Cyber Today: Governing Identity

Almost half of data breaches today involve lapses in access privileges. Think about the sheer number of events that occur every minute around user access—human and non-human, in-office and remote, across a landscape of partners and vendors—and the immense challenge of identity governance becomes crystal clear.

A Forbes Insights/SailPoint survey reveals the importance of identity governance in today’s shape-shifting cybersecurity environment. Aside from access privilege abuse, a third of breaches involved orphaned accounts granting access to systems without valid users. And bots contributed to a fifth of events. Before digitized data and digital platforms, securing identity and access was largely an effort guided or executed by humans. Now, machine learning systems are the best way to monitor the flood of new entities.

Leading-edge activity is happening in identity access management, and the biggest driver of these changes is the introduction of data science into what has been largely an administrative task—specifically about models that apply to behavior and allow us as an enterprise to make decisions based on specific parameters in real time without human intervention.

Keeping An Eye On Bots In The IoT Age

Yes, the bots are here. And so are billions of connected devices. But it’s only the beginning. Over 50 billion devices will be connected by 2020, and some 73% of organizations are using the Internet of Things (IoT) to improve areas of their business, such as improving products and decision making. This means even more new devices, agents and programs are entering or influencing the enterprise environment. The big question in cybersecurity is how to seamlessly adopt these new entities into an existing identity governance program so they can function securely and productively.

The risk facing security leaders is the bot or robotic process that continues to process transactions without appropriate context or without the right timing. If the data isn’t put into the database and those processes are working on data from the day before, the downstream effect is significant—you can have issues with data quality, integrity and availability.

Identity governance must incorporate new and expanding sets of entities, first by determining where the range of devices, agents and programs fall within the potential threat level. Bots are not human, of course, but they do access data and make decisions on that data. The IoT can’t evolve without applying existing identity models and modifying them accordingly, based on the threat. This is why some are calling this imperative the Internet of Identity.

Deployment And Leadership

The Forbes Insights/SailPoint survey reflects the importance identity governance has acquired in the digital age. Just over 50% of companies have deployed an identity governance solution that can monitor access for every identity—human and non-human—across an entire enterprise. Almost every other organization in the survey (44%) has a program under development.

And yet more needs to be done to bring the C-suite completely in line with cybersecurity efforts, including identity governance. Only 47% believe their senior leaders see cybersecurity as an enterprise-wide priority despite the fact that their IT leaders place security at the forefront of business objectives. The risk touches on all aspects of a business: 68% say their organization has lost customers as a result of cyberattacks—and 54% report that the attacks were the result of exploited user access privileges. And over half believe they are vulnerable to cyberattacks.

Gary Eppinger, chief information security officer and corporate privacy officer at Carnival Corporation, which owns nine cruise line brands, says leadership is a central component of a comprehensive solution. “Cyber is highly integrated in senior leadership within IT, but also at the business layer,” he says, describing an environment where IT security is part of the business discussions and strategies among group presidents. Above all, there’s awareness that securing identities and data is an enterprise issue with enormous relevance to each brand. He continues: “What we do know is that if we don’t work in a secure manner, it will come back to impact our brand reputation.”

To learn more, read “Identity Governance: The Great Enabler.”


Discussion