Certain junctures in history have created unintended dichotomies: haves and have nots, protected and unprotected. In cybersecurity, COVID-19 has shown us whether an enterprise is well ahead of the digital transformation curve or woefully behind. Those who've transformed have also embraced a security approach that de-emphasizes perimeter defense and instead elevates identity.
Many organizations have rushed to provision IT services such as a virtual private network or other access controls to enable a virtual workforce, but identity is much more than merely providing access gateways to resources. Access without oversight merely increases the attack surface for an enterprise. Using identity well means that oversight — known as identity governance — must be in place to ensure that any access provided is useful, appropriate, and necessary.
This kind of wisdom is not mechanical, of course. Identity governance is more than identity management — merely managing accounts and their access, which, when done in a rushed, utilitarian manner, can grant unnecessary and dangerous access to sensitive data and resources. Thus, a short-sighted approach that focuses merely on access can do more long-term harm than short-term good. Identity governance uses a comprehensive view of identity (both human and nonhuman) to evaluate that identity's attributes, access, and behavior to determine what access is appropriate for a given context.
Furthermore, it allows an organization to create a coherent security policy, based on identity, that spans all applications, data, and infrastructure. An audit record can document the successes and failures of this policy. Ideally, using identity in this way is an approach that learns from this historical record and takes input from both machine learning as well as from human insight. Rather than being tactical, identity governance is a strategic investment — it can provide an adaptable approach as identities, infrastructure, and business initiatives evolve.
The resiliency of an identity governance approach has been demonstrated over the last few months, as there has been a rise in workforce volatility: Enterprises are seeing new demands to govern newly remote workers, to onboard new contingent workers, and to pause employment for those being furloughed. These are business-driven demands that cannot be met, securely or at scale, with access alone.
Developing identity as the core of a security strategy — strategically implementing identity governance for an organization — grants this unique blend of contextual awareness and flexibility. Rather than being an optional add-on, it is essential to any enterprise seeking not just to survive in this new reality but to thrive.
Organizations can do four things to rapidly mature their identity program and better secure corporate resources:
- Perform a full audit. They must audit identities' access to systems, applications, and data across the entire enterprise. Identify weak areas in visibility over users' access to any corporate resource and determine the current status of the identity program today versus its ideal state. Don't forget to determine the level of connectivity among each part of the security environment. And from there, it's important to ensure that every system, resource, and business unit is engaged with the organization's identity governance solution.
- Embrace automation for all identity processes. Less human involvement is more when it comes to identity governance. Employ innovations such as artificial intelligence (AI) and machine learning (ML) technologies to automate and accelerate decision-making in identity processes. When users either join, move within, or leave the company, access should be modified and checked against security policies to enforce "least access" principles. Enable self-service where appropriate, including password resets and access requests. Build a channel for users to request the procurement of new applications that is driven by ease of use.
- Get control over data. Sensitive data represents one of the largest attack surfaces for any organization and is ironically a weak spot in most security approaches. A tool that can discover data automatically in both structured and unstructured systems will be extremely beneficial, classifying corporate data and scoring it in terms of risk, marking certain files or repositories as sensitive information. You can't govern what you're not aware of, so it's important to find and classify all data within the enterprise — and extend identity governance to control its use.
- Regularly review and alter, if necessary, each aspect of the identity program. This includes more than standard processes like meeting audit requirements. Regular review is critical to the success of the program, given the constant changes in the roles and responsibilities of the identities that make up an enterprise. This is another area where AI and ML technology can help make informed decisions.
Identity governance is now an essential for any organization. The world has shifted, and identity must be the foundation of every business around the world.