We live in an ever-evolving, perimeter-less world. In this new age, anyone has the potential to access anything from anywhere. As a result, infrastructures are fundamentally borderless, critical data is cloud-based, and users can work from anywhere across the globe. On the one hand, the loss of perimeters has enabled innovation, boosted productivity, and significantly reduced organisational overheads. On the other, it has introduced more risk, with data breaches occurring daily at an average cost of US$4 million.
Organisations today have a new ‘perimeter’, so to speak: their users. Every user (including non-human identities) in an organisation is now linked to a slew of applications and data they need to access to do their jobs. That said, without a proper identity governance program in place, the flexibility users gain to do their jobs does not matter if it is not secure. Compromised user credentials are often the main culprit behind data breaches and cybercrime. Despite this, a huge number of organisations fail to build a robust identity program to help mitigate risks. It’s a catch-22: giving users the freedom to do their jobs while putting protocols in place to maintain security.
Here’s the good news – there is one line of defence that remains powerful to borderless organisations: identity. A comprehensive identity governance program validates access rights across the enterprise for all applications and data, providing a trustworthy foundation for the business. Managers don’t have to be IT experts to understand their organisation’s identity posture. In fact, there are a few fundamental questions that can be asked of any identity management strategy to help shed light on how mature it is.
The first consideration needs to be whether or not an organisation has an accurate and up-to-date inventory of its identities. The best way for a business leader to envision an identity is as a container that collects and holds all of a user’s access rights across the enterprise. An identity will contain many user accounts, but there will only be one identity record per user.
Each identity will be connected to a list of user roles and access rights based on predefined policies. These permissions should be used throughout the enterprise to associate specific user credentials and rights with a system account, for example, restricting financial or human resources files to senior team members.
Too often, the terms ‘identity’ and ‘account’ are used interchangeably, but in organisations seeking a robust and holistic identity management position, they should be considered related, but totally separate. And the best way for business leaders to get a sense of where the organisation is in terms of its identity journey is to ask: are we clear on what identities we have, and how they are being managed?
Secondly, it’s critical to understand the end-to-end authentication process in the business. It’s common to find that mature infrastructures and teams lose track of authoritative systems and account stores due to the rising complexity of their environments. This is usually the result of the proliferation of user accounts, shadow IT practices and an increase in devices, all of which make it tricky to keep up.
Business leaders wanting to understand the role authentication plays in their identity governance strategy need to ask: how does the business’s authentication work?
And finally, regardless of the maturity level of an organisation’s identity program, the foundation of success lies in the processes in place for managing credentials. While manual processes can be successful with enough rigour, automation is necessary to minimise human errors – especially in enterprises with thousands of users including full- and part-time staff, contractors, freelance workers and business partners accessing their systems.
Understanding the business processes in place to support identity governance, alongside the approval process for creating, maintaining and eventually shutting down a user account, is the true goal of any identity program. Business leaders need to understand the basics in order to judge whether they are providing enough support for their identity programs and to take a ‘govern all’ approach to their cyber strategy.
Today, identity governance is a critical first line of defence for every organisation seeking to reduce the risks associated with data loss. Business leaders don’t have to be experts in the details, but it is critical for them to understand the fundamentals of identity in order to drive a secure yet open company culture. By investing in understanding these three elements of identity from the get-go, business leaders are guaranteed to have more successful risk management programs for the long haul, protecting their organisation along the way.