Time to Stop Avoiding the Governance Question
- By George Lee, RSA
- August 10, 2020
Today, organizations serve a growing and diverse user population. The proliferation of mobile and connected devices has led to an explosion in the number of accounts, access points and entitlements organizations must manage.
Amidst a global crisis, this has been exacerbated by employees working from home on a number of different devices and needing access to critical applications and sensitive information to do their jobs. In response, organizations pivoted to remote workforces to ensure business continuity, rushing out infrastructure such as authenticators and collaboration tools in record time.
Now is the time to talk governance
Often with haste, there is a short-term view to meet the immediate need with certain risks and security concerns filed under “worry about it later.” For organizations that have successfully achieved some state of business continuity, it’s now time to focus on understanding what exposure resulted from the emergency steps taken — what access was granted, to whom, for what purpose and for how long?
In most cases, organizations have found a rhythm working remotely but struggle to gain full visibility across the surge of devices and applications, creating the challenge of distinguishing legitimate devices and users from malicious ones. Identity governance and access assurance are critical given the increased threat surface and additional vectors for cyber criminals to exploit in the new work from home environments.
According to the World Economic Forum, hacking and phishing attacks will probably become the new norm for many organizations because of this sustained shift in remote working patterns. As markets globally report fresh waves of outbreaks in major cities, distributed workforces are here to stay. Mandates such as Singapore’s for office workers to continue working from home where possible are likely to persist for the foreseeable future, as telecommuting is seen to be an important preventive measure. With no end in sight, organizations must look to address employees’ heightened dependency on personal devices and home networks to access organization resources — or risk having these identities abused or falling into the wrong hands.
Change is Certain and Constant in the New Normal
While the re-certification of access rights is more critical than ever, the volume of access and entitlement data that would have to be reviewed in a re-certification far outpaces what an identity team can handle manually.
Organizations need a solution that provides continuous compliance, helps manage and provision user access and ensures compliance with regulatory and corporate mandates. By leveraging advanced analytics and automating common tasks, identity teams can reduce unnecessary access to systems and applications as well as the administrative burden. Not only will this make the transition to remote work less stressful while empowering employee productivity, it will also reduce the requests coming into the help desk, streamlining processes and simultaneously cutting IT costs, particularly as employees join organizations, transition roles and teams to fill gaps, or exit during this period.
For organizations who have rolled out new devices, applications and other tools to get their remote workforce up and running, here are four priority areas of governance to focus on:
- Enable risk-aware, context-driven governance by integrating risk management and access management in identity governance and lifecycle processes – instead of managing them as separate issues.
- Surface meaningful information for decisions by organizing activities by risk, priority and context, which can help reduce certification fatigue for business managers.
- Discover outliers and inappropriate access by using a risk-based approach to quickly identify outlying access requests, flag them and prioritize them for remediation.
- Automate processes so that in addition to providing secure access, you can fulfill it efficiently and effectively.
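The outlier and prioritization ideas in the list above can be made concrete with a small peer-group analysis. The following is an added example written for this page; it is not code from the article or from any RSA product. All users, peer groups, entitlements, sensitivity weights, the 50% prevalence threshold and the emergency-grant expiry dates are constructed sample data and assumptions. Each entitlement a user holds is compared with how common it is among that user's peers; rare, sensitive entitlements score highest, and emergency grants that have passed their intended end date are pushed to the top of the review list so the "what was granted, to whom, and for how long" question gets answered first.

```python
"""
Added example (not part of the original article or any RSA product): a small
peer-group outlier analysis over constructed identity data. It illustrates the
"discover outliers" and "surface information by risk" ideas from the list above.
Every user, department, entitlement, risk weight and date below is constructed.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample: entitlement -> sensitivity weight (higher = more sensitive).
ENTITLEMENT_RISK = {
    "vpn-access": 1,
    "crm-read": 1,
    "crm-admin": 4,
    "payroll-db-rw": 5,
    "prod-ssh": 5,
    "wiki-edit": 1,
}

# Constructed sample: user -> (peer group, entitlements held,
# {entitlement: intended end date} for access granted as an emergency measure).
USERS = {
    "alice": ("sales", {"vpn-access", "crm-read", "wiki-edit"}, {}),
    "bob":   ("sales", {"vpn-access", "crm-read"}, {}),
    "carol": ("sales", {"vpn-access", "crm-read", "wiki-edit"}, {}),
    "dave":  ("sales", {"vpn-access", "crm-read", "prod-ssh"},
              {"prod-ssh": date(2020, 4, 30)}),
    "erin":  ("eng", {"vpn-access", "prod-ssh", "wiki-edit"}, {}),
    "frank": ("eng", {"vpn-access", "prod-ssh", "wiki-edit", "payroll-db-rw"}, {}),
    "grace": ("eng", {"vpn-access", "prod-ssh"}, {}),
}


def peer_prevalence(users):
    """Fraction of each peer group that holds each entitlement."""
    group_size = Counter()
    holders = defaultdict(Counter)
    for group, ents, _ in users.values():
        group_size[group] += 1
        for e in ents:
            holders[group][e] += 1
    return {g: {e: n / group_size[g] for e, n in c.items()} for g, c in holders.items()}


def find_outliers(users, threshold=0.5, today=date(2020, 8, 10)):
    """Return (score, user, entitlement, reason) tuples, highest score first.

    An entitlement is an outlier when fewer than `threshold` of the user's peers
    hold it. score = sensitivity * (1 - prevalence); an emergency grant that is
    past its intended end date gets a fixed penalty so it surfaces first.
    The threshold and penalty are assumptions chosen for this example.
    """
    prevalence = peer_prevalence(users)
    findings = []
    for user, (group, ents, emergency) in users.items():
        for e in ents:
            p = prevalence[group].get(e, 0.0)
            if p >= threshold:
                continue  # common among peers: not an outlier
            score = ENTITLEMENT_RISK.get(e, 1) * (1 - p)
            reason = f"held by {p:.0%} of peers in '{group}'"
            expiry = emergency.get(e)
            if expiry is not None and expiry < today:
                score += 5  # stale emergency access outranks ordinary outliers
                reason += f"; emergency grant expired {expiry.isoformat()}"
            findings.append((round(score, 2), user, e, reason))
    findings.sort(key=lambda f: -f[0])
    return findings


if __name__ == "__main__":
    # Prioritized review list: a certifier sees the riskiest items first
    # instead of every entitlement in the organization.
    for score, user, ent, reason in find_outliers(USERS):
        print(f"{score:5.2f}  {user:<6} {ent:<14} {reason}")
```

In this constructed data the review list comes out with Dave's expired emergency `prod-ssh` grant first and Frank's `payroll-db-rw` second, while the common entitlements in each group never reach the certifier at all. In practice the peer group would come from HR attributes (department, role, manager) and the sensitivity weights from application owners, but the shape of the output, a short list ordered by risk rather than a full entitlement dump, is what keeps certification fatigue down.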
Governance makes things easier, not harder
As we transition to the next normal, organizations must prioritize strengthening their identity governance along with sound policies, workflows, audit capabilities, and a change management framework to assess and manage access risk in today’s distributed workforce. Focusing on understanding what may have resulted from business continuity actions and emergency steps taken at the onset of the crisis will provide necessary insights and make identifying identity and access risk easier, not harder.
Security, risk and IT teams must find ways to secure access and ensure compliance while supporting the speed of business. Identity governance needs to provide visibility combined with risk analytics to prioritize actions and share identity insights across the security and risk ecosystem. Identity can no longer be a siloed IT control — it must be integrated as a security and risk control.
George Lee, vice president for Asia Pacific & Japan at RSA, authored this article.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.