A case of mistaken identity: nine identity governance myths we must put to rest
April 1, 2019
Jackie Brinkerhoff, Senior Director Product Marketing at SailPoint outlines nine identity governance myths we must put to rest
Technology has exposed us to both more opportunities and more dangers than we ever thought possible. The internet has changed the face of the modern workplace. What used to be stored on a physical computer database is increasingly being moved to the cloud, where it can be accessed by anyone at any time so long as they have the right credentials.
Yet, while the world wide web has made information more accessible and communication more efficient, it has also opened the door to new vulnerabilities and entities looking to exploit them.
Across the globe, technology continues to transform the face and shape of every organisation. This evolution has swept through organisations the world over — big and small — in a process known as the digital transformation.
It may sound like the buzzword du jour, but this metamorphosis has been and continues to be a challenge for enterprises. This is particularly true when it comes to governing identity and access management.
Through all the handoffs of cyber security to protect people in organisations – from firewalls to access management to a solid identity governance programme – many organisations are left confused on how to combat the threats facing them and, unfortunately, more than a few myths have persisted.
Hackers have become increasingly crafty over the last ten years, and now are targeting one of the most pivotal and vulnerable parts of an organisation: its people.
To protect, you must educate. Let’s debunk some of these myths that have persisted for the last decade.
Myth #1: You can solve everything with role management alone
Ten years ago, Oasis was still a band, and the identity industry believed that role management was the cure for what ailed us. While it is true that role management can provide business context to simplify identity management, it is a means to an end but not the key to solving everything identity-related.
Roles can be employed as components of identity governance solutions, when and where they are useful, but they are not the only requirement for strong enterprise security.
Myth #2: Provisioning is the silver bullet for governance issues
For years, many provisioning solutions did a decent job of adding and deleting users. Today, they are not nuanced enough for legitimate governance. Not only do they lack the broad application coverage required to meet compliance, but they also struggle to report “who has access to what” and continue to be too technical for business users.
Granting or removing access does not address the more significant issue of security. Identity governance helps with automating provisioning processes through a governance-based approach. This approach will allow enterprises full visibility over their users, applications, and data to be able to answer the three paramount questions:
Who has access to what?
Who should have access?
What are they doing with that access?
Myth #3: It’s IT’s responsibility to handle identity governance programmes
Eons ago, it was common for IT to be solely responsible for identity governance. Business application owners were not held accountable for compliance with internal controls, even though they understood how the systems were being used and which employees needed access to applications and data.
As a result, IT shouldered responsibility for a set of risks that were actually business risks. Here’s what we know now: the business side of the house must assume some, if not all, ownership for identity governance and team with IT to ensure it is appropriately included in the organisation’s overall identity program.
Myth #4: Security and identity governance aren’t really related
Identity governance and security are cut from the same cloth. According to an April 2018 Ponemon report, when it comes to data breaches, in most cases, it is the careless employee or contractor that is the root cause.
Enterprises have employees, but also contractors, suppliers, partners, and even software bots who require access to corporate data to collaborate or perform their job. Those users need to access more and more systems, applications and data than ever before, and many of them are interconnected.
Identity enables organisations to know who has access to what, who should have access and also define how that access can be used. By having a 360-degree view of everyone’s access to every application, system, and file store organisations can further secure and prevent those pesky data breaches that are the bane of every organisation’s existence.
Myth #5: I don’t need identity governance, access management can handle all of my security needs
Organisations are utilising access management to balance ease of use and authenticated access to a variety of cloud and on-premises applications from anywhere, on any device. While this enables users with the convenience needed today for 24/7 access, organisations must consider the bigger picture and take a more strategic approach to managing their identities.
To establish a truly secure environment, organisations must address identity governance to control and govern each user’s access after the single sign-on.
By integrating identity governance with an existing access management solution, organisations can automate the governance controls needed to mitigate the risk of a security breach and enforce compliance policies, while managing the demands of today’s modern workforce.
Myth #6: You can’t apply identity governance in cloud applications
Back in the day, legacy provisioning and identity management solutions were delivered entirely from on-premises and only managed on-premises systems. Enter cloud applications, storage, and infrastructure.
Not only has cloud become the preferred method of deployment for many enterprise identity programs, but identity governance has evolved to ensure on-premises and cloud applications and data found in cloud storage are all governed in a consistent and efficient manner.
Moreover, with the rapid adoption of cloud infrastructures, such as Amazon AWS and Microsoft Azure, enterprise organisations are also leveraging their identity solution to secure and govern access; protecting where some of the most valuable information is stored.
Myth #7: Identity governance is only used in highly regulated industries
When the Sarbanes-Oxley Act (SOX) was first enacted, identity governance initially emerged as a new category of identity management to improve transparency and manageability within specific industries (i.e., manufacturing) to meet compliance regulations. Every organisation, regardless if you are subject to regulations, need to strengthen controls over access to sensitive data and applications.
To be secure, regardless of the ever-changing regulatory landscape, today’s organisations must put in place preventive and detective controls. These controls can protect all kinds of data – embedded in applications, stored on file shares and in the cloud, and even on mobile devices.
Myth #8: Identity governance isn’t designed for smaller companies
Enterprise organisations of all sizes need identity governance. The idea that identity governance is only intended for very large enterprises may have been right ten years ago, but today, organisations of all sizes experience fundamentally the same challenges, no matter their size.
If you peer into today’s organisation, identity is consumed and leveraged across a broad spectrum of organisations’ that range in size and industry focus. Identity is a crucial component to ensuring access to data—no matter where it resides—is well protected.
However, identity is not only used for security reasons. With the growing wave of data privacy laws, notably GDPR, these organisations, big or small, are now all subject to one or more compliance regulation that requires them to implement and enforce access policies and also have a way to document and prove compliance.
Myth #9: Proving the ROI on identity governance is too difficult
Finally, the last myth is about driving a quick return on your investment when it comes to identity governance. The fact is identity governance is key to implementing policy-driven automation which can result in big cost and time savings.
According to Forrester, users forget their passwords about five times a year. If those users are required to call a help desk for manual assistance, this not only slows down user productivity but also incurs costs that stack up quick — a 15-minute help desk call to manually reset a password on average costs companies $30 a call.
Depending on your organisation size, you can probably do the math pretty quickly and estimate an initial return. Other examples include streamlining employee Day 1 on-boarding as well as optimising access review and certification efforts from months to weeks.
Even by debunking persistent myths, some may still believe that identity is just about governing access to specific applications or systems, but here’s one takeaway to not forget: identity is far more than access.
Identity goes beyond the network, and ties into both endpoint and data security. It takes information from every piece of an organization’s security infrastructure and ties it all together. Identity gives much-needed context to everything an employee, partner, supplier, contractor, etc. does to the entire enterprise infrastructure.
In today’s digital economy, identity matters. As business continues to evolve and bridge new frontiers, security must not be left behind. This will take new thinking and fresh approaches to identity management. Our solutions must constantly validate the identity of those accessing our applications and data.
Instead of letting a single attribute, such as a password, determine your level of trust, build trust organically by asking questions. The better you know them, the more you can trust, and ensure the access you grant is both appropriate and visible. Increasingly, it’s the only precaution for keeping businesses safe and secure.
Ben Bulpett, EMEA Director, SailPoint, explores how organisations can safeguard against the insider threat. Today, a job is no longer for life. Job hopping, second careers and the ‘portfolio’ career are all …
Andy Cory, IAM lead consultant at KCOM, demonstrates how to build the customer relationship with identity and access management. From a security perspective, sign-in processes and log-in pages can seem …