In this chapter
- Examine why the “human vector” is the new attack vector of choice for hackers
- Define identity governance
- Learn how changes in the workplace increase risks and how identity governance helps address those risks
Table of Contents
- Identity Moves to the Center of Security
- The Power of Identity Governance
- Identity Governance in Action
- Identity Governance and the Cloud
- Building your Strategic Roadmap
- Selecting the Right Partners
Today, everyone in information technology needs to be concerned about user access privileges related to employees, contractors, and partners – or simply, “identities.”
Why? Because right now, compromised identities are arguably the most serious problem in cybersecurity. According to Verizon, 63 percent of data breaches involve stolen, weak, or default user credentials (see Numbers tell the story, below).
The Keys to the Kingdom
Why do attackers utilize user credentials so often in their activities? Because there is no need to smash windows if you have a key to the door.
At any given time in a large organization, thousands of employees, contractors, business partners, and customers are accessing hundreds, or even thousands, of applications. Each point of access for those thousands of users is a potential point of exposure.
Cybercriminals and hackers need to find only one weakness among millions of points of exposure. Once an attacker captures one valid set of user credentials, through a phishing attack, or malware, or a mistake by a single user, the door is open to plunder and disrupt the organization.
Because identities are the targets of so many cyberattacks, security efforts must focus on protecting them, and that starts with identity governance.
Compromised user credentials have played a major role in many of the most serious data breaches of the last few years. Captured credentials of a third-party vendor, a refrigeration contractor, led to the Target data breach and the loss of credit card information for 110 million customers. Personal infor-mation on 21.5 million government employees and job appli-cants was stolen when hackers used credentials from a con-tractor to penetrate systems at the United States Office of Personnel Management (OPM).
Numbers tell the story
Most data breaches are linked to compromised or misused credentials:
- 63% of confirmed data breaches involve weak, default or stolen passwords.
- 66% of insider misuse involves privilege abuse.
- 60% of organizations cannot detect attacks that use compromised credentials.
Sources: Verizon 2016 DBIR, Rapid7 2015 Rapid Detection and Response.
Defining Identity Governance
Identity governance helps enterprises prevent data breaches by protecting an organization’s identities. But what is it, exactly?
A working definition
We define identity governance as:
Technology and processes to ensure that people have appropriate access to applications and systems, and that the organization always knows who has access to what, how that access can be used, and if that access conforms to policy.
All employees should be provided with exactly the access they need to do their work, and no more. For example:
- When James joins the company, on day one he obtains access to all the applications and systems he needs for his job – and no others.
- If Leila quits, all her access is terminated immediately.
- Sheila in accounts payable can pay invoices, but cannot initiate new vendors or invoices.
- Boris the email administrator can manage the email software, but not the customer service application.
Identity governance solutions help organizations inventory, analyze, and understand the access privileges granted to employees, contractors, and partners. They automate processes related to identity information and access in ways that increase efficiency, strengthen security, and improve compliance with government regulations and industry standards.
Identity governance involves at least three sets of processes:
- Policy modeling to determine what permissions should be given to people based on their roles and responsibilities
- User account provisioning to manage and approve requests for access, provide access to multiple systems in an automated fashion, and revoke access when people change roles or leave the organization
- Access certification to verify and document on a regular basis that access is being provided and managed based on the organization’s policies
Terminology in this field can be confusing. Broadly speaking, identity management (IdM) and identity and access management (IAM) are umbrella terms used to encompass two sets of technologies and processes. The first, identity governance (sometimes called identity governance and administration or IGA) relates to managing access policies, provisioning user access, and analyzing access rules, risks, and activities. The second, access management, consists of technologies that control access in real time, such as authentication, single sign-on, and password reset. Identity-as-a-service (IDaaS) refers to IdM technologies delivered from the cloud.
Challenges from the New Ways We Work
Legacy identity management tools and processes were designed for a relatively straightforward scenarios: full-time employees, sitting in corporate offices, on the corporate network, with a laptop or desktop computer, accessing structured applications running in the organization’s data center. But changes in the way we work have made governing user access privileges more challenging — and much more important for security and compliance.
Many types of users
Over the past decade, contractors, suppliers, business partners, and customers have been given increasingly wider access to key business applications.
To maintain security, organizations need to enforce identity governance policies for these users that are typically more restrictive than for full-time employees. Because their “lifecycles” within the organization may be only weeks or months rather than years, their privileges need to be reviewed and revoked much more frequently.
BYOD and shadow IT
The bring-your-own-device (BYOD) phenomenon has created a situation where thousands of devices sourced by individual employees need to be managed safely. The challenges include registering unknown devices, provisioning them with required apps (including security apps), and ensuring that access from the devices to corporate applications is controlled in accordance with the organization’s policies.
Another major issue is shadow IT, the tendency for employees and departments to use software-as-a-service (SaaS) applica.tions without the knowledge of the IT organization. Often this behavior is caused by the perception that acquiring access to applications is difficult and takes too long. Security and compliance are both threatened when IT is unable to monitor or control access to those applications and the data they store. Organizations need to simplify access to authorized applications so it is easy for employees to do the right thing.
A recent study predicts that 92 percent of computing workloads will be processed in cloud data centers by 2020.1 The migration of business applications to the cloud is a major challenge because enterprises typically have limited access to identity information and events within cloud platforms and SaaS applications.
In addition, because most organizations manage a hybrid environment, they need a single, consistent view into all identity data across on-premises and cloud applications. Further, they would like to be able to model, provision, monitor, and revoke permissions across environments that include both cloud platforms and traditional corporate data centers.
Most existing identity governance products are designed to work with structured data. However, the industry analyst firm IDC has estimated that 90 percent of digital information consists of unstructured data, including documents, videos, and other types of files, as well as email messages, blog posts, and messaging and chat sessions.
Today, some of the most serious security risks are created in situations like these:
- When Li in sales downloads a customer list from Salesforce, and attaches it to an email message.
- When Arnab in HR downloads employee information, including compensation and Social Security numbers, to a spreadsheet and saves it on a SharePoint server.
- When Sally in engineering uploads product design files to Dropbox, and invites a supplier to access them.
To manage these risks, organizations must be able to keep track of vast amounts of unstructured data, determine which files and folders contain sensitive information, and control who has access to that information.
The Benefits of Identity Governance
Reduced risk and improved security
Identity governance technologies and processes are designed to give people access to the computing resources they need, but no more. This “need to know” approach to access reduces the risk of security breaches. It also minimizes the damage that can be done if a hacker acquires user credentials or an insider goes rogue.
Identity governance processes help organizations eliminate common weak points that hackers exploit, such as:
- Weak passwords
- Orphaned accounts (dormant accounts of former employees)
- Entitlement creep (excessive access rights that employees accumulate as they change roles)
- Violations of separation-of-duties (SoD) policies (controls that divide responsibilities to prevent individuals from committing fraud)
Numerous government standards and industry regulations, such as Sarbanes-Oxley, HIPAA, PCI DSS, and the EU GDPR, require enterprises to prove that they have policies and IT controls in place to ensure that only people with a need to know have access to sensitive information.
Organizations must not only implement appropriate policies and controls, they must also prove that these are in place and working. Documenting this can be extremely expensive and time-consuming.
Identity governance tools automate the process of certifying access, and provide a wealth of reporting capabilities required for audits.
A SailPoint white paper, Get Compliant and Stay Compliant, provides useful advice on using identity governance to improve compliance. You can find it at https://www.sailpoint.com/resources/get-compliant-and-stay-compliant/.
Empowerment of employees and increased productivity
Identity governance solutions empower employees by ensur.ing that they have access to the applications and systems they need, every time they need them.
The best identity governance tools can also:
- Increase the productivity of end users by providing self-service capabilities to reset forgotten passwords and request new access
- Increase the productivity of business managers by reducing time spent certifying access permissions
- Increase the productivity of IT staff by minimizing the volume of helpdesk calls related to password reset and access requests
In the next two chapters of this guide we look at how identity governance delivers these benefits.
You might also be interested in:
Find out how SailPoint can help your organization.