A field guide to bad permissions part 4: policy-violating permissions

The migration of data and infrastructure to the cloud has increased the scale, scope, and complexity of identity security. However, traditional tools for identity security and governance have not evolved significantly from the on-prem era, leaving security teams struggling to manage risky permissions that can empower attackers when identities are compromised. This article discusses policy-violating permissions, which violate aspects of a company's data or security policies and may threaten compliance with regulatory frameworks. Examples include segregation of duties violations, sovereignty violations, and misconfigured identities. Companies found not to be complying with frameworks like Sarbanes-Oxley (SOX) face penalties from enforcing agencies, loss of business, reputational damage, and increased scrutiny from regulators. Policy-violating permissions often go unnoticed due to a lack of visibility into the true permissions identities have, vague or inaccurate group/role names, incomplete metadata, and siloed data. Veza's Authorization Graph can help enforce segregation of duties by linking any identity to its granular permissions across SaaS apps, cloud infrastructure, and custom apps. It also provides comprehensive identity and resource metadata and highlights missing key metadata like location or department.