It’s past time to contain identity sprawl. Here’s how to do it.


Identity sprawl – too many usernames and too many passwords – has never been as big a concern as it is today: More devices are being brought into the enterprise, more people are working remotely and using their own devices, and more users continue to access on-premises and cloud data stores.

An enterprise issue since at least 2014, identity sprawl refers to users with multiple identities needing to be managed in different systems and directories. The old saying, “There’s an app for that,” also means there’s an identity and a password for that – creating greater difficulty in managing who has access to what. The Internet of Things (IoT) has added to the identity sprawl problem by orders of magnitude.

The situation is often exacerbated by: 1) the influx of permanent staff using their own devices at work and remotely, and 2) gig employees who work on their own devices (34 percent of the U.S. workforce) who are not using a company-approved, managed device.

Employees also use social media and other traditionally non-business apps as part of their day-to-day work operations.

The attack surface continues to grow

Identity sprawl increases the likelihood of having passwords compromised, expanding the attack surface that enterprises need to secure.

Considering that the 2019 Verizon Data Breach Investigations Report once again revealed that compromised identities via credentials are the leading cause of data breaches, it’s clear why identity sprawl is such an issue: Keeping cyber attackers out is often as difficult as providing access to legitimate users.

In most of the headline-grabbing incidents in the last year, such as Marriott’s breach when more than 5 million passport numbers of customers were exposed, the wider-ranging consequences for consumers made those attacks especially discomforting. The reason? People have so many online accounts – more than 130 per email address, according to Dashlane – that when one is compromised, they are all at risk.

The large number of identities we create and use at work and in our personal lives has created a tangled web of recycled and poorly managed credentials. That creates a domino effect of one account breach extending to every corner of our digital lives.

Implement a unified, comprehensive strategy

Several solutions have been tested throughout the years, but most of them have been patchwork attempts. These include restricting access from unknown or unverified devices, requiring staff to use company-owned devices and limiting the use of company-wide applications.

The problem is that these efforts frustrate users, compelling them to look for workarounds, which limits productivity and increases security risks. (And trying to mandate the use of company-owned devices in gig economy companies is nothing but a non-starter.)

Cybersecurity experts seeking to contain identity sprawl should keep these goals in mind when searching for a solution:

• To determine where users are coming from or if they’re camouflaging their location.

• To determine the veracity of the device.

• To provide them with access only to what they’re trying to access.

• To configure systems to automatically handle situations when any condition isn’t satisfied.

Enable access, enable the people

The solution should always center on providing secure access to the right systems by the right people whilst simultaneously providing a positive user experience. This includes remote and gig employees working from different locations.

Here’s an example of how a solution like that would work using adaptive authentication techniques:

• Device recognition: Make sure users are attempting access from a known, safe device, even before they provide their usernames.

• Known location or IP address: Determine their location, or if they’re using covert technologies that hide their internet protocol (IP) address or other location information.

• Known log-in behavior: Users tend to follow a regular pattern when accessing corporate resources. Abnormal activity should be a sign of potential compromise.

• Access rights: Once they’ve successfully been identified by their username, email address or IP address, provide access only to the requested resource or system. For example, an intern shouldn’t be trying to access a proprietary financial operations system.

• Multi-factor authentication method: At this point, authenticate the user by password and/or other login tokens such as one-time passcode or push-to-accept.

When even one of these requirements isn’t fulfilled, then demand a higher level of authentication, such as biometrics, instead of simply blocking access. That’s because false positives may be preventing a legitimate user from gaining access to what they’ve requested.
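The adaptive flow described in the list above can be expressed as a small policy engine. The following is an added example written for this article, not code from the author or any product: it evaluates the device, location, behaviour and access-rights signals for a request and returns “allow”, “step_up” (demand a stronger factor such as biometrics) or “deny”. All users, device IDs, networks and the anonymiser address list are constructed placeholders. One design choice goes slightly beyond the text: the access-rights check is treated as authorization and fails closed, because no extra authentication factor should let an intern into a finance system; the other three signals escalate to step-up rather than block, as the paragraph recommends.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

# --- Constructed sample policy data (hypothetical users, devices, networks) ---
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "alice": {"laptop-a1"},
    "intern-bob": {"tablet-b7"},
}
KNOWN_NETWORKS: Dict[str, list] = {
    "alice": [ip_network("203.0.113.0/24")],       # office egress (TEST-NET-3)
    "intern-bob": [ip_network("198.51.100.0/24")],  # office egress (TEST-NET-2)
}
# Typical login window per user (hours of the day), learned from history.
TYPICAL_HOURS: Dict[str, range] = {
    "alice": range(7, 20),
    "intern-bob": range(9, 18),
}
ROLE_OF: Dict[str, str] = {"alice": "finance", "intern-bob": "intern"}
ALLOWED_RESOURCES: Dict[str, Set[str]] = {
    "finance": {"wiki", "finance-ops"},
    "intern": {"wiki"},
}
# Addresses believed to be anonymising exits (constructed list for the example).
ANONYMISER_EXITS = {ip_address("192.0.2.77")}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    source_ip: str
    resource: str
    hour: int  # 0-23, local time of the attempt


@dataclass
class Decision:
    outcome: str                                   # "allow", "step_up" or "deny"
    required_factors: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Score an access attempt against the adaptive-authentication signals."""
    reasons: List[str] = []

    # Access rights are checked first and fail closed: stronger authentication
    # cannot grant a resource the role was never entitled to.
    role = ROLE_OF.get(req.user)
    if role is None or req.resource not in ALLOWED_RESOURCES.get(role, set()):
        return Decision("deny", [], [f"{req.user!r} is not entitled to {req.resource!r}"])

    # Signal 1: device recognition, evaluated before any credential is asked for.
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        reasons.append("unrecognised device")

    # Signal 2: known location / IP address, including attempts to hide it.
    ip = ip_address(req.source_ip)
    if ip in ANONYMISER_EXITS:
        reasons.append("source address is an anonymising exit")
    elif not any(ip in net for net in KNOWN_NETWORKS.get(req.user, [])):
        reasons.append("unfamiliar network")

    # Signal 3: known log-in behaviour (here simplified to the usual hours).
    if req.hour not in TYPICAL_HOURS.get(req.user, range(0, 24)):
        reasons.append("login outside usual hours")

    # Every signal satisfied: password plus a routine second factor.
    if not reasons:
        return Decision("allow", ["password", "push"], ["all signals satisfied"])
    # Any unmet signal escalates to a stronger factor instead of blocking,
    # so a false positive costs the legitimate user a biometric prompt, not access.
    return Decision("step_up", ["password", "biometric"], reasons)


if __name__ == "__main__":
    print(evaluate(AccessRequest("alice", "unknown-dev", "203.0.113.10", "finance-ops", 10)))
```

In practice the three escalating signals would be scored and logged rather than just listed, so that a security operations team can later review why a given attempt was stepped up; the `reasons` field is the minimum record such a review needs.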

Identity sprawl is a boon to cybercriminals because there are so many unsecured devices, unsanctioned apps and a variety of workarounds they can easily take advantage of. The problem for cybersecurity officials is to thwart the criminals and make it easy for legitimate users while simultaneously strengthening company security. By understanding the reasons for, causes of and solutions to identity sprawl, we can finally begin to bring the problem under control.
