Getty Images/iStockphoto

Access management issues may create security holes

Employees who aren't credentialed to access corporate systems to do their jobs find ways around the red tape that could lead to security breaches.

Access restrictions that are meant to keep corporate systems secure could have the adverse effect of causing employees to find workarounds and share credentials with co-workers, creating potential security vulnerabilities.

That's according to a study from security vendor StrongDM, which recently polled 600 IT, security and DevOps workers. It found that in many cases, users find alternative methods to access their containers, cloud services and other essential tools when they don't have access through the managed company channels.

The problem, according to StrongDM, whose software provides technical staff with direct access to infrastructure, arises from a natural conflict related to the pressure that employees face to make deadlines versus the demand for newer, better-maintained systems and services.

While executives and managers press IT admins to update to the latest and greatest versions of network services, as well as implement secure and well-maintained access protocols, end users -- particularly developers and DevOps teams who rely on stored code and containers -- need to access those resources.

The survey found that 73% of employees need at least 15 minutes per day to get access to the data they require for work, and 30% of StrongDM survey respondents said it takes them more than 30 minutes. Meanwhile, around 40% of the admins polled said that simply getting new tools linked up with their existing access management systems takes multiple days -- or weeks to months for a smaller percentage of organizations -- to accomplish.

If [teams] run into too many blockers on one project, when the next project is kicked off they may create the backdoors to avoid slowdowns, bypassing proper protocols for managing access.
Justin McCarthyCo-founder and CTO, StrongDM

While new systems are being integrated with access management controls, end users will still have deadlines to meet and projects to accomplish. This means that they go outside the management controls.

"Technical employees tend to be problem solvers by definition," the report noted. "So if they cannot get access to the tools or solutions they need to meet a deadline or complete a project, it's no surprise when they come up with workarounds in order to solve the problem."

Those workarounds could include things like directly accessing the cloud service or system using their personal credentials or even a shared login; 55% of those surveyed said they have seen their teams maintain a backdoor access method, while 53% said they shared credentials to important services.

This is where the major security threat arises. Those credentials then become vulnerable to hackers via account theft, malware or other common tricks.

The use of stolen credentials accounted for nearly 50% of attacks in 2021 and was present in third-party breaches, phishing attacks, basic web application attacks and system intrusions, according to the Verizon 2022 Data Breach Investigations Report.

Hackers could easily use compromised accounts to move laterally over the network and accomplish complete takeovers and data theft. This is particularly dangerous for developers and DevOps teams as it further creates the potential for supply chain attacks against other enterprises and networks.

"Backdoors get created when teams get frustrated with delays and roadblocks. If they run into too many blockers on one project, when the next project is kicked off they may create the backdoors to avoid slowdowns, bypassing proper protocols for managing access," StrongDM co-founder and CTO Justin McCarthy told SearchSecurity.

"On the flip side, sometimes the backdoors and shared credentials happen early in the development cycles because the team is moving fast, and open access is easier than implementing proper controls," he added.

There are a number of identity and access management products on the market that aim to address the balance of security and employee access, including products from CyberArk, Microsoft and IBM, as well as smaller vendors.

Next Steps

What enumeration attacks are and how to prevent them

Dig Deeper on Identity and access management