It’s no secret that technology has come in leaps and bounds since the invention of the personal computer in the 80s. In the 90s we saw the World Wide Web burst onto the scene, shortly followed by the arrival of the iPhone in the early 2000s. Today, as we approach 2020, we’re facing biotech, blockchain, and bots.
With this technological evolution far from slowing down, enterprises across the globe now need to tackle the growing challenge of governing their workforces’ access to data amid the digital transformation.
Through all the handoffs of cybersecurity to protect people in organisations – from firewalls to access management to a solid identity governance program – many organisations are left confused on how to combat threats facing them and, unfortunately, more than a few myths have persisted. Hackers have become increasingly crafty in the past ten years, and now are targeting one of the most pivotal parts of an organisation: its people. To protect, you must educate. Let’s debunk some of these myths that have persisted for the last decade.
Myth #1: Provisioning will solve everything under the sun for my governance problems
For years, many provisioning solutions did a decent job of adding and deleting users. Today, they are not nuanced enough for legitimate governance. Not only do they lack the broad application coverage required to meet compliance, but they also struggle to report “who has access to what” and continue to be too technical for business users.
Granting or removing access does not address the more significant issue of security. Identity governance helps with automating provisioning processes through a governance-based approach. This approach will allow enterprises full visibility over their users, applications, and data to be able to answer the three paramount questions:
- Who has access to what?
- Who should have access?
- What are they doing with that access?
Myth #2: Role management is the key to solving everything
Ten years ago, Oasis was still a band, and the identity industry believed that role management was the cure for what ailed us. While it is true that role management can provide business context to simplify identity management, it is a means to an end but not the key to solving everything identity-related. Roles can be employed as components of identity governance solutions, when and where they are useful, but they are not the only requirement for strong enterprise security.
Myth #3: Identity governance doesn’t work with or in the cloud
Back in the day, legacy provisioning and identity management solutions were delivered entirely from on-premises and only managed on-premises systems. Enter cloud applications, storage, and infrastructure. Not only has cloud become the preferred method of deployment for many enterprise identity programs, but identity governance has evolved to ensure on-premises and cloud applications and data found in cloud storage are all governed in a consistent and efficient manner. Moreover, with the rapid adoption of cloud infrastructures, such as Amazon AWS and Microsoft Azure, enterprise organisations are also leveraging their identity solution to secure and govern access; protecting where some of the most valuable information is stored.
Myth #4: You only need identity governance if you’re subject to regulatory compliance
When the Sarbanes-Oxley Act (SOX) was first enacted, identity governance initially emerged as a new category of identity management to improve transparency and manageability within specific industries (i.e., manufacturing) to meet compliance regulations. Every organisation, regardless if you are subject to regulations, need to strengthen controls over access to sensitive data and applications.
To be secure, regardless of the ever-changing regulatory landscape, today’s organisations must put in place preventive and detective controls. These controls can protect all kinds of data – embedded in applications, stored on file shares and in the cloud, and even on mobile devices.
Myth #5: Not my problem! Identity governance is an IT issue
Eons ago, it was common for IT to be solely responsible for identity governance. Business application owners were not held accountable for compliance with internal controls, even though they understood how the systems were being used and which employees needed access to applications and data. As a result, IT shouldered responsibility for a set of risks that were actually business risks. Here’s what we know now: the business side of the house must assume some, if not all, ownership for identity governance and team with IT to ensure it is appropriately included in the organisation’s overall identity program.
Myth #6: Identity governance and security are separate
Identity governance and security are cut from the same cloth. According to an April 2018 Ponemon report, when it comes to data breaches, in most cases, it is the careless employee or contractor that is the root cause.
Enterprises have employees, but also contractors, suppliers, partners, and even software bots who require access to corporate data to collaborate or perform their job. Those users need to access more and more systems, applications and data than ever before, and many of them are interconnected. Identity enables organisations to know who has access to what, who should have access and also define how that access can be used. By having a 360-degree view of everyone’s access to every application, system, and file store organisations can further secure and prevent those pesky data breaches that are the bane of every organisation’s existence.
Myth #7: Identity governance is designed for large companies only
Enterprise organisations of all sizes need identity governance. The idea that identity governance is only intended for very large enterprises may have been right ten years ago, but today, organisations of all sizes experience fundamentally the same challenges, no matter their size.
If you peer into today’s organisation, identity is consumed and leveraged across a broad spectrum of organisations’ that range in size and industry focus. Identity is a crucial component to ensuring access to data—no matter where it resides—is well protected. However, identity is not only used for security reasons. With the growing wave of data privacy laws, notably GDPR, these organisations, big or small, are now all subject to one or more compliance regulation that requires them to implement and enforce access policies and also have a way to document and prove compliance.
Myth #8: Access management and single sign-on will solve my identity needs
Organisations are utilising access management to balance ease of use and authenticated access to a variety of cloud and on-premises applications from anywhere, on any device. While this enables users with the convenience needed today for 24/7 access, organisations must consider the bigger picture and take a more strategic approach to managing their identities.
To establish a truly secure environment, organisations must address identity governance to control and govern each user’s access after the single sign-on. By integrating identity governance with an existing access management solution, organisations can automate the governance controls needed to mitigate the risk of a security breach and enforce compliance policies, while managing the demands of today’s modern workforce.
Myth #9: It’s too difficult to show the return identity governance provides
Finally, the last myth is about driving a quick return on your investment when it comes to identity governance. The fact is identity governance is key to implementing policy-driven automation which can result in big cost and time savings.
According to Forrester, users forget their passwords about five times a year. If those users are required to call a help desk for manual assistance, this not only slows down user productivity but also incurs costs that stack up quick — a 15-minute help desk call to manually reset a password on average costs companies $30 a call. Depending on your organisation size, you can probably do the math pretty quickly and estimate an initial return. Other examples include streamlining employee Day 1 on-boarding as well as optimising access review and certification efforts from months to weeks.
Understanding the true power of identity
Even by debunking persistent myths, some may still believe that identity is just about governing access to specific applications or systems, but here’s one takeaway to not forget: identity is far more than access. Identity goes beyond the network, and ties into both endpoint and data security. It takes information from every piece of an organisation’s security infrastructure and ties it all together. Identity gives much-needed context to everything an employee, partner, supplier, contractor, etc. does to the entire enterprise infrastructure.
Identity is everything today. In this age of the digital transformation, the business world moves quickly, entails more types of applications and data, involves more types of users whose access needs close governance and is exponentially more complicated for IT to enable than ever before. By adopting an identity governance strategy that encompasses the entire organization, you can properly secure and govern your organization’s identities and their access. That’s the power of identity.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.