Filling the identity-shaped holes in business security
IT leaders are under tremendous pressure today - and it is only getting worse. Not only are they charged with enabling users to be productive, but they must also act as the virtual gatekeepers of enterprise security. These teams address rising threats and compliance challenges amid the digital transformation, which nearly every organisation is undergoing. It can be overwhelming.
By Juliette Rizkallah, Chief Marketing Officer, SailPoint
As a result, many IT departments are so caught up in managing the day-to-day that overarching cyber security priorities can start to fall by the wayside.
To help tackle this growing issue, SailPoint recently unveiled an in-depth self-assessment for organisations to evaluate their identity strategy as part of their broader cyber security programme.
Based on that input, we developed an Identity Score - similar to a credit score - to help organisations understand where they could afford to improve their identity programmes for long-term success. Upon analysing 450 of those self-assessments and resulting Identity Scores, we created the industry’s first benchmark, called the Identity Report.
The results of the report go a long way in helping IT leaders to develop a roadmap to systematically improve their security and compliance programmes into 2019 and beyond. Here are the key findings.
Implementing identity to the fullest
The good news is that 54% of organisations have an identity programme. That figure suggests the scales are tipping in favour of a comprehensive approach to security, which must include identity. The bad news is, there is a very long way to go when it comes to maturing those programmes to do all that they were designed to do.
For example, less than half of the provisioning of user access to applications and data in the respondents’ identity programmes is automated. This presents an issue as the number of identities, both human and non-human, and the volume of data and applications continue to proliferate.
Automation is critical for IT teams operating with limited resources. Humans simply can’t operate at the speed of the digital transformation that nearly all enterprises are going through. Without the full capabilities of identity management in play, identity policies can’t be effectively enforced, leaving both security and compliance gaps wide open.
You can’t govern what you can’t see
Beyond governing users and their access to critical business applications, the new million-dollar question for identity programmes is: "Who has access to what data?"
With data breaches sometimes costing millions, it indeed is a million-dollar question that many organisations still cannot answer. The majority of enterprises that took the assessment - 71% - couldn’t produce a full report on their users and their access to systems and data, spelling trouble in the event of a data breach or audit.
These blind spots create a 360° level of risk, where a potential threat could sneak by from any angle. Without a 'single pane of glass' view, enterprises cannot have all the information they need to make the right decisions on who should have access to what, much less see what users are doing with their access and whether or not it’s appropriate.
Cloudy with a chance of ungoverned access to data
For today’s enterprises, data has become the ‘new oil’. It’s increasingly valuable, yet it is becoming more and more difficult to maintain that ‘oil well’ to ensure the commodity in question is stored, managed and distributed in a responsible manner. Data is running rampant and growing exponentially, yet only 9% of organisations are governing and monitoring access to all sensitive corporate data.
The fact that most corporate data is now stored outside of structured apps and systems, and is available through cloud-based file-sharing applications, adds a further layer of complexity. That was evident in SailPoint’s findings, as the governance of access to data stored in structured systems outpaced that of data stored in files by 14%.
With compliance around data privacy becoming a top priority for businesses, organisations must govern access to these resources, which range from financial data and healthcare records to personal employee information. Put simply, a comprehensive approach to identity must include governing access to files, allowing real-time monitoring and automatic alerts to accurately control and govern access to data stored in both structured and unstructured systems.
Where identity comes in
Ultimately, as technology continues to evolve, it is likely that cybercrime will too. To get ahead of the fraudsters, it is imperative that businesses have full visibility over who has access to what, and who should have access. Identity governance treats the overall problem of unbridled access to what hackers find most valuable - the identities that hold the keys to valuable systems and data.
By building an identity programme, businesses are better equipped to understand which users have access to sensitive applications and data, helping to spot potential threats before the damage is done - that is the power of identity.