Industry-First Report from Veza Showcases the Challenge of Managing Access Permissions for Identity and Security Teams
02 May 2024 - 11:00AM
Business Wire
Proprietary Data Shows Scale of Enterprise
Permissions and Excess Privilege that Could Leave Organizations
Vulnerable
Veza, the identity security company, today unveiled its
inaugural State of Access report, a detailed analysis that assesses
the current state of access permissions across hundreds of
organizations. This first-of-its-kind report establishes benchmarks
for IT, security, and identity professionals to better understand
their own identity security posture and areas to consider for
reducing the risk of breaches.
Modern technologies like software as a service (SaaS),
infrastructure as a service (IaaS), cloud data lakes, databases,
and GenAI models all depend on identity to access and protect the
sensitive data within. Yet, industry research shows that 80% of
cyberattacks involve identity and compromised credentials,
demonstrating that traditional methods for governing access have
fallen short.
“Permissions are the treasure map, and hackers have figured this
out,” said Tarun Thakur, co-founder and CEO, Veza. “Traditional
identity tools, with directory services and listing users and
groups, do not represent access. The true picture of access is
rooted in permissions. Digital transformation has increased the
complexity of access permissions, making it more important than
ever for organizations to enforce the principle of least privilege.
The numbers in this report are a wakeup call for security and
identity teams, many of which struggle to see who can take what
action on enterprise data.”
Veza’s dataset reveals that the average organization has roughly
1,400 permissions for every employee, an alarmingly high ratio when
considering that traditional identity tools were not built to
visualize or manage permissions at this scale. The findings also
show that identity teams face a daunting number of groups and roles
to manage. With organizations averaging nearly 700 groups for every
1,000 users, it is difficult for admins to choose the
least-privilege groups and roles that will meet the needs of any
given employee, contractor, or service account.
Other findings highlighted in the report include:
- This is the multi-identity era, with fragmented and
duplicated identities. Organizations use an average of 1.75
identity platforms, with the most prominent being Microsoft’s Entra
ID, Microsoft’s Active Directory (AD), and Okta.
- Cloud and GenAI adoption have increased the number of
non-human identities (e.g. service accounts and service
principals). Veza sees a ratio of 17-to-1 for non-human identities
to human workers. This is especially prevalent in AWS, Azure, and
Google Cloud.
- Dormant permissions are pervasive. Deactivated users
account for 16.5% of all permissions assigned to users in identity
platforms, especially those in Microsoft’s Active Directory and
Entra ID. 14.7% of users are considered dormant.
- Excessive permissions need to be cleaned. Though just
0.1% of users in identity platforms are explicitly labeled as
privileged accounts, implicit privilege is pervasive. 34% of all
effective permissions tracked by Veza include the ability to delete
data. For example, 17% of Snowflake roles have permissions to
delete, as do 30% of AWS IAM roles. In addition, nearly all users
of Snowflake and AWS IAM are using less than 20% of the resources
to which they have access.
- Multi-factor authentication (MFA) is not a given. Across
the millions of identities analyzed by Veza, 13% of users still
have not enabled MFA.
“This data from Veza validates the urgent need for organizations
to create a culture of access removal,” said Adam Fletcher, Chief
Security Officer, Blackstone. “Removing users who are inactive or
permissions that aren’t being used mitigates risks. More than
anything, I think these numbers will inspire the reader to ask
questions about access in their own organization. Once an
organization can see its identity posture, it can begin to manage
it.”
Learn more about the State of Access report:
- Register for a virtual presentation on the findings on
Thursday, May 16 at 10 a.m. PT: https://veza.com/SOA-webinar
- Download the full report: https://www.veza.com/soa
Learn more about Veza:
- Veza Access Platform: https://www.veza.com/platform
- Veza Integrations: https://www.veza.com/integrations
- Veza reviews on Gartner Peer Insights:
https://www.gartner.com/reviews/market/identity-governance-administration/vendor/veza/product/veza-access-control-platform/reviews
About Veza
Veza is the Identity Security company, helping organizations
secure access across the enterprise. Veza’s Access Platform goes
beyond identity governance and administration (IGA) tools to
visualize, monitor, and control entitlements so that organizations
can stay compliant, achieve least privilege, and de-risk the
breach. Global enterprises like Wynn Resorts, Expedia, and
Blackstone trust Veza to manage identity security posture, with use
cases in privileged access management (PAM), non-human identities
(NHI), cloud entitlements (CIEM), data system entitlements, SaaS
entitlements, and IGA. Founded in 2020, Veza is headquartered in
Los Gatos, California, and is funded by Accel, Bain Capital,
Ballistic Ventures, Google Ventures (GV), Norwest Venture Partners,
and True Ventures. Visit us at veza.com and follow us on LinkedIn,
Twitter, and YouTube.
View source version on businesswire.com: https://www.businesswire.com/news/home/20240502658045/en/
Justin McCann, R1 Communications for Veza
justin@r1communications.com