Can you imagine a company with 5,000 employees but 50,000 groups to manage?
It’s not actually all that uncommon. When organizations use groups for access control, especially in the modern age when apps are everywhere, things go sideways. Group sprawl is real, and it’s a major threat to security.
For our most recent webinar—Lock and Key: Closing the Door on Group Sprawl—ConductorOne’s co-founder and CEO, Alex Bovee, hosted Ben Godard, Head of Security at Spotnana, to dig into the risks created by group sprawl—and how to avoid them.
As Ben and Alex acknowledge in the talk, using groups to manage access can be a seductive strategy. It’s a relatively simple concept, and groups can drive permissions and entitlements in a way that appears straightforward. But groups can proliferate to the extent that people have a hard time deleting them, and security teams eventually lose track of what groups can actually do: new groups become nestled underneath legacy groups and it’s impossible to tell which ones have which permissions and powers.
That’s sweet nectar for attackers, because they can hunt for inherited (yet overlooked) memberships—ones that grant sensitive permissions to critical resources.
For all of these reasons, groups become one of the most dangerous ways people within the organization get too much access. Both Alex and Ben are aware that managing group access may not be the sexiest topic in identity security—but it’s one of the most important things to get right from an enterprise IT and security standpoint.
The language of access
To understand the complexities of identity and access management (IAM), it’s crucial to grasp what Ben calls “the language of access.” This consists of three core components:
- The who: The account or identity (user, service principal, or application)
- The what: The entitlement (permissions or rights)
- The where: The resource being accessed
Everything else in IAM systems, including roles, attributes, and groups, is an abstraction built on top of these fundamental elements. And that’s where things get iffy: the more you abstract away the language of access, the more difficult it becomes to manage the environment in a way that minimizes risk.
The double-edged sword of groups
Groups are a powerful tool for simplifying access management, but they come with significant drawbacks:
Ease of creation, difficulty in cleanup: It’s often easier to create a new group than to determine if an existing group meets the access requirements.
Loss of context: As abstractions pile up, it becomes challenging to understand what specific permissions are being granted. As Ben put it, “Group sprawl helps you lose sight of where your doors are. The more you abstract away the details around the who, what, and where, the harder it is to tell what resources you’re granting access to. There’s no longer a clear correlation between the group and the permissions.”
Bundled permissions: Removing a single permission from a user in a group can be complex, potentially affecting other necessary access.
Ownership ambiguity: IT teams managing groups often lack the context to make informed decisions about access rights. For example, what does an AWS admin role labeled “read-only access” actually grant? This benign-sounding role can in some cases grant both read-only access and view-only access, which in AWS are two totally different things: one can leak PII data and the other will not.
Ben, a former red-teamer, highlighted how differently attackers and defenders view group structures:
- Defenders struggle with managing complex webs of interconnected memberships.
- Attackers thrive on this complexity, exploiting overlooked inherited memberships to gain sensitive access.
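As an added illustration (not code from the webinar, Spotnana, or ConductorOne), the script below resolves a user's effective access through nested group memberships and reduces every grant back to the who/what/where triple, recording the membership chain that produced it; the directory, grants, and resource names are constructed sample data.

```python
# Added example: flatten nested group membership into who/what/where triples
# so inherited grants from legacy groups become visible to defenders.
from collections import deque

# Constructed sample directory: a group's members may be users or other groups.
MEMBERS = {
    "eng-all":        ["alice", "bob", "eng-backend"],
    "eng-backend":    ["carol", "legacy-ops"],
    "legacy-ops":     ["dave", "eng-all"],        # newer group nested under a legacy one
    "billing-admins": ["erin"],
}
# Constructed grants: group -> list of (entitlement, resource).
GRANTS = {
    "eng-all":        [("read", "wiki")],
    "legacy-ops":     [("admin", "prod-db"), ("read", "customer-pii-bucket")],
    "billing-admins": [("write", "billing-ledger")],
}
# Constructed list of resources whose grants deserve review.
SENSITIVE_RESOURCES = {"prod-db", "customer-pii-bucket"}

def parents_of(member):
    """Groups that directly contain `member` (a user or a group)."""
    return [g for g, ms in MEMBERS.items() if member in ms]

def effective_access(user):
    """Return {(who, what, where): chain} for every grant the user holds,
    directly or via nested groups. `chain` is the shortest group path that
    confers it (BFS order). Cycles are cut by tracking expanded groups."""
    result, seen = {}, set()
    queue = deque((g, (g,)) for g in parents_of(user))
    while queue:
        group, chain = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for what, where in GRANTS.get(group, ()):
            result.setdefault((user, what, where), chain)
        for parent in parents_of(group):
            queue.append((parent, chain + (parent,)))
    return result

def inherited_sensitive(user):
    """Sensitive grants reached only through a nested chain (length > 1):
    the overlooked inherited memberships the talk warns about."""
    return sorted((what, where, " -> ".join(chain))
                  for (_, what, where), chain in effective_access(user).items()
                  if where in SENSITIVE_RESOURCES and len(chain) > 1)

if __name__ == "__main__":
    for row in inherited_sensitive("alice"):
        print(row)
```

Running it for `alice` shows that her membership in the current `eng-all` group silently confers admin on `prod-db` through the legacy group it is nested under, a grant no one reviewing `eng-all` alone would see.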
Spotnana’s solution: Embracing just-in-time access
To address these challenges, Spotnana implemented several key strategies:
- Decoupling from groups: They moved away from relying heavily on groups for access management.
- Implementing just-in-time (JIT) access: This approach grants specific permissions to individuals for limited time periods.
- Empowering resource owners: People with the most context now manage access decisions, reducing the burden on IT.
- Enhancing accountability: JIT access creates clear audit trails, making it easier to track who granted access and when.
Leveraging ConductorOne for improved access management
Let’s not mince words: ConductorOne was a huge part of Spotnana’s success. The platform equipped Ben’s team with these capabilities:
- Flexible integrations: The ability to connect with various tools and technologies, including custom applications.
- Direct provisioning: The AWS connector allowed for individual user provisioning to permission sets, eliminating the need for numerous groups.
- Simplified approval workflows: Utilizing entitlement owner approval policies streamlined the access request process.
By implementing these changes, Spotnana achieved:
- Reduced group sprawl
- Improved visibility into access rights
- Enhanced security through time-limited, specific permissions
- Streamlined approval processes
- Better alignment with least privilege principles
Groups can still be a useful tool in access management. Ben actually pointed out that groups can be used well as the approvers of access, since that’s harder for an attacker to successfully mimic and it’s a highly visible activity that is audited and logged. But if groups are simply the default way that users get permissions, the results can be both undue complexity and intensified security risks.
Fortunately there’s another way. By embracing modern solutions like just-in-time access and leveraging tools that provide granular control and visibility, organizations can avoid one of the most common pitfalls in identity security.
Want to check out the entire conversation? See the on-demand webinar here. And you can always request a demo of ConductorOne here.