UPDATED 09:00 EDT / SEPTEMBER 23 2024


Exclusive: ConductorOne automates access controls for employees on the move

ConductorOne Inc., the developer of an identity governance platform, today announced access management capabilities to support joiners, movers and leavers, a human resources term for employee onboarding, internal transitions and offboarding.

The software enables businesses to onboard hundreds of users with a few clicks by using predefined profiles that specify the applications the user is allowed to access as well as privileges within those applications. Profiles typically map to jobs, roles or functions. The application also integrates with popular HR applications to detect employee departures or transitions to new jobs and adjust privileges accordingly.

Users are assigned membership in dynamic groups, which are automatically synchronized and kept up to date.

The company is addressing a common gap in enterprise security measures by automating the process of deleting user accounts and privileges. Its 2024 Identity Security Outlook Report found that 29% of businesses rely on manual processes to identify and deactivate orphaned accounts, while 6% don’t currently have a process.

Microsoft Corp.’s 2023 State of Cloud Permissions Risks Report said more than 60% of cloud identities are inactive and haven’t used any of their granted permissions in the last 90 days. These inactive identities present a security risk because if credentials are compromised, an attacker can gain access to applications and data under an assumed account.

Hundreds of integrations

The four-year-old ConductorOne has built integrations with a large number of cloud and on-premises applications that comprise the most popular use cases, said co-founder and Chief Executive Alex Bovee.

“Although there are thousands and thousands of [software-as-a-service] apps, the reality is that probably 50 of them account for 90% of the usage and are the biggest pain points,” he said. “We have all the major SaaS and on-prem infrastructure systems covered, and most of those integrations support direct provisioning and de-provisioning.”

Direct provisioning grants users specific access rights based on their role or responsibilities. For applications that don’t support that functionality, ConductorOne integrates with SCIM, an application program interface for managing identities across cloud-based applications and services.

Though many directory services support RBAC and automated provisioning, Bovee said, “they usually use SCIM, and one of the limitations of that is that it tends to be group-based.” Group-based access can lead to granting more privileges than necessary because users often inherit all permissions assigned to the group, even if they don’t need them.

It also creates a security risk known as “privilege creep,” where users accumulate excessive access rights over time. All members of the group typically receive the same permissions, which doesn’t account for unique responsibilities within the same role.

Achieving fine-grained controls with group access requires defining controls at a granular level, Bovee said. For example, provisioning 100 Amazon Web Services Inc. cloud accounts, each with five roles, can require directory administrators to create 500 different groups.

“That’s ridiculous,” he said. “Administrators don’t want to configure all that stuff. We cut out the middleman by saying we can do the direct provisioning. Tell us the access people need and we’ll take care of it for you.”

For de-provisioning, the software monitors the status of individual users in a company’s HR system and can trigger workflows when people change jobs or leave the firm. It can also detect applications that haven’t been used for defined periods of time and trigger an alert for access to be removed, thereby saving on software license costs.
