Charting Uncharted Waters: Comprehensive Identity Governance
Over the past two blogs in this series, I have explored the issues facing identity governance teams with the growing amount of sensitive data stored in files across the organization. Let’s quickly recap where we left off last time when we explored the three key reasons governing access to files is challenging.
- First, many organizations struggle with visibility to where sensitive data resides, who has access to it and how that access is granted.
- Second, there is generally a gap in ownership of unstructured data and the systems where it is stored. While IT may “own” the actual storage platform where files are located, the business must take ownership of the data and who should have access to it.
- And third, the quantity of unstructured data being stored in files is growing exponentially. This is the catalyst in many organizations that is driving the need for changing the way that access is being governed.
In the final installment of Charting Uncharted Waters, we will turn our attention to how organizations can extend their identity governance programs to address the unique security, compliance, and risk management requirements of data stored in files. Governing access to unstructured data such as documents, spreadsheets, and presentations is different than governing access to applications and platforms. However, you can start with the core concepts from your current identity governance program – visibility and control – and augment them to address the unique challenges posed by unstructured data.
Let’s start with visibility. Unlike a structured application environment, where you have an understanding of the access model and what type of information is stored in the system, file storage systems require a pre-processing step before we can gain the same level of visibility to who has access to sensitive unstructured data. You have to identify which files or storage locations (e.g., a folder on your file share) contain sensitive data. The best way to accomplish this step is to scan your file storage systems with an automated tool that can identify where you have sensitive data based on pattern matching (e.g., PII, credit card numbers, corporate financials) and user behavior (e.g., users from finance are accessing a particular file location). This allows you to quickly understand where you should focus your identity governance controls, and may identify where you have sensitive data stored in the wrong locations.
Once you have visibility to where your sensitive data resides, the next step is mapping out who has access to it and how that access is being granted. An indirect access model is generally used in conjunction with securing file storage systems. This means understanding who has access to a specific file storage location, which can be challenging to determine. Therefore, you should leverage an automated permission analysis process that maps direct and indirect access across all file systems, whether they are located on-premises in your data center or in the cloud. In this step, not only are you gaining valuable visibility to who has what access, but you’re also going to uncover access model issues such as defective AD group membership structures (e.g., broken inheritance or nested groups). This is a good time to clean up your AD environment that may be over-entitling users to access sensitive data and eliminate direct permissions to files in favor of a more scalable and stable model.
The final step before you begin applying your organization’s identity governance controls on your file storage systems is to identify owners within the business who can act as the steward for access. This is a critical step that many organizations overlook, and it’s the key to a well-functioning identity governance strategy for your file storage systems. SailPoint provides a unique approach to identifying and assigning the best data owner within the business to oversee identity governance activities for your sensitive data. Instead of using file access activity as the single basis for assessing ownership (because the most frequent user may not be the rightful owner), we leverage a crowd-sourced approach that identifies probable owners and then let’s the business select the best person to oversee access to sensitive data. This results in better alignment and oversight, which in turn improves security and reduces risk of inappropriate access.
So now that we have covered what’s different in governing access to sensitive data, you can focus on what’s the same. When you combine visibility to where sensitive data resides and who has access to it and how that access is granted with properly matched data owners, extending existing controls such as access request and access certification processes becomes significantly easier. Your goal should be to encompass all identity governance controls and processes within a single solution for your organization.
SailPoint provides the only comprehensive approach to governance access to all applications and all data for all digital identities. We start with IdentityIQ or IdentityNow to address access to applications and platforms. Then we leverage SecurityIQ to extend your identity program to govern access to files. It automates the discovery of where sensitive data resides in file storage systems (on-premises or in the cloud) and who has access to it and how that access is granted. Once you have visibility, SecurityIQ helps identify the right data owners to leverage in controlling access to sensitive data throughout each user’s lifecycle with the organization. SecurityIQ integrates with the other components of SailPoint’s Identity Governance Platform to enable 360-degree visibility overall all user access (applications and data), and consistent implementation of identity governance controls such as access certifications or approval processes. For more information on SecurityIQ, and SailPoint’s unique approach to comprehensive identity governance read Securing Access to Files with Identity Governance.