Explaining the Access-Trust Gap

by Elaine Atwell

In life, we’ve all encountered the gaps between the idealized world and the world as it is.

You’d love your favorite sports team to have a perfect season, but you’re prepared for them to lose a few games.

Retailers want to sell their entire inventory, but they plan for a certain percentage of their goods to be damaged or stolen.

IT and security professionals try to ensure that only the right people can access their company’s resources, but acknowledge that some data will inevitably slip through the cracks.

These gaps are acceptable, until they are not.

When your favorite team loses all its games, it might be time for a new coach (or to stop being a Browns fan). If a store’s merchandise keeps getting shoplifted, they need a security guard. And if a company’s sensitive data keeps being accessed by unapproved users, devices, and apps, then their security stack might not be up for the job.

As you’ve probably guessed, we’re here to talk about that third example, which we call “The Access-Trust Gap.”

What is the Access-Trust Gap?

The Access-Trust Gap refers to the difference between the users, applications, and devices that a business trusts to access sensitive data, and those that can access it in practice.

Put another way: every company agrees that access to its resources should be restricted to the people who need it, and that even those people need to treat it carefully. These are the most basic tenets of security, and you can see them every day in the physical world; you don’t let some random person waltz into your bank vault, and you don’t let a bank teller take a duffel bag full of cash to the nearest bar.

In cybersecurity, however, determining trust and restricting access is much more complex, and that leads to a lot of unsanctioned access to sensitive data.

In the inner circle of our Access-Trust graphic, you can see the types of access that are generally considered trustworthy because they are managed by a company’s IT team.

An illustration of the Access-Trust Gap with managed users, devices, and apps at the center, and BYOD and unmanaged apps falling outside of the traditional security stack
  • In the case of devices, “trusted” means company-owned computers and phones that are usually managed via MDM, which can enforce certain security settings and remotely lock and wipe devices if needed.
  • When we’re talking about users, trusted means employees whose access is centrally managed via an identity provider such as Okta, Microsoft, or Google.
  • Trusted applications are those that are approved of and managed by the IT team, who can provision and deprovision users as needed.

Unfortunately for security, a lot of business takes place outside this trusted inner circle. Users often do work on their personal, unmanaged devices. Not all end users are employees at all – some are guests and contractors. And teams increasingly rely on “shadow IT” applications that IT doesn’t even know about.

To understand how this plays out in real life, imagine a chain of events in which:

  1. A third-party contractor
  2. Uses their personal device to log into
  3. An unapproved file-sharing application

Every element of this path presents risk. The contractor isn’t enrolled in Okta, so they can’t take advantage of its MFA for a secure sign-in. The contractor’s device isn’t managed by MDM and doesn’t have EDR installed, so it could be infected with malware. The file-sharing application is known to be prone to breaches, so the sensitive data stored there isn’t really secure. Every issue snowballs on the next to create, well, a really big snowball of risk.
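To make the definition concrete, here is an added example (not from the original post or from 1Password) that compares access events against what IT actually manages in each of the three dimensions and reports which events fall into the gap. The inventories, the event tuples, and names such as `quickshare` are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed inventories (assumptions): the "trusted inner circle".
IDP_USERS = {"alice@example.com", "bob@example.com"}   # identities managed in the IdP
MDM_DEVICES = {"LAPTOP-0012", "LAPTOP-0031"}           # MDM-enrolled device serials
SANCTIONED_APPS = {"crm", "payroll"}                   # apps provisioned by IT

# Constructed access events as (user, device, app) tuples.
EVENTS = [
    ("alice@example.com", "LAPTOP-0012", "crm"),
    ("bob@example.com", "bobs-macbook", "crm"),
    ("alice@example.com", "LAPTOP-0012", "quickshare"),
    ("contractor@vendor.example", "personal-pc", "quickshare"),
    ("bob@example.com", "LAPTOP-0031", "payroll"),
]

def untrusted_factors(event):
    """Return which of user/device/app fall outside the managed inventories."""
    user, device, app = event
    gaps = []
    if user not in IDP_USERS:
        gaps.append("user")
    if device not in MDM_DEVICES:
        gaps.append("device")
    if app not in SANCTIONED_APPS:
        gaps.append("app")
    return gaps

def gap_report(events):
    """Summarize how much real access happens outside the trusted set."""
    per_factor = Counter()
    flagged = []
    for event in events:
        gaps = untrusted_factors(event)
        per_factor.update(gaps)
        if gaps:
            flagged.append((event, gaps))
    # Events failing the most dimensions first: the "snowball" cases.
    flagged.sort(key=lambda item: len(item[1]), reverse=True)
    return {
        "total": len(events),
        "in_gap": len(flagged),
        "ratio": len(flagged) / len(events) if events else 0.0,
        "per_factor": dict(per_factor),
        "flagged": flagged,
    }

if __name__ == "__main__":
    report = gap_report(EVENTS)
    print(f"{report['in_gap']}/{report['total']} events fall in the gap")
    for event, gaps in report["flagged"]:
        print(event, "->", ", ".join(gaps))
```
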

How big is the access-trust gap?

Research indicates that “untrusted” access is rampant in businesses across industries. 1Password’s State of Enterprise Security report found that over a third of workers use unapproved applications or tools for work, with tech workers leading the pack.

Chart highlighting that one in three workers use shadow IT, with a breakdown of shadow IT usage in common industries

Meanwhile, a 2023 survey by Kolide found that 47% of companies allow their workers to access company resources on unmanaged devices.

So a little unscientific, back-of-the-napkin math tells us that something like half of companies have these vulnerabilities. (In reality, the number is probably bigger, because these problems are inherently invisible until something goes wrong.)

This seems bad. How did we get here?

There are two big factors that have widened the Access-Trust Gap in the past few years:

  1. The proliferation of SaaS apps
  2. The growth of hybrid work.

In the first case, the number of apps used by the average organization has exploded since the 2010s. One study found that in 2015, the average company used 8 SaaS apps; by 2020 that had grown to 80, and by 2022 it was a whopping 130 apps. Moreover, workers increasingly seek out and purchase these apps without IT’s knowledge or approval. (That doesn’t mean your company isn’t paying for those apps, by the way; it just means that workers make a budget instead of an IT request.)

Ideally, you would want all these apps protected by SSO, so authentication is more secure and IT can manage identities from a central dashboard. Unfortunately, that’s extremely difficult to achieve even for the apps you do know about, given the dreaded SSO tax that frequently makes this feature unaffordable.

The other factor at play here is the growth of a “work-from-anywhere” culture, which had been building for a while, but got a major pandemic boost. When workers left the office, many companies adopted BYOD policies, or simply accepted that they couldn’t stop users from working on their preferred, personal devices. And why couldn’t they stop them? Because of all those SaaS apps that you can log into from any device, without needing to be on a corporate network or VPN.

Thus, you can see that these three seemingly disparate problems (unsecured identities, apps, and devices) are really all part of the same phenomenon. Three sides of the same extremely wonky coin, if you like – or maybe, three heads of the same fearsome dog.

Closing the Access-Trust Gap

Let’s be clear: there is more than one way to address the problems we’ve just gone over.

For example, you could:

  • Eliminate BYOD by buying everyone a company-owned phone and laptop
  • Roll out VDI or similar software for third-party contractors to control their access
  • Put every application behind SSO
  • Manage employee devices to the degree that they are unable to access any application or website not approved by IT.

The problem with those tactics is that they are extremely expensive, labor intensive, and damaging to productivity and worker experience.

Comic showing two compliance officers on a boat monitoring a worker tapping away on a laptop underwater. One of the officers remarks to the other that they've successfully reduced the risk of fire.
Source: honest.security

So, for the remainder of this section, we’re going to talk about how 1Password solves the Access-Trust Gap through 1Password®️ Extended Access Management (XAM). As you might guess from the name, our approach is based not on eliminating all the forms of access that fall outside traditional solutions, but extending protection to them.

Devices

Your goal here is to ensure that only devices that are known (associated with an employee) and secure (in a compliant state) can access your company’s resources. This basic concept is known as device trust.

To accomplish this, you have basically two options:

  1. Ban BYOD. Prohibit any unmanaged device from authenticating to your systems.
  2. Secure BYOD. Allow unmanaged devices to authenticate, but only if they meet your security requirements (updated software, firewall turned on, etc.).

Regardless of which route you take, 1Password Extended Access Management can help you get there. Our device trust solution makes the device itself into an authentication factor, so if a device doesn’t have the agent installed, it can’t log into the company’s apps. That means a bad actor with stolen employee credentials is out of luck unless they also have that employee’s device.

If you want to eliminate BYOD, you could make a device being enrolled in MDM a requirement for authentication, and lock out personal devices.

Alternatively, you can use device trust to manage devices outside the scope of MDM. Unlike MDM, XAM device trust can go onto personal and contractor devices, because it allows the user to maintain much more agency over their device, and (deliberately) does not have the ability to remotely wipe devices.

That being said, device trust has a lot to offer for endpoints that are enrolled in MDM. It provides admins with much more comprehensive and customizable abilities to check for various device properties. 1Password Extended Access Management includes a library of over 100 pre-built checks, plus the ability to write custom checks. By contrast, MDM solutions can only manage a few types of issues.

An end user’s laptop can be enrolled in MDM and still be running an unpatched browser, using unsecured software, and have plaintext credentials sitting in its hard drive. Device trust, on the other hand, would not permit a user to authenticate until they have fixed these issues.

In conclusion, there’s a bigger argument to be had as to whether those managed devices in the inner circle of the access-trust graphic should really be considered “trusted” at all, but for now, let’s move on to the other elements of 1Password Extended Access Management.

User identities

Here the goals are threefold:

  1. Ensure with a high degree of confidence that a user is who they claim to be – let’s call that secure authentication.
  2. Easily grant and revoke access so workers have the resources they need, but avoid excessive permissions, AKA role-based access control (RBAC).
  3. Quickly and easily grant and remove access when someone joins or leaves the company, AKA onboarding/offboarding.

In all three cases, your most useful tool is single sign-on (SSO), but as we’ve discussed, managing those integrations can be difficult and cost-prohibitive.

1Password Extended Access Management approaches this problem from multiple angles. User identity allows you to apply SSO to your apps and enable Universal Sign-On for your end users. This is ideal for small or new companies who haven’t signed onto an IAM solution like Okta or Microsoft Entra, and need a more streamlined and affordable way to manage access.

You can also use user identity to centrally manage access for third-party contractors – assign them to a group and only grant that group access to specific apps.

User identity also integrates with other IdPs so, for example, if you remove someone from your Google instance, that will automatically revoke their permissions via 1Password Extended Access Management, as well.

Another key way of securing access is through the 1Password Enterprise Password Manager (EPM), the product we’re best known for. An EPM shores up authentication, especially on apps for which SSO is incompatible or unaffordable. It ensures workers are using secure, unique passwords, as well as enabling more secure forms of authentication, such as passkeys.

Applications

Finally, you need to get visibility into the applications end users employ for work. That in itself is a huge challenge, because you have to collect relevant data without accidentally scooping up information about an employee’s personal apps. But your overall goal, much like with devices, is to ensure that only apps that are known and secure can access your company’s resources.

Once you’ve identified the apps employees use for work, you can do three things:

  1. Ban unsanctioned shadow IT that you have determined to be a security risk or a financial burden.
  2. For shadow IT apps you don’t object to, implement SSO to make them more secure.
  3. For both managed and unmanaged apps, eliminate unnecessary access for licenses that are going unused.

The first two goals here are primarily about security, while the third is more about budget, although users who maintain access to resources after they no longer need it can lead to data breaches, most notably in the Drizly hack.

1Password Extended Access Management enables administrators to accomplish all three goals by flagging the work-based apps being used and surfacing that list to admins, indicating whether those apps are being managed by SSO, who is using them, and how often they’re actually being used.

Conclusion: Mind the gap

As we said in the introduction, gaps are acceptable until they’re not. Once a gap becomes so wide that it’s more of a canyon than a crack, people start getting worried and writing blog posts.

We’ve now lived through years of preventable data breaches stemming from weak credentials, unsecured devices, and shadow IT – so much so that even the annual Verizon Data Breach Investigations Report is starting to sound a little fed up.

Clearly, the Access-Trust Gap is something we can no longer live with. Thankfully, with 1Password Extended Access Management, we don’t have to.

To learn more about how 1Password Extended Access Management can help close the gaps in your security stack, reach out to us here.

Elaine Atwell - Manager of Content Marketing