This is a fascinating time to be in identity management. It’s a time when cybersecurity has never been more important, regulations around the world that affect data are growing and becoming ever more stringent, and the reliance of the enterprise on identity has never been higher. Since the European Union’s General Data Protection Regulation (GDPR) went into effect, both enterprises and regulators alike wonder what lies ahead.
To get a better sense of how identity has evolved, and where identity may be heading in this environment, we reached out to Chris Lyon, an expert in identity management with decades of experience in regulatory compliance at large financial services organizations.
George: Thank you for taking the time today. Tell us how you got started in identity management and regulatory compliance?
Chris: I was at an investment bank. It was after Enron and the enactment of Sarbanes-Oxley. Sarbanes changed everything. Overnight, our requirements for application re-certification went from 10 applications to 250. At the time I worked for an investment bank that was big on automation and the bank really, really disliked throwing people at any problem. This turned out to be a very good thing for everyone.
Still, we had our work cut out for ourselves, and so myself, my lead auditor, and my security person got to work. We rubbed our heads together and worked out how to automate this process. We started to look at the identity products available on the market at the time, but none of the vendors provided what we needed. We ended up building, probably, the world’s first automated re-certification tool that was linked into a provisioning process. To put this in context, we’re talking about 2002.
Since then, I’ve led evaluations between major identity vendors for large banks and have also implemented identity management programs at a number of large banks. More recently, I’ve also entered into the process of building a full end-to-end governance platform, which includes managing joiners, movers, leavers, toxic combinations, and re-certification.
That must have been a fascinating time to get started in identity management; there was so much to mature around data regulations.
Yes, and in Europe, we also had many other regulations underway. And we’ve had stronger privacy protection in the UK for quite some time. And now that GDPR is moving forward some people are getting concerned. GDPR is interesting because identity governance has a big role to play. GDPR doesn’t cover all of it, but a lot of the banks are already doing what GDPR requires them to do. In Europe, and in the UK in particular, we’ve had to meet most of the GDPR requirements for some time.
It comes down to security and protecting data as an effective answer, right? There are some additional facets such as the right to be forgotten and others that are unique to GDPR. I think the large financial institutions would be less concerned than startups and companies not accustomed to such high levels of regulation, but also have lots of personal information, and small security teams should be concerned. What are your thoughts on that?
When you take care of security first then compliance, to a large degree, takes care of itself. If you’re doing the right thing for security, onboarding properly and off boarding correctly, then you’re just certifying and reporting on the good process you already have in place. Ultimately, regulatory compliance is just a good set of ideas that your organization needs to hit. As a goal, regulatory compliance is a bit like ITIL (formerly Information Technology Infrastructure Library). When ITIL first came out, many organizations thought: Oh, we’re going to be ITIL compliant. Well, ITIL was never really a goal. It is a set of processes that they thought organizations should adopt and that organizations would choose to take the portions that worked for them.
Security is the same. There are some fundamental security controls that should be in place everywhere, and if you do those well when the eye of scrutiny does fall upon your organization for whatever reason, they’ll see that the organization has a reasonable handle on controlling risk.
That is a fascinating perspective. Looking back at the financial services companies that you’ve worked with, have they learned a lot of core things that needed to happen to be compliant with any set of regulations that come along.
All organizations talk about Sarbanes nowadays, but they talk about it in the context of what applications and services and infrastructure are within the scope of Sarbanes. Also, they have the same conversation about the European regulations, the US Federal regulations, the Singaporean regulations, and so on. All these financial mandates have a similar set of rules. There are many practical security issues handled in there.
It’s often a similar set of controls, but on different types of data. It could be controls on stock-related applications. It could be controls on financials, et cetera. There is a set of sensible, sane and similar security controls we should apply in the user access management and governance space to get us to a good enough posture. A posture that enables us to be reasonably confident that the access available is owned by the right people. This includes removing access in a reasonable time when people leave the organization, and that there is reporting in place to show that it’s actually happening.
That should be when people leave the organization; their access should go away in a reasonable time frame. That there is reporting in place that shows that’s happening. When people move around within the organization, their old access gets revoked, and their new access gets added, or somebody has eyes on that access and approves or denies that access.
The big one, especially at financial services organizations, is making sure that separation of duties is in place. This is where it gets exciting because separation of duties if done right, is actually where business intelligence and business process hits identity access governance.
That’s excellent advice. How do you think GDPR is going to unfold, especially in areas where enterprises have less mature controls over data access?
I think the general controls about who can access data and who can get data out of the organization are already in place. Companies that have been doing data protection type activities for any sort of time will likely have a reasonably robust set of controls in place already. They’ll have email monitoring looking for large or specific datasets going out. They’ll have controls on their internet gateways to make sure data can’t be uploaded to Dropbox or someplace like that. They’ll have their desktops locked down so that users can’t copy data to USB sticks. All of that control will be in place.
When it comes to less mature controls, we’ve two problems in the GDPR space. You’ve structured data, which is hopefully where most of it sits. So, databases and within applications. And, you’ve got your unstructured data. I think the challenge with unstructured is that we’ve lived in a world where historically, people could access databases directly, run reports, and extract that data into unstructured files, such as documents and spreadsheets.
Those files then were put onto file shares, and those file shares are littered to the hilt, with most large organizations having hundreds of terabytes, if not, petabytes of unstructured data. The problem set is so significant, that even making the most basic inroads is genuinely challenging.
Part of that is a communication disconnect. The business views it as an IT problem, and IT sees it as a business problem. They have to come together and work it out in partnership.
I think the data owners are going to have to accept that they are data owners. Today, a lot of them don’t. Once they are data owners, they’ll have to agree that it’s actually their risk, not IT’s risk, and that’s why they have a problem there. That relationship is never going to work well. The most successful approach in business is where the data owners understand that they own the risk and fund the risk management.
That’s the only way it will work today. Currently, most IT departments don’t have huge change or investment budgets. That’s the reality since the crash. IT no longer has the flexibility to invest millions of dollars in every new technology. Today, there needs to be a business sponsor somewhere that says: I see this as a problem. I’m going to sponsor this. I’m going to find the money to make it happen.