Certain junctures in history have created unintended dichotomies: haves and have nots, protected and unprotected. In cybersecurity, COVID-19 has shown us whether an enterprise is well ahead of the digital transformation curve or woefully behind. Those who've transformed have also embraced a security approach that de-emphasizes perimeter defense and instead elevates identity.
Many organizations have rushed to provision IT services such as a virtual private network or other access controls to enable a virtual workforce, but identity is much more than merely providing access gateways to resources. Access without oversight merely increases the attack surface for an enterprise. Using identity well means that oversight — known as identity governance — must be in place to ensure that any access provided is useful, appropriate, and necessary.
This kind of wisdom is not mechanical, of course. Identity governance is more than identity management — merely managing accounts and their access, which, when done in a rushed, utilitarian manner, can grant unnecessary and dangerous access to sensitive data and resources. Thus, a short-sighted approach that focuses merely on access can do more long-term harm than short-term good. Identity governance uses a comprehensive view of identity (both human and nonhuman) to evaluate that identity's attributes, access, and behavior to determine what access is appropriate for a given context.
Furthermore, it allows an organization to create a coherent security policy, based on identity, that spans all applications, data, and infrastructure. An audit record can document the successes and failures of this policy. Ideally, using identity in this way is an approach that learns from this historical record and takes input from both machine learning as well as from human insight. Rather than being tactical, identity governance is a strategic investment — it can provide an adaptable approach as identities, infrastructure, and business initiatives evolve.
The resiliency of an identity governance approach has been demonstrated over the last few months, as there has been a rise in workforce volatility: Enterprises are seeing new demands to govern newly remote workers, to onboard new contingent workers, and to pause employment for those being furloughed. These are business-driven demands that cannot be met, securely or at scale, with access alone.
Developing identity as the core of a security strategy — strategically implementing identity governance for an organization — grants this unique blend of contextual awareness and flexibility. Rather than being an optional add-on, it is essential to any enterprise seeking not just to survive in this new reality but to thrive.
Organizations can do four things to rapidly mature their identity program and better secure corporate resources:
Identity governance is now an essential for any organization. The world has shifted, and identity must be the foundation of every business around the world.