As the years have gone by, technology has advanced and the threats enterprises face have changed. There has also been a paradigm shift in how organizations protect themselves. Where firewalls and physical perimeters used to be enough, the attack vector of choice for hackers is now the most prevalent point of access in an organization: people. And so new methods of protection arose, such as provisioning and access management. But amid all the change, many organizations were left confused about just how to combat the threats facing them.
Over the past decade, the identity governance space has evolved and matured, changing with the world around it. But some myths have persisted, and these misconceptions have, in some cases, misled organizations about how they should be protecting themselves:
Identity governance and security are separate.
With all the pieces necessary to keep access to sensitive corporate resources secure, it’s easy to tick the boxes of access management, provisioning, network perimeter, etc. and think your security will handle anything the world has to throw at it. But the unfortunate truth is that many of the risks you think you’re protected against actually come from inside the organization. According to Risk Based Security, “The vast majority of incidents are attributable to malicious actors outside of the organization, yet more and more sensitive data is exposed when insiders fail to properly handle or secure the information.”1
The insider threat – your users either maliciously or negligently misusing their access to your corporate resources – is just one area where identity governance can help. As the central part of your security environment, identity governance can mitigate many risks (including insider risk) and better secure your sensitive applications and data.
Access management and SSO will solve my issues.
Put simply, access management and single sign-on are not identity governance. While those two technologies help grant access to users, they do not have the nuanced controls necessary to truly protect sensitive information and avoid potential risks.
Here’s an example: a salesperson needs access to Salesforce, Workday and his company’s homegrown commissioning tool. While access management and SSO could grant him access and let him easily log into all three, they do nothing to prevent him from seeing more than he should. Identity governance can set the rules so he can view his paystub, benefits and commissions, but prevent him from creating or approving new commissions. Bottom line: identity governance is about making sure each person has exactly the access they need to do their jobs without causing risk to the company.
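The salesperson scenario above, as an added sketch (not SailPoint's product or API): an SSO assignment decides whether he can sign in, a separate role policy decides what he may do, and a certification pass flags provisioned access that no role justifies. The user name, role names, entitlement strings and sample grants are constructed for illustration.

```python
# Added illustration: user, roles, entitlement strings and grants are constructed.
from dataclasses import dataclass, field

# Access management / SSO layer: which applications a user may sign in to.
SSO_ASSIGNMENTS = {"sam": {"salesforce", "workday", "commissions"}}

# Governance layer: entitlements ("app:action") each role may hold.
ROLE_POLICY = {
    "salesperson": {
        "salesforce:use",              # assumed; the page names no Salesforce action
        "workday:view_paystub",
        "workday:view_benefits",
        "commissions:view_own",
    },
    "commission_admin": {"commissions:create", "commissions:approve"},  # hypothetical role
}

@dataclass
class User:
    name: str
    roles: set
    granted: set = field(default_factory=set)  # what is actually provisioned

def can_sign_in(user, app):
    """SSO answers only: may this user open this application?"""
    return app in SSO_ASSIGNMENTS.get(user.name, set())

def allowed(user):
    """Union of the entitlements the user's roles justify."""
    return set().union(*(ROLE_POLICY.get(r, set()) for r in user.roles))

def authorize(user, entitlement):
    """Governance decision: sign-in alone is not enough; a role must justify the action."""
    app = entitlement.split(":", 1)[0]
    return can_sign_in(user, app) and entitlement in allowed(user)

def certify(user):
    """Access review: provisioned entitlements that no role justifies (revoke candidates)."""
    return sorted(user.granted - allowed(user))

# Constructed drift: an approval right was granted directly in the commissioning tool.
sam = User("sam", {"salesperson"}, ROLE_POLICY["salesperson"] | {"commissions:approve"})

if __name__ == "__main__":
    print(can_sign_in(sam, "commissions"), authorize(sam, "commissions:view_own"))
    print(authorize(sam, "commissions:approve"), certify(sam))
```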
It’s too difficult to show ROI for identity programs.
Showing the return on any investment, technology or otherwise, can sometimes prove difficult. Identity governance programs are no different, especially as they can assist in saving both hard and soft costs. Automation and self-service capabilities are large parts of a successful identity program and can give organizations benefits such as:
- Enabling users to reset their passwords without the assistance of the helpdesk
- Ensuring new hires are productive on day 1
- Automating access requests from users for both data and applications
- Provisioning access automatically based on user role changes, including termination
- Re-certifying correct access for every user on a regular basis, without resorting to manual methods such as spreadsheets
After implementing automation and self-service capabilities in their identity programs, organizations have been able to save both time and money – one Fortune 500 manufacturer was able to save $1m in one year in eliminated helpdesk calls alone.
Identity governance is designed only for large companies.
While it may seem that compliance with regulations is only a problem for large, international companies, the truth is that regulations such as GDPR and CCPA affect every enterprise organization, in every industry and of every size. No matter what, organizations need to strengthen controls over access to their sensitive data and applications. And as we’re now hyper-aware, the risk to organizations is broader and deeper than just the financial systems on which regulations like SOX are focused.
In order to be secure, regardless of any regulations to which they may be subject, today’s organizations must put in place preventive and detective controls. These controls can protect all kinds of data – embedded in applications, stored on file shares and in the cloud.
Identity governance is an IT issue.
Years ago, it was common for organizations to give responsibility for identity governance to the IT department. Business application owners were not held accountable for compliance with internal controls, even though they understood how the systems were being used and which workers needed access to applications and data. As a result, IT shouldered responsibility for a set of risks that were actually business risks. What we now know is that the business side of the house must assume some, if not all, ownership for identity governance.
Business managers are best qualified to define and enforce policies and controls that minimize access risks. IT staff can support and assist these efforts, but they cannot own the process. The side effect of this is that identity governance can actually empower business users to do their jobs more effectively, as well as securely. Instead of spending countless hours certifying who should have access or waiting for the helpdesk to reset a password, users can reclaim time through the efficiencies identity governance provides (and help their organizations recoup costs).
The Power of Identity
Some may believe identity is just about governing access to certain applications or systems, but identity is more than access. Identity goes beyond the network, and ties into both endpoint and data security. It takes information from every piece of an organization’s security infrastructure and ties it all together. Identity gives context to everything an employee, partner, supplier, contractor, etc. does within the entire enterprise infrastructure: cloud and on-premises apps, devices both on- and off-network, privileged access management, and data stored in systems and apps or in files.
It’s time to rethink identity as your new IT wingman. From empowering workers on day 1 to automating IT helpdesk requests, SailPoint identity takes on your security and compliance issues so your people work freely while your systems work securely.