New Identity Security Features Let Teams Prevent, Detect and Resolve Over-Provisioned Access at Scale
Opal Security, building the next generation of identity and access management, announced updates to its industry-first least privilege posture management platform. Originally launched in April, it consists of capabilities that enable security teams to better manage identity security in a standard security workflow by proactively, detecting, prioritizing and calibrating over-provisioned access across organizations.
Opal has added several new features to its identity security platform, including group optimization, which helps customers identify and remediate identity risk inherent in broad group-based access; irregular access, a new risk factor used in detecting and prioritizing risky access; and native least privilege support for Snowflake.
Group Optimization
Companies leverage groups — Okta, Microsoft Entra or Google groups — as a simple way to provide role-based access to resources. However, managing access via groups comes with complications. Groups can become obsolete, the policies can be too broad, and the sheer number of groups can become unwieldy over time. Group optimization helps customers identify risks inherent in group-based access, and take immediate steps to reduce the blast radius of over-provisioned, unused and accidental membership access.
Opal’s group optimization helps teams manage group access by detecting:
- Users in groups who are not using the group to leverage resources over a duration of time, and who should be removed from the group.
- Resources available to groups that no one in the group has accessed over a duration of time, and that should be removed from the group.
- Groups that have not been leveraged by any users over a duration of time, and that may be deleted.
- Groups that are not following the company’s group naming convention, and that should be re-named to align.
- Group hierarchy issues, such as deeply nested or circularly referenced groups that should be moved out of a hierarchy to avoid unintended access management issues.
For each group risk identified, Opal enables immediate action. In just a couple of clicks, IAM or security teams can remove users from groups they are not leveraging, remove resources from groups that are not being used or convert access to just-in-time (JIT) with an expiration date for access.
Irregular Access
Opal Security’s least privilege posture management detects and prioritizes different types of risky access based on several factors, including permanent access, sensitivity, unused access and access provisioned outside of Opal.
In addition, the platform will now leverage machine learning to identify irregular access. Access patterns that do not conform to the usual patterns will be detected by combining several variables, such as job function and team, nature of access, resource attributes and access graph topology.
For example, it may detect that someone on the sales team has access or privileges to an AWS database that is usually only given to developers, an indication of over-privileged access that might be accidental or nefarious.
As with all of the other risk factors, irregular access is factored and prioritized by assigning an overall risk score, and remediation action is recommended and achievable within two clicks.
Native Support for Critical Data Systems
Opal Security’s first-party Snowflake integration empowers security, infrastructure and IT teams to easily manage and remediate access to Snowflake Roles and resources such as databases, schemas and tables.
Snowflake’s powerful and flexible Access Controls Framework allows administrators to set granular permission scopes with a high degree of customizability. However, this also means administrators must be equipped to manage complex access patterns that come with elaborate organizational policies. This complexity can lead to challenges when managing Snowflake instances at scale as a part of a company’s overall security strategy. Several recent breaches, all stemming from situations where valuable data was accessible on Snowflake instances that did not require multifactor authentication (MFA) have highlighted not only the challenge but also the magnitude of the impact if critical data is leaked.
With Opal’s first-party integration, customers can key access questions and implement and maintain least privilege in their Snowflake environments. Opal provides the ability to see and modify which users have access to Snowflake Roles and Securable Objects so that teams can manage access and privileges to a granular level. Teams can enable just-in-time access to reduce risk by shrinking the time access is enabled and therefore potentially exploited, and enable and enforce policies such as requiring multifactor access.
“Our mission is to bring the best of infrastructure and security to all of identity. With this new set of features, we empower teams to properly mitigate more types of identity risk, move away from point-in-time audits managed by arbitrary teams, and get to an ongoing flow within a comprehensive security strategy,” said Umaimah Khan, founder and CEO of Opal Security. “We believe this is the very beginning of an overall shift toward identity being a primary lens and focus for security teams as data and applications spread across SaaS, cloud and self-hosted infrastructure.”
One customer who recently evaluated and selected Opal said, “We chose Opal Security over other vendors for several reasons. Their mature API and Terraform support enable us to manage resource access through a codified, reviewable, and easily revertible system. Opal’s flexible and comprehensive platform allows us to tailor approval flows based on the risk level of a resource or the role of the requestor, ensuring a robust and secure user experience. Additionally, the Threat Center feature allows us to easily monitor and reduce unused or permanent access while still providing our users with a seamless request experience through their Slack integration.”
Least privilege posture management is available to Opal Security customers in cloud and self-hosted deployments at no additional cost. To learn more about least privilege posture management, you can schedule a meeting with the Opal team at Blackhat, August 6-8 in Las Vegas, or visit the Opal Security website.
Explore AITechPark for the latest advancements in AI, IOT, Cybersecurity, AITech News, and insightful updates from industry experts!