In my recent conversation with security journalist and blogger George Hulme, we discussed a number of technology trends currently disrupting enterprises, including the accelerating adoption of enterprise software-as-a-service applications, mobile devices, cloud storage, and collaborative tools. Specifically, we spoke about the fact that much of this adoption occurs without the knowledge and the control of traditional security and IT teams.
In this post, I’d like to go a little deeper into what’s behind these trends and explore how identity governance can help mitigate the risks associated with them.
These key trends are driving an outbreak of new applications and technology in the enterprise. Employees want to be as productive as possible and get their work done as quickly as possible. This often means procuring the applications and cloud services they need directly, without any guidance from IT or the knowledge of security teams. In many organizations, because convenience is a higher priority than control, it’s safe to assume that many of these cloud applications and services are brought into the enterprise without the same level of scrutiny that was typical of pre-cloud era applications. Business owners often aren’t willing to wait on IT when they can purchase a “helpful” application on their corporate credit card.
I believe there are a number of reasons why these technology trends are not going to slow down anytime soon. For starters, there’s a low barrier to entry for enterprise employees to procure these cloud services because they do not require a large capital expenditure budget approval; indeed, in many cases, they are so inexpensive that these expenditures are completely invisible in a lot of organizations. Although the organization may not see them, all of these IT costs are buried under the surface throughout the organization and “hidden in plain sight” within expense accounts.
Of course, this behavior creates significant risks for any organization. The most pronounced is the organization’s noticeable loss of visibility and oversight into these applications and their data. Organizations don’t know where their data resides, who can access that data, who has accessed that data, or even the level of sensitivity or value of the data that’s “out there.”
We identified these challenges, associated with both data and applications, as two of our three New Frontiers in Identity Governance. Furthermore, the rapid adoption of cloud services has also helped fuel the boom of unstructured data because so much data is stored and consumed on collaboration platforms such as SharePoint or on cloud storage platforms such as Dropbox and Box.net.
So, how can enterprises obtain a better level of control? Organizations essentially have two approaches they can take in an attempt to gain governance over their applications and data. To use an old metaphor, they can lean more toward either a stick or a carrot as a way to gain more visibility and control over applications and data.
When using a stick approach, organizations might attempt to take a firm level of control and permit access to only IT-approved cloud services. IT can enforce its policies by monitoring employees’ access and blocking any unauthorized access, as necessary. While these organizations may achieve some level of success by forcing their staff to adhere to the policy and always work through IT to get the resources they need, it’s unlikely that this approach will fly in many organizations, due to the pressure the business owners feel to move quickly to stay competitive.
An alternative, more “carrot-like” approach may be more realistic and constructive. Organizations can monitor their environments and identify the applications and cloud services staff are actually using. As they identify which applications are running in their environment, they can then bring those applications under the fold of their centralized IT control mechanisms. This way, the applications employees want to use will be allowed, and IT and security teams will gain the visibility they need. As a bonus, the organization will likely remain productive and innovative, as it’s always true that those on the front lines tend to have the best grasp of the right tools for the job.
As organizations adopt these new technologies while trying to maintain control, it’s critical to bring all of these new applications into the organization’s identity governance program. This makes for not only a happier and more productive workforce, but also a more secure and compliant one: employees get to use the tools that help them do their best work, while the organization ensures that all of the security and compliance benefits provided by identity governance are in place.