The Compliance Connection: The Role Of Identity Governance
In January, France’s data regulator fined Google almost $60 million, the biggest penalty issued by a European agency and the first instance of Europe’s General Data Protection Regulation (GDPR) being exercised. It’s unlikely to be the last, though, as governments and individuals increasingly expect stronger data security and privacy policies.
In a recent Forbes Insights survey of 200 senior technology executives, 85% said that GDPR will have an impact on their organizations. Business and security leaders now occupy a world with a long list of complex government and industry laws aimed at mounting security and privacy concerns. At the heart of these issues is data management—and that core priority comes down to identity and access: being able to inventory and analyze access privileges in real time for all users across the expanse of the enterprise, and being able to understand and verify who has access to what data, applications and systems—and when and why the user gained access.
The Challenge: Threats And Compliance
Chief information security officers (CISOs) and other IT leaders are facing more than a sophisticated threat landscape brought about by digital transformation: Powerful AI can now be weaponized (think autonomous botnets); workforces are increasingly mobile, accessing data, applications and systems from anywhere, at any time; and The Internet of Things (IoT) is expanding. The compliance landscape is an equal challenge, one that some leaders don’t fully understand. In fact, the Forbes Insights survey found that only 32% of surveyed executives see security and compliance as tied together—and almost 50% see them (mistakenly) as separate issues.
But security and compliance are not separate issues. Identity governance has emerged from the shadows to become a prime mover of these two imperatives for a very good reason. In an IoT world, with dispersed workforces, the perimeter around enterprises has become porous. The approach is zero trust—in other words, make no assumptions about the integrity of your organization among all workers, partners and other stakeholders. Security professionals are now keenly aware that the majority of breaches originate from privilege failures or abuse within the organization, but it’s challenging for them to ensure that workers and other users have a level of access in line with business and compliance policies.
The regulations already in place around data integrity and privacy are intended to prevent breaches and the behaviors that could violate consumer privacy or reduce the integrity of information assets. For that reason alone, enterprises have to secure an identity environment with tens or hundreds of thousands of actors. CISOs in financial services or healthcare, for example, are razor-focused on regulations like SOX (Sarbanes-Oxley) and HIPAA (Health Insurance Portability and Accountability Act), respectively. The consequences of not adequately managing user access increase risk well beyond breaches; they include sabotage, fraud, costly compliance violations and failed audits.
And yet, only 33% of surveyed executives realize that identity governance solutions provide proof of compliance for regulators. The reality is this: Enterprises that have a strong identity program in place will by extension gain control over the complex regulatory terrain under their feet. But how?
The Solution: Visibility And Balance
Knowing and controlling at all times who has access to what information—and when and why they accessed data—is the kind of transparency and risk management organizations need in order to protect themselves and remain in compliance. It’s all-seeing and sustainable, meaning it’s not a part-time or part-way solution; it’s integrated across the business and “always on.”
How do you achieve sustainable compliance? Begin with an assessment of your current state of readiness. Put all your user and access information into one repository (or data lake) and comb through the data to see what’s accurate. Resolve inconsistencies across all sources of identity data to gain a full, enterprise-wide picture of your access environment. You now have a baseline from which to eliminate inaccurate or inappropriate access privileges and continue certifications, enforcement, and the provisioning and de-provisioning of users. You’re gaining control over access.
Next, build an identity policy model from defined access policies, roles and risk parameters (to strengthen detection and prevention controls) so that it reflects the business and regulatory requirements facing your organization. Once you’ve built the model, you can automate your processes to detect threats or anomalies—and perform access reviews triggered by events, such as a position or manager change. Now your organization can scan identity data, analyze it and detect any issues. A complex environment becomes streamlined, enabling security leaders to clearly see potential risks—and act. You’re in full control.
Too many organizations focus on detection by rooting around for noncompliance issues, then fixing them. The best approach is a balanced one that includes preventive controls that keep compliance violations from seeping into the environment in the first place. The combination enables companies to reach a fully compliant state and stay there.
Becoming One: The Benefits Of Security And Compliance
Visibility and control come from seeing clearly into complex security arenas and anticipating what’s coming down the road. But you have to be able to repeat the detection and preventive—and resolution—processes. That’s what sustainable compliance means. An organization that can flag problems quickly, in an automated process, and immediately fix the issue in a documented and reportable way will benefit. Yes, the organization will avoid millions of dollars in fines and penalties, but it will also improve efficiency by replacing manual processes and adding self-service that lets managers and end users make changes on the fly. Security and compliance become one.
To learn more, read “Identity Governance: The Great Enabler.”