“There are decades where nothing happens; and there are weeks where decades happen”. For businesses up and down the country, this quote from Vladimir Lenin is an accurate description of digital transformation efforts during the pandemic. But, as businesses race to find digital solutions to support the shift to remote working and fully online customer interactions, they are facing a tsunami of internal and external threats and the growing burden of regulatory compliance.
Case in point: British Airways’ (BA) £20m fine from the UK Information Commissioner's Office (ICO) for ‘failing to protect the personal and financial details of more than 400,000 of its customers’. While the final figure was less than the airline might have feared, it was a sign of a wider trend: the monetary cost to UK business of regulatory non-compliance is ratcheting up at a time when cost pressures are at their most acute. Furthermore, with millions of employees working from home increasing the amount of (unfamiliar) devices and variables for security teams to account for, it is harder than ever for businesses to ensure that privacy and data protection best practices are being followed consistently.
Empowered by a new wave of privacy laws like the California Consumer Privacy Act (which was recently strengthened in a state vote) and the EU’s General Data Protection Regulation (GDPR), regulators across the globe have shown they are increasingly willing to issue heavy fines for companies that don’t adequately safeguard personal data.
And, when you factor in the reputational penalty of falling afoul of consumers who are increasingly demanding not just security but control over their personal data, it becomes clear that compliance is no longer solely a legal or reputational matter - it is a commercial imperative.
So how can companies future-proof themselves against rising regulatory risks, in an environment defined by cost-saving and amid an ever more complex cyber-threat landscape?
Digital identity is the watchword for security-conscious organizations
You can only reduce risk if you can understand and measure it - and digital identity is the cornerstone for cross-organizational risk analysis and data analytics for employees and customers.
Without a centralized identity infrastructure in place, an organization cannot use contextual authorization and adaptive risk features to verify the authenticity of users, devices and things continuously throughout a session and mitigate risk whenever an anomaly is detected. This restricts an organization's ability to find out when violations occur or to reliably remediate them, exposing corporate assets and harming overall security posture.
Unfortunately, many organizations lack this centralized approach to identity. In the rush to bring new digital-first offerings to customers and employees, businesses often fall back upon a patchwork of identity systems, leaving them with a wild mix of legacy, home-grown, and standard identity and access management (IAM) products to secure and manage the identities of users and their access to their services, applications, and systems.
This fragile enterprise security IT environment has only been made worse by the pandemic as UK businesses continue to have millions of employees working from home for the foreseeable future, requiring businesses to introduce myriad new policies and procedures in response.
‘Shadow identity’ and regulatory risk
The lack of a centralized identity infrastructure can also lead to the growth of ‘shadow identities’ within an organization.
Similar to the problem of ‘shadow IT’, shadow identity refers to the identity silos formed when different departments within a business create and run their own identity systems. Again, this is typically a by-product of the rush towards digital. Business units are racing to deliver new digital services independently and, when they realize they need an identity system to support it, they create or buy on their own. This solves a short-term problem for that team, but creates much bigger longer term issues as organizations end up with multiple and separate sets of identities for the same customers, with no single view of the customer and no mechanism for responding to customers’ preferences across all touchpoints.
In addition to degrading customers’ experience, this lack of visibility leads to major compliance challenges and can lead directly to privacy failures and internal and external compliance risks. For example, if a customer decides to make use of their rights under GDPR and requests to opt-out of receiving marketing emails, or even to issue a subject access request for all data held on them by the business, that company must cross-reference that customer’s data across the entire organization in order to comply with the regulation. If customer data is siloed in a shadow identity system, this task becomes very difficult, if not impossible.
Visibility of and access to customer data across business units and geographies is therefore a crucial requirement for complying with current and future data regulations which are increasingly encouraging a ‘fair exchange’ between businesses and consumers, starting with data transparency.
AI and IGA are the secret sauce to secure the enterprise
So how can businesses deliver this fair exchange? The answer is likely to involve the application of artificial intelligence (AI) to the world of identity, specifically identity governance.
Identity governance and administration (IGA) solutions are used to handle access request approvals, certifying user access levels and back-end user account provisioning. These systems were once fairly simple but today they are expected to work across multiple siloed environments with millions of access privileges spread across legacy and modern applications; on both on-premises and cloud environments.
One of the biggest internal risks for any organization comes from the number of sensitive applications and the volume of employees who have access to applications and their entitlements. Even a medium-sized business is likely to have many applications, each with hundreds, if not thousands, of user entitlements and each entitlement brings some degree of risk.
The pandemic has complicated this further, as organizations rush to onboard thousands of new employees to systems and applications that allow them to work remotely. Many businesses still rely on manual processes or scripts to grant immediate access to users, monitor and monitor said access. Some even have to rely on combing through emails and spreadsheets to properly audit and reconfigure users’ access. You don’t have to be that large a business, or to have that many users, before this approach becomes completely unsustainable.
BA’s recent episode highlights the dangers of getting IGA wrong. Not only did it store credentials for a privileged domain user in plain text but it took three months to detect the anomalous behavior, suggesting a deeper failure to monitor internal user access privileges and flag suspicious activity.
This is why automation - and machine learning - is now critical to effective IGA. With smart use of AI, IGA systems can prevent security and compliance teams from missing anomalous behavior, while also automating high-confidence access approvals, recommending low-risk accounts for certification, re-certifying high-risk accounts, and automatically removing unnecessary roles.
This frees up security teams to focus on high-level threats which require their attention, reducing time spent on resource-intensive manual reviews, while maintaining an overall view of internal security posture - even when employee credentials have been compromised as in the case of BA.
Effective, modern IGA and IAM are now commercial imperatives
As we accelerate towards a digital-first future, an organization’s approach to identity can make or break the business. A smart, centralized and flexible IAM system can be a powerful and scalable foundation to achieve regulatory compliance, stitch together customer and employee information across business units and manage internal access privileges. A cumbersome or fragmented identity system will leave you exposed to internal and external threats and undermine your ability to innovate, at a time when organizations are under more pressure than ever to do exactly that.
Tim Bedard, Senior Director of Product Marketing, ForgeRock