Identity sprawl is a common issue that organizations face, especially those that don’t enforce single sign-on (SSO) capabilities across all user accounts. It’s a problem that’s becoming more and more apparent as breaches continue to occur and organizations realize that every new identity one of their users creates is a shiny new attack vector ready to be exploited by bad actors.
What Is Identity Sprawl?
Identity sprawl happens when users create a variety of different identities across their work resources, and those accounts typically go unmanaged. The best way to estimate how big this issue is in your organization is to estimate the average number of resources each employee needs access to (including apps, devices, networks, websites, etc.) and multiply that number by how many employees you have.
This number might be intimidating, but the key here is to focus on dealing with the unnecessary identity sprawl your organization has, as opposed to the necessary identity sprawl that all organizations have.
Necessary identity sprawl occurs when an employee uses more than one identity to access their resources, and there is no immediate or reasonable way to avoid that.
Unnecessary identity sprawl occurs when an employee uses more than one identity to access their resources, and the issue can be remedied via a tool such as single sign-on with minimal to no adverse effects on the general user experience.
Why Avoiding Identity Sprawl Is Important
One stat shows that at least 30,000 websites are hacked daily. If one of your organization’s users has an account on one of those websites, or their information is obtained through other means, that user and now your company’s data are both at risk. This is especially true when users fall victim to identity sprawl.
Security and Compliance Implications
Let’s say one user in your organization has 20 different identities across all of their resources with some username or password reuse, or they use slight variations of the same username and password. A breach occurs, and one set of that user’s credentials becomes compromised, and unfortunately, that user created an identity that gives them access to a critical company resource with those compromised credentials. As it happens, luck is not on that user’s side that day, and a bad actor quickly gains access to that critical resource before the user is even aware that a breach involving their credentials and data has occurred.
On top of that, a few weeks back, a different user got an email that looked completely legitimate, and they followed a link that requested they enter their username and reset their password. And, unfortunately, this user also reuses slight variations of that username and password combination across different work resources. Now a different bad actor has gained access to multiple resources within your organization and is in the process of causing substantial damage.
These two scenarios are meant to highlight the security issues that accompany identity sprawl, but too much identity sprawl can also affect whether your organization can maintain or even achieve compliance. Identity sprawl is a security problem because each identity is its own attack vector, and the more attack vectors your organization has, the larger its attack surface, making it easier for bad actors to hone in on it and attempt to cause damage.
Identity sprawl then becomes a compliance issue when those identities are not centrally monitored, managed, or secured by IT. It can be difficult or even impossible to achieve compliance, depending on the standard, if users have numerous identities floating around on the web that are completely uncontrolled by your organization.
How to Avoid Identity Sprawl
The best way to avoid identity sprawl is through the use of single sign-on. SSO enables users to access their resources with a single, secure identity. This eliminates the need for employees to create a new account for each resource they use for work, thus reducing identity sprawl significantly. This also improves security, because employees will no longer need to write down or store different credentials in insecure places (a sticky note, a note file on their device, etc.) for different resources to remember and keep track of them.
However, using SSO on its own doesn’t necessarily solve the entire problem. It’s integral to use layered security measures in conjunction with SSO, such as multi-factor authentication (MFA), conditional/dynamic access policies, as well as a modern password manager to help generate and store unique, complex passwords. This way, if a user does fall victim to a phishing scam or anything else happens to compromise their credentials, there are extra security measures in place to not only deny access to bad actors, but to give IT a heads up that something might be off.
How this all comes to life:
- A user only has to create and worry about a single, secure identity because their organization enforces SSO.
- That user only has to log in once using their SSO credentials to gain access to their work resources, but that one login experience prompts them for another factor (TOTP, fingerprint, etc.) to verify their identity through MFA before granting access.
- That user attempts to access company resources from an unknown device and is denied access per a device-trust-based conditional access policy set up by IT.
- That user can store their SSO credentials inside of a modern password manager for a streamlined login experience using auto-fill features, and they can even use the password manager to generate a new complex password when theirs expires per IT’s guidelines.
Using all of these features together not only reduces identity sprawl significantly, but it also dramatically improves security across your entire organization in ways that aren’t possible with unchecked identity sprawl.
Mitigate Identity Sprawl With JumpCloud
If you’re interested in adopting any of these features, they’re all included in the JumpCloud Directory Platform. Use this open directory platform to unify all of your identity, access, and device management needs to ensure the security of your users and their resources.
Check out the SSO, MFA, conditional access, and password manager features, among many other useful capabilities. Try JumpCloud for free by creating a JumpCloud Free account — add up to 10 users and 10 devices to your account, free of charge, and see if it’s right for your organization before committing to anything.