Exclusive: ConductorOne automates access controls for workers on the go

ConductorOne Inc.developer of the identity management platform, today announced access management capabilities to support new hires, new hires, and exits (in human resources terms, employee onboarding, internal transitions, and exits).

The software allows businesses to onboard hundreds of users in a few clicks using predefined profiles that specify the applications the user is allowed to access and the privileges within those applications. Profiles are typically mapped to jobs, roles, or functions. The app also integrates with popular HR apps to detect employee departures or transfers to new jobs and adjust privileges accordingly.

Users are assigned membership in dynamic groups, which are automatically synchronized and kept up to date.

The company is closing a common gap in enterprise security measures by automating the process of deleting user accounts and privileges. 2024 Identity Security Outlook Report It found that 29% of businesses rely on manual processes to identify and disable orphan accounts, while 6% do not currently have a process in place.

Microsoft Corp. 2023 State of Cloud Permissions Risks Report said more than 60% of cloud identities are inactive and have not used any of the granted permissions in the last 90 days. These pose a security risk because if the credentials are compromised, an attacker could access applications and data under a default account.

Hundreds of integrations

Four-year-old ConductorOne has built integrations with a number of cloud and on-premises applications that make up its most popular use cases, said Alex Bovee, the company’s co-founder and CEO.

“While there are thousands and thousands of (software as a service) applications, the reality is that probably 50 of them account for 90% of the usage and are the biggest pain points,” he said. “We cover all the major SaaS and on-premises infrastructure systems, and most of these integrations support direct provisioning and deprovisioning.”

Direct provisioning grants specific access rights based on their roles or responsibilities. For applications that do not support this functionality, ConductorOne Thina framework that can be used to provision accounts.

Bovee said that while many directory services support RBAC and automatic provisioning, “they typically use Slim, and one of the limitations of that is that it tends to be group-based.” Group-based access can lead to granting more privileges than necessary, as users often inherit all permissions assigned to the group, even if they don’t need them.

It also creates a security risk known as “privilege creep,” where users accumulate excessive access rights over time. All members of a group typically receive the same permissions, and this does not account for unique responsibilities within the same role.

Bovee said achieving granular controls with group access requires defining controls at a granular level. For example, provisioning 100 Amazon Web Services Inc. cloud accounts with five roles each might require directory administrators to create 500 different groups.

“This is ridiculous,” he said. “Administrators don’t want to configure all this stuff. We’re cutting out the middleman by saying we can do the provisioning directly. Just tell us what access people need, and we’ll take care of it for you.”

The software tracks the status of individual users in a company’s HR system for removal and can trigger workflows when people change jobs or leave the company. It can also detect applications that have not been used for certain periods of time and trigger alerts to remove access, saving on software licensing costs.

Image: SiliconANGLE/DALL-E