Largely fueled by increasingly globalized markets, cloud computing, and the continuous delivery of software, business today runs 24/7 and it doesn’t stop for anything. In addition to continuous cloud and app deployments, data sets are also being continuously created, managed and accessed. While this is helping business to be more effective, global and profitable, the data and app sprawl also creates more risk.
Much of this is driven by the sheer demand for new apps and digital services and the ease with which cloud services can be purchased by individual business units or workers. All anyone needs in order to deploy public cloud infrastructure, a SaaS service, or almost any type of cloud resource is a few minutes of time and a credit card.
When apps, data, and cloud services are spread out, operated in silos and not governed by IT, risks rise. First, attackers and insiders gone rogue have a greater ability to slide under the radar unnoticed. Second, it’s likely the apps and data will fall out of policy compliance. Third, it’s just as likely identities and access credentials won’t be properly maintained.
There are a number of ways organizations can try to manage these risks. They can monitor their network traffic in order to identify rogue or unsanctioned applications and services, try to enforce strict policies requiring users to go through the IT department, or require staff to select from an approved list of cloud service providers. All of these, among many other options, can be good practices, but they are never enough alone.
They’re just not. Good cloud governance requires identity governance. With the right identity governance capabilities in place, organizations can migrate to the cloud while having visibility across cloud and on-premises systems, so that users can stay within policy and security compliance while compliance teams have insight into who is accessing what and where they are accessing it.
Identity governance is different from identity and access management. It is not only the ability to create, enforce, monitor and audit identity and access management; it also includes the correlation of these identity and access management capabilities to compliance and the reporting of policy compliance.
What proper identity governance provides organizations is the ability to gather and enforce identity policy across disparate enterprise systems so that it can be centrally managed. They can gather information on access privilege and entitlements in specific applications and across today’s complex hybrid environments.
This improves data security and compliance across an organization.
Identity governance also helps mitigate insider risk by enabling monitoring across applications and identifying rogue users and those who have managed to gain access to systems they shouldn’t. This is how identity governance makes it harder for insiders who have gone wrong, or trusted employees whose credentials don’t reflect the access they should have, as well as outsiders attempting to pose as trusted insiders with stolen credentials. While not perfect, along with other forms of network and application monitoring, identity governance is a strategic part of any enterprise’s risk management and security program.
While the benefits of cloud – its ubiquitous availability and ease of use – are readily apparent, it also creates risks associated with application and data sprawl – which makes it easier for attackers to slide under the radar. One of the best ways to enjoy these benefits and mitigate the associated risks is identity governance.