
Identity governance and administration in a digital world: #GovernanceForAll

(Image credit: Dom J / Pexels)

When Thomas Friedman wrote his ground-breaking book The World Is Flat in 2005, he focused on the ways in which technology transformed global economies. The book proposed that new technologies were ushering in the third stage of globalisation, one based on individuals competing, connecting, and collaborating in a new global economy. Since 2005, digital business models have continued to flatten the world, bringing with them the fourth Industrial Revolution. According to the World Economic Forum, Globalization 4.0’s Digital Economy and Society encompasses six main principles: good digital identities; data sharing and permissions; access and adoption; securing people and processes; sustainable digital transformation; and informed, agile governance. As organisations embrace digital transformation to streamline business operations and create better customer experiences, managing identity and access must align with these principles.

*What does "good digital identity" mean?*

The World Economic Forum maps the concept of good digital identities to civic participation, banking and capital markets, financial and monetary systems, agile governance, and blockchain. Unfortunately, while these mappings show where good digital identities are necessary, they lack guidance about how to create them.

Creating good digital identities starts with the definition of the user. In a globalised, cloud-driven world, defining users increases in complexity. For example, definitions of users can be:

  • Employees
  • Customers
  • Vendors/Contractors
  • Internet of Things
  • Bots
  • APIs
  • Serverless
  • Server IDs

To align with the World Economic Forum’s definition of good digital identity, organisations need solutions that help them manage these diverse definitions. Before securing identities, you need to define them and create holistic access governance programs that prevent excess access and privilege misuse that lead to data breaches.

*How identity governance and administration strengthens data sharing and permissions for the digital economy*

Globally, regulatory bodies and industry standards organisations worry about the impact of digital transformation on people’s privacy rights. Stringent data privacy regulations such as the European Union General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) highlight the importance of establishing digital identity governance. Protecting privacy relies on ensuring that all user identities retain the right access to the right resources at the right time for the right reason.

Complex, interconnected cloud ecosystems often obscure visibility into data access, leaving information at risk. Users access a multitude of applications across the IT architecture that streamline their job functions. Unfortunately, traditional application-level permissions create a variety of new risks in cloud ecosystems, including but not limited to segregation of duties (SOD) violations within ERP platforms and excess access to information that violates data-sharing regulations.

However, these risks only scratch the surface of data sharing and permissions problems. Across industries, organisations increasingly adopt the Internet of Things (IoT) devices. Critical infrastructure organisations, such as those in the oil and gas industry, connect IoT devices to their SCADA sensors. On the other end of the spectrum, healthcare organisations incorporate IoT devices to better monitor patients.

To comply with data sharing and permissions regulatory requirements, organisations need identity governance solutions that encompass all identities while also providing detailed entitlements. Equally important, they need a way to ensure that their access request, review, and certification process for provisioning access meets “least privilege necessary” requirements.

Broad, application-level entitlements risk violating data sharing compliance requirements because any identity holding one can access all data within the application. Creating fine-grained entitlements that limit access not just to the application but to specific data and functions within it promotes enterprise cyber hygiene and protects consumers.

*Why focusing on access and adoption prevents fraud and strengthens infrastructures*

The Access and Adoption principle maps across a variety of technological, social, and geopolitical issues. At the enterprise level, Access and Adoption maps to fraud prevention by protecting business integrity and promoting security over digital communications and infrastructures.

Cloud migration strategies increase data access and security risks. In complex cloud infrastructures, organisations often struggle to maintain compliance with SOD policies. Ultimately, the lack of governance places the organisation at risk for fraud. For example, giving the same employee access to both accounts receivable and accounts payable increases the potential for embezzlement. Multi-cloud infrastructures increase this risk since each cloud environment uses its own set of identity definitions, and each application within a cloud environment adds another layer of user definitions, all of which require individual monitoring to prove identity governance.
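The two governance checks described above, fine-grained entitlements instead of broad application-level ones and SOD conflicts such as the accounts receivable/accounts payable pairing, can be expressed as a small access-review routine. The following is an added example written for this page, not code from the article or from Saviynt; the entitlement model, the SOD rule format and the sample identities are constructed assumptions. It treats an application-level wildcard entitlement as reaching every scope in that application, which is why a broad entitlement also trips the SOD rule.

```python
"""Added example: reviewing identity entitlements for SOD conflicts and
broad application-level access. Constructed model, not a product API."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Entitlement:
    application: str
    scope: str  # fine-grained scope inside the app; "*" means the whole application


@dataclass(frozen=True)
class SodRule:
    """Two scopes in one application that a single identity must not hold together."""
    name: str
    application: str
    scope_a: str
    scope_b: str


def holds_scope(entitlements: Set[Entitlement], application: str, scope: str) -> bool:
    """True if the identity can reach `scope` in `application`, either through a
    fine-grained entitlement or through a broad application-level ("*") one."""
    return any(e.application == application and e.scope in ("*", scope)
               for e in entitlements)


def sod_violations(entitlements: Set[Entitlement], rules: List[SodRule]) -> List[str]:
    """Names of the SOD rules an identity violates."""
    return [r.name for r in rules
            if holds_scope(entitlements, r.application, r.scope_a)
            and holds_scope(entitlements, r.application, r.scope_b)]


def broad_entitlements(entitlements: Set[Entitlement]) -> List[str]:
    """Applications where the identity holds whole-application access."""
    return sorted(e.application for e in entitlements if e.scope == "*")


def review_access(identities: Dict[str, Set[Entitlement]],
                  rules: List[SodRule]) -> Dict[str, Dict[str, List[str]]]:
    """Return findings only for identities with at least one problem."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for who, ents in identities.items():
        sod = sod_violations(ents, rules)
        broad = broad_entitlements(ents)
        if sod or broad:
            findings[who] = {"sod": sod, "broad": broad}
    return findings


# Constructed SOD policy: the AR/AP pairing used as the article's example.
SOD_RULES = [SodRule("AR/AP conflict", "erp", "accounts_receivable", "accounts_payable")]

# Constructed sample identities, including a non-human service identity.
SAMPLE_IDENTITIES: Dict[str, Set[Entitlement]] = {
    "alice": {Entitlement("erp", "accounts_receivable"),
              Entitlement("erp", "accounts_payable")},
    "bob": {Entitlement("erp", "*")},
    "carol": {Entitlement("erp", "accounts_receivable"),
              Entitlement("crm", "contacts")},
    "svc-invoice-bot": {Entitlement("erp", "*"),
                        Entitlement("erp", "accounts_payable")},
}

if __name__ == "__main__":
    for who, finding in review_access(SAMPLE_IDENTITIES, SOD_RULES).items():
        print(f"{who}: SOD={finding['sod']} broad={finding['broad']}")
```

Running it flags alice for the AR/AP conflict, bob and the service identity for both the conflict and whole-application access, and leaves carol clean; a real IGA deployment would source the entitlements from the connected applications and run this logic as part of the access request and certification workflow rather than against a hard-coded dictionary.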

As the enterprise scales, so scales its cloud, and each new access point creates a new risk. Access to these cloud infrastructures requires that organisations adopt equally scalable IGA solutions that enable the access management programs necessary to mitigate risk.

*How to secure people and processes to create sustainable digital transformation*

The World Economic Forum’s definition of sustainable digital transformation incorporates innovation, entrepreneurship, and leadership in the fourth industrial revolution, all of which rely on organisations securing people and processes as part of their IT programs.

With privilege misuse considered a key data breach risk in the 2019 Data Breach Investigations Report, cybersecurity research supports the position that identity is the new perimeter. Securing data by securing people and processes requires organisations to embrace innovation so that they can become leaders in the new digital world.

Not all data incidents are large data breaches. A small data leakage, arising from excess access or employee privilege misuse such as snooping, leaves organisations at risk for compliance violations. Many compliance violations incorporate high fines. For example, the Portuguese supervisory authority fined a Portuguese hospital 150,000 euros for allowing “indiscriminate access to an excessive number of users.” Securing people, therefore, means creating a robust access governance program that incorporates limiting access to information and enforcing access policies.

Similarly, organisations need to secure automated identities. Whether IoT, Bots, APIs, serverless, or server IDs, non-human identities pose data and financial risks that must be addressed in order for digital transformation to remain a sustainable business model. If the risks arising from these new identities lead to economic losses, then digital transformation becomes untenable.

Diana Volere, Chief Evangelist, Saviynt

Diana is a strategist, architect, and communicator on digital identity governance and security with a passion for organizational digital transformation. She is the Chief Evangelist at Saviynt and has spent the past twenty years in product and services organizations in the IAM space.