in particular faces the daunting task of keeping employee and classified data secure.

With the number of new types of identities—customers, partners, workforce, citizens, machines, devices, bots’ APIs, applications and microservices—security and IT teams are overwhelmed. Legacy identity governance solutions that federal agencies used traditionally can no longer keep up because they are based on manual human reviews and fulfillment. As a result, many government organizations are at risk of a growing problem today: employee entitlement creep. 

Entitlement Creep: How Does it Happen? 

The average federal employee serves for approximately 13 years and during that time, their organization, roles and responsibilities can change multiple times over the course of their employment with promotions, job transitions and even layoffs. When these changes are dealt with manually, it is easy to forget to remove some or all access from a previous role. This leads to entitlement creep from employees gradually accumulating unnecessary permissions over time. Furthermore, when an employee moves to a different organization and they still have access to important files that IT is unaware of, the user retains access to those overlooked or orphaned accounts and can leverage that confidential information however they want. In a worst-case scenario, this could lead to a serious breach.

Entitlement creep increases the risk of insider threats for government agencies. Prompt removal of excess privileges can significantly lower the risk of access abuse, but this is a tedious, manual process for IT today. The 2020 ForgeRock Consumer Identity Breach Report revealed unauthorized access as the top attack method used by cyber criminals. What’s more, the report shows a 78% increase in compromised consumer records over the previous year. To mitigate the risk of insider threats, public-sector CIOs and IT departments must evolve their current thinking and approach to better manage and control unauthorized user access. Here are three organizational blind spots that should be addressed to prevent entitlement creep from occurring. 

1. Evolving Access Compliance  

Staying compliant is an ongoing challenge, especially when people change jobs, work on special projects, or leave an organization. Identity governance helps with these issues by automating the work it takes to enforce and demonstrate compliance. By implementing access policies, organizations can be confident that the right people are accessing the right information for the right reasons. Furthermore, it allows for quick review and access certification for any user at any time. 

2. Overloaded IT Departments Lead to Operational Inefficiencies 

Identity governance solutions are meant to automate access requests, approvals and certification reviews. The reality is that IT and security teams are buried in these requests, which can number in the hundreds or thousands. As a result, they end up manually approving access requests and rushing to approve access certifications. This results in the overprovisioning of user access privileges—in this case, excessive or unnecessary entitlement assignments. Overprovisioning can lead to unauthorized access to systems, applications and proprietary government information, employee personal identifiable information and classified intelligence. 

3. Business Enablement: Reducing Friction Can Reduce Security 

Governing user access to applications and systems across an entire enterprise is a critical component to any security strategy, but it presents one of the greatest challenges faced by security professionals. As employees, contractors or temporary staff join a federal agency, change roles, take on different assignments or eventually leave, organizations must constantly update access entitlements and policies to ensure that users only have access to what they need, while removing access they don’t need. 

Unfortunately, many organizations today address this with manual processes executed by different people and different systems. Manual processes are not effective because they are more costly than automated tasks, employees must wait to get the access to do their job, they are more prone to errors, and they are often applied haphazardly. These business enablement processes become more complicated and pose great security risk when the organization’s employees are working off multiple devices like smartphones and tablets, in addition to their work computer. 

Artificial Intelligence Holds the Key to Preventing Entitlement Creep

Along with taking preventative steps to address IT blind spots, the key to ridding organizations of entitlement creep is artificial intelligence-driven identity analytics. Identity analytics leverages AI and machine learning algorithms to map out the user access landscape across the entire organization. This requires AI because vast volumes of data must be consumed and analyzed to paint an accurate picture. 

By detecting user access patterns, identity analytics can quickly highlight excessive or unnecessary entitlement assignments and over-provisioned user access privileges. Then, AI-driven identity analytics can automate the removal of high-confidence and low-risk access, lowering the risk of unauthorized users access across government organizations. Today, manual processes in provisioning access are just manual inefficiencies. Leveraging AI to evaluate and automate the entitlement process can deliver the right access to the right people faster, but it can also eliminate costly security vulnerabilities.

Tim Bedard is senior director of product marketing at ForgeRock.