Rethinking Identity in the Age of Risk
- By Terry Burgess, SailPoint
- July 20, 2020
While the definition of risk — a situation involving exposure to danger — has never changed, as a concept it has evolved considerably to meet the needs of modern business. Despite being a highly intuitive notion, risk remains rather vague and can be applied to a range of business scenarios, including competition, operations, and reputation. Even when restricted to the realm of access governance and administration, risk is still highly subjective.
Understanding the nuances of risk is crucial to CDOs today, regardless of their field. For example, risk to a financial services company differs greatly from that to a healthcare provider. In fact, the accurate modeling of risk heavily relies on what’s at stake for an individual organization in terms of policies, regulations, access patterns, access points (applications, file systems, tokens, assets, etc.), plausible threats, and several other potential liabilities. Identity governance, for example, is predicated on the principle that we should award strongly similar identities similar access.
The role of risk in identity
In identity, one person’s signal is another person’s noise. The most effective identity governance access profiles within an organization are therefore those that are similar across business units and within peer groups. Consequently, identities whose access patterns are dramatically and unjustifiably different from their peers should be considered a source of risk.
Consider for example the case of Jane, a senior analyst at the same organization for over 10 years. During this time, Jane has collaborated with countless teams on joint projects. She has also accumulated hundreds of access entitlements. As a result, her entitlement peers are VP-level executives. The issue with this scenario is that Jane — an active and effective employee — has not received any of the security training or oversight that a VP-level individual typically goes through. If any of Jane’s accounts are compromised, the damage might be hard to contain.
This situation is an example of an access ‘anomaly’. Identifying these inconsistencies and recommending an appropriate action (for example, triggering a special certification event, revoking unused access, or reassessing role assignments) improves security by mitigating the risk.
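The peer-group comparison described above, as an added example that is not from the article or any SailPoint product: each identity's entitlements are compared with the entitlements common to peers holding the same title, and an identity whose access drifts from its own peers or looks more like another peer group (here, an analyst whose access resembles the VPs) is flagged, with the excess entitlements listed as candidates for certification or revocation. The names, titles, entitlements and thresholds are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: identity -> (job title, set of entitlements).
# "jane" is a senior analyst who has accumulated VP-level finance access.
IDENTITIES = {
    "ana":  ("Senior Analyst", {"crm.read", "reports.view", "jira.user"}),
    "bo":   ("Senior Analyst", {"crm.read", "reports.view", "jira.user", "wiki.edit"}),
    "chen": ("Senior Analyst", {"crm.read", "reports.view"}),
    "jane": ("Senior Analyst", {"crm.read", "reports.view", "jira.user",
                                "finance.approve", "hr.payroll.read", "gl.post", "vendor.pay"}),
    "vp_a": ("VP", {"finance.approve", "hr.payroll.read", "gl.post", "vendor.pay", "reports.view"}),
    "vp_b": ("VP", {"finance.approve", "hr.payroll.read", "gl.post", "budget.sign", "reports.view"}),
}

def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as identical."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def peer_baseline(identities, title, exclude=None, min_share=0.5):
    """Entitlements held by at least min_share of the peers with this title."""
    # The identity under review is excluded so its own (possibly anomalous)
    # access cannot pull the baseline toward itself.
    peers = [ents for name, (t, ents) in identities.items() if t == title and name != exclude]
    if not peers:
        return set()
    counts = Counter(e for ents in peers for e in ents)
    return {e for e, c in counts.items() if c / len(peers) >= min_share}

def nearest_peer_group(identities, name):
    """Title whose peer baseline this identity's access most resembles."""
    ents = identities[name][1]
    titles = sorted({t for t, _ in identities.values()})
    return max(titles, key=lambda t: jaccard(ents, peer_baseline(identities, t, exclude=name)))

def find_outliers(identities, threshold=0.5):
    """Flag identities that drift from their own peers or look like another group."""
    outliers = []
    for name, (title, ents) in identities.items():
        baseline = peer_baseline(identities, title, exclude=name)
        similarity = jaccard(ents, baseline)
        closest = nearest_peer_group(identities, name)
        if similarity < threshold or closest != title:
            outliers.append({"identity": name, "title": title,
                             "similarity_to_peers": round(similarity, 2),
                             "resembles": closest,
                             # candidates for a targeted certification or revocation
                             "excess": sorted(ents - baseline)})
    return outliers
```

On the sample data only "jane" is flagged: her access matches the VP baseline more closely than her fellow analysts, and the four finance entitlements she holds beyond the analyst baseline are the ones to certify or revoke.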
Getting identity right, finding anomalies in the noise
To find these abnormalities, business leaders need to define the baseline by understanding what normal looks like. The most efficient way for business leaders to identify outlier identities is through entitlement and role graphs. Additionally, for business leaders starting on this journey, there are three steps to building a successful identity strategy.
- Improve user access experience and ease the burden on IT. Empower users to manage their passwords and simplify the process for gaining access securely. Seek technology that will evolve with the business, so that when users join or move within the organization, their access rights evolve with them — automatically and without the overhead of traditional approaches to access modelling. This will give the IT team time; time that can be spent understanding outliers and improving overall governance operations.
- Be proactive. Being proactive means anticipating problems, seeking new solutions and acting before a situation turns into a source of confrontation or crisis. You can take this a step further by adopting a preventative mindset, for example by using AI-driven identity to identify and address potential risk before it leads to a data breach. AI holds the power to automate best practice in identity and is the first step towards a more predictive, cognitive future of identity governance.
- Get real-time in decision making. Taking humans out of the equation speeds up important identity processes that traditionally require a lot of time and resources. Business leaders must seek the capabilities to evaluate access changes in real time to help managers and administrators make informed decisions.
For CDOs, the future will continue to be defined by risk. Understanding how to reduce risk, especially in the identity governance space, is a sure way to make a positive impact across business units and areas of concern.
Terry Burgess, vice president for Asia Pacific and Japan at SailPoint, wrote this article. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.