This post first appeared on Risk Management Magazine. Read the original article.
A successful identity governance program answers the following questions: Who has access to what? Who should have access to what? And how is that access being used? Much of the identity governance landscape we see today stems from the late 1990s, when many organizations began to automate the provisioning of staff to the internal applications and resources needed to do their jobs. It was a challenge then, and is considerably more complex now as hackers increasingly target an organization’s people.
In today’s constantly-changing, hybrid IT environment, identity is the only thing tying a user to their different devices, applications, data and activity within the organization. If IT teams can employ a comprehensive identity governance strategy to have full visibility and control over the identities in their organization—including users’ access to applications and data—they will be well on their way to securing their organizations. Yet, despite the wide range of cybersecurity measures implemented over the years, more than a few myths persist around identity governance that need to be dispelled.
Provisioning will solve all governance problems.
For years, many provisioning solutions did a decent job of adding and deleting users. Today, they are not nuanced enough for legitimate governance. Not only do they lack the broad application coverage required to meet compliance, but they also struggle to report on who has access to what and continue to be too technical for business users.
Granting or removing access does not address the more significant issue of security. Identity governance helps with automating provisioning processes by allowing enterprises full visibility over their users, applications and data so they can understand who has access to what and what they are doing with that access.
You only need identity governance if you are subject to regulatory compliance.
When the Sarbanes-Oxley Act was first enacted, identity governance emerged as a new category of identity management to improve transparency and manageability within specific industries to meet compliance regulations. But every organization, regardless of whether it is subject to regulations, needs to strengthen controls over access to sensitive data and applications.
To be secure today, organizations must put in place preventive and detective controls. These controls can protect all kinds of data, whether embedded in applications, stored on file shares and in the cloud, or on mobile devices.
Identity governance is an IT issue.
Once, it was common for IT to be solely responsible for identity governance. Business application owners were not held accountable for compliance with internal controls, even though they understood how the systems were being used and which employees needed access to applications and data. As a result, IT shouldered responsibility for a set of risks that were actually business risks. Now, we know the business side of the house must assume some, if not all, ownership for identity governance, teaming with IT to ensure it is appropriately included in the organization’s overall identity program.
Identity governance and security are separate.
Identity governance and security are cut from the same cloth. According to an April 2018 report by the Ponemon Institute, a careless employee or contractor is the root cause in most data breach cases. Enterprises have employees, as well as contractors, suppliers, partners and even software bots who require access to corporate data to collaborate or do their job. Those users need to access more systems, applications and data than ever before, many of them interconnected. Identity governance enables organizations to know who has access to what and who should have access and to define how that access can be used. By having a 360-degree view of everyone’s access to every application, system and file store, organizations can further secure data and prevent costly breaches.
Identity governance is only designed for large companies.
Today, identity is consumed and leveraged across organizations that range broadly in size and industry focus. Identity is a crucial component in protecting access to data, no matter where it resides. Identity is not only used for security, however. With the growing wave of data privacy laws like GDPR, organizations of all sizes are now subject to one or more compliance regulations that require them to implement and enforce access policies and have a way to document and prove compliance.
Access management and single sign-on will solve my identity needs.
Organizations utilize access management to balance ease of use and authenticated access to a variety of cloud and on-premises applications from anywhere, on any device. While this gives users the convenience needed for 24/7 access, organizations need to take a more strategic approach to managing their identities.
To establish a truly secure environment, organizations must control each user’s access after the single sign-on. By integrating identity governance with an existing access management process, organizations can automate governance controls to mitigate the risk of a breach and enforce compliance policies, while still managing workforce demands.
It is too difficult to show the return identity governance provides.
Identity governance is key to implementing policy-driven automation that can provide big cost and time savings. According to Forrester, users forget their passwords about five times a year. If those users are required to call a help desk for manual assistance, this not only slows down user productivity but also incurs costs that mount quickly—a 15-minute help desk call to manually reset a password costs companies an average of $30 a call.
The Power of Identity
Successfully managing risk starts with a strong identity governance program. Identity is critical to business success as more organizations embrace digital transformation. Today’s business world uses more types of applications and data, involves more types of users whose access needs close governance, and is exponentially more complicated for IT to enable than ever before. What once was straightforward has become a giant, inter-connected ecosystem creating a web of access points and connections.
Through all this activity, digital transformation can create potential challenges, but identity governance can help ensure organizations stay secure and compliant, while enabling new opportunities to innovate and operate with greater agility.