Each spring, identity professionals come together for the annual Gartner IAM Summit in London to learn about new trends and vendor solutions, and to network with other like-minded individuals. This year’s event was rich with insights from Gartner, vendors and organizations who shared their own challenges, solutions and best practices.
Last week, SailPoint had the opportunity to poll identity professionals to understand their top three key identity program priorities. While the findings are consistent with past years, what is fueling and underpinning these priorities has evolved. The top three priorities are as follows: 1) automating manual processes, 2) addressing stringent compliance issues such as GDPR and 3) evolving from outdated legacy systems and infrastructure to adopt modern identity solutions.
Priority 1 – Automating manual processes
As surprising as it may sound, there are many organizations, large and small, that are still conducting some or all of their identity efforts via Excel spreadsheets, manual tasks and scripts. As I spoke with these people, it was apparent that this is due to perceived cost savings – do it by hand so that an investment in technology is avoided. However, these organizations are now realizing the actual cost of manual processes far exceeds that of investing in an identity governance solution. An identity governance solution not only automates IT-related tasks such as provisioning/de-provisioning, password resets and access certifications; it also allows for role-based logic to ensure the right activity is performed for each identity. It reduces IT burden and ensures activities are repeatable and consistent across the organization while providing an easy and intuitive user experience.
Priority 2 – Addressing compliance issues such as GDPR
Compliance is not a new topic; however, with GDPR now coming into effect in 2.5 months, regulatory constraints are creating a reality check for many organizations worldwide. While there are facets of GDPR that many are still trying to understand, including balancing the requirements of data retention with GDPR’s right to be forgotten, the fact remains: organizations need to ensure they know where sensitive EU-citizen data resides, control user access to it and demonstrate proof of compliance. To help ease GDPR compliance pressures, organizations today are looking to integrate identity governance with their preferred privileged account management solution to get a 360-degree view of all user access from one pane of glass. This helps them see and understand who has access to sensitive information residing in critical organizational databases/systems and apply appropriate access controls to mitigate risk of breach.
In addition, organizations are realizing one of their biggest GDPR blind spots resides within unstructured data and files that can be found across cloud file shares (think SharePoint, Dropbox, Google Drive, etc.) and traditional on-premises file folders found on NAS devices and servers. Typical reports and documents such as PowerPoint presentations and Excel spreadsheets can often contain sensitive information that has been exported from protected databases. These documents are then distributed to others and the result is an ever-growing attack vector. By extending identity governance to also include files and folders, organizations are realizing they can get better visibility into where sensitive information resides and clean up the messy AD permissions (which I lovingly refer to as ‘spaghetti access’), as well as establish appropriate processes and controls that align with the rest of their identity governance program.
Priority 3 – Evolving from outdated and legacy systems and infrastructure
Organizations continue to embrace digital transformation, which includes adoption of cloud-based applications and systems. Cloud adoption spans from leveraging cloud-based business applications, such as Office 365 and Workday, to moving workloads off of on-premises data centers to more scalable and elastic cloud infrastructures including Amazon AWS and Microsoft Azure. When it comes to identity, organizations must be able to ensure access can be managed and governed across a hybrid infrastructure which includes legacy on-premises systems and newly adopted cloud resources. In addition, as infrastructures are being moved to the cloud, having flexible options to deliver their identity governance program is important. Cloud-based deployment options that are being adopted include using a turn-key SaaS-based service, hosting in a public cloud platform and leveraging the expertise of a managed service provider.
Overall, one thing is clear – identity has evolved from an IT productivity tool to a strategic component of a security and compliance program. While there are aspects of it that continue to serve and enhance an organization’s efficiency needs, most look to identity for its ability to serve as the ‘connective fabric’ across their organization, which in turn enables enterprises to grow and innovate in a secure and efficient manner.