Uncovering a decade of myths about identity governance

(Image credit: Dom J / Pexels)

A lot can happen in a decade. For the 80s it was the personal computer. In the 90s it was the World Wide Web. Not to mention the iPhone, which burst onto the scene in the early 2000s. As the years roll by, technological advancement continues to make huge strides for humankind, but it also changes the way we protect ourselves.

Across the globe, technology continues to evolve the face and shape of every organisation. This evolution has swept organisations all over the world—big and small—and it’s referred to as a digital transformation. It may sound like the buzzword du jour, but the digital transformation has been and continues to be a challenge for enterprises, particularly when it comes to governing the access that employees need to the slew of new technologies hitting the workforce today.

Through all the handoffs of cybersecurity to protect people in organisations – from firewalls to access management to a solid identity governance program – many organisations are left confused about how to combat the threats facing them and, unfortunately, more than a few myths have persisted. Hackers have become increasingly crafty in the past ten years, and are now targeting one of the most pivotal parts of an organisation: its people. To protect, you must educate. Let’s debunk some of these myths that have persisted for the last decade.

Myth #1: Provisioning will solve everything under the sun for my governance problems

For years, many provisioning solutions did a decent job of adding and deleting users. Today, they are not nuanced enough for legitimate governance. Not only do they lack the broad application coverage required to meet compliance, but they also struggle to report “who has access to what” and continue to be too technical for business users.

Granting or removing access does not address the more significant issue of security. Identity governance helps with automating provisioning processes through a governance-based approach. This approach will allow enterprises full visibility over their users, applications, and data to be able to answer the three paramount questions:

  • Who has access to what?
  • Who should have access?
  • What are they doing with that access?

Myth #2: Role management is the key to solving everything

Ten years ago, Oasis was still a band, and the identity industry believed that role management was the cure for what ailed us. While it is true that role management can provide business context to simplify identity management, it is a means to an end but not the key to solving everything identity-related. Roles can be employed as components of identity governance solutions, when and where they are useful, but they are not the only requirement for strong enterprise security.

Myth #3: Identity governance doesn’t work with or in the cloud

Back in the day, legacy provisioning and identity management solutions were delivered entirely from on-premises and only managed on-premises systems. Enter cloud applications, storage, and infrastructure. Not only has cloud become the preferred method of deployment for many enterprise identity programs, but identity governance has evolved to ensure that on-premises applications, cloud applications, and data found in cloud storage are all governed in a consistent and efficient manner. Moreover, with the rapid adoption of cloud infrastructures, such as Amazon AWS and Microsoft Azure, enterprise organisations are also leveraging their identity solution to secure and govern access, protecting where some of the most valuable information is stored.

Myth #4: You only need identity governance if you’re subject to regulatory compliance

When the Sarbanes-Oxley Act (SOX) was first enacted, identity governance initially emerged as a new category of identity management to improve transparency and manageability within specific industries (i.e., manufacturing) to meet compliance regulations. Every organisation, regardless of whether it is subject to regulations, needs to strengthen controls over access to sensitive data and applications.

To be secure, regardless of the ever-changing regulatory landscape, today’s organisations must put in place preventive and detective controls. These controls can protect all kinds of data – embedded in applications, stored on file shares and in the cloud, and even on mobile devices.

Myth #5: Not my problem! Identity governance is an IT issue

Eons ago, it was common for IT to be solely responsible for identity governance. Business application owners were not held accountable for compliance with internal controls, even though they understood how the systems were being used and which employees needed access to applications and data. As a result, IT shouldered responsibility for a set of risks that were actually business risks. Here’s what we know now: the business side of the house must assume some, if not all, ownership for identity governance and team with IT to ensure it is appropriately included in the organisation’s overall identity program.

Myth #6: Identity governance and security are separate

Myth #7: Identity governance is designed for large companies only

Enterprise organisations of all sizes need identity governance. The idea that identity governance is only intended for very large enterprises may have been right ten years ago, but today organisations experience fundamentally the same challenges, no matter their size.

If you peer into today’s organisation, identity is consumed and leveraged across a broad spectrum of organisations that range in size and industry focus. Identity is a crucial component to ensuring access to data—no matter where it resides—is well protected. However, identity is not only used for security reasons. With the growing wave of data privacy laws, notably GDPR, these organisations, big or small, are now all subject to one or more compliance regulations that require them to implement and enforce access policies and also have a way to document and prove compliance.

Myth #8: Access management and single sign-on will solve my identity needs

Organisations are utilising access management to balance ease of use and authenticated access to a variety of cloud and on-premises applications from anywhere, on any device. While this enables users with the convenience needed today for 24/7 access, organisations must consider the bigger picture and take a more strategic approach to managing their identities.

To establish a truly secure environment, organisations must address identity governance to control and govern each user’s access after the single sign-on. By integrating identity governance with an existing access management solution, organisations can automate the governance controls needed to mitigate the risk of a security breach and enforce compliance policies, while managing the demands of today’s modern workforce.

Myth #9: It’s too difficult to show the return identity governance provides

Finally, the last myth is about driving a quick return on your investment when it comes to identity governance. The fact is that identity governance is key to implementing policy-driven automation, which can result in big cost and time savings.

According to Forrester, users forget their passwords about five times a year. If those users are required to call a help desk for manual assistance, this not only slows down user productivity but also incurs costs that stack up quickly — a 15-minute help desk call to manually reset a password on average costs companies $30 a call. Depending on your organisation size, you can probably do the math pretty quickly and estimate an initial return. Other examples include streamlining employee Day 1 on-boarding as well as optimising access review and certification efforts from months to weeks.

The power of identity

Even by debunking persistent myths, some may still believe that identity is just about governing access to specific applications or systems, but here’s one takeaway to not forget: identity is far more than access. Identity goes beyond the network, and ties into both endpoint and data security. It takes information from every piece of an organisation’s security infrastructure and ties it all together. Identity gives much-needed context to everything an employee, partner, supplier, contractor, etc. does to the entire enterprise infrastructure.

Identity is everything today. In this age of the digital transformation, the business world moves quickly, entails more types of applications and data, involves more types of users whose access needs close governance, and is exponentially more complicated for IT to enable than ever before. By adopting an identity governance strategy that encompasses the entire organisation, you can properly secure and govern your organisation’s identities and their access. That’s the power of identity.

Jacqueline Brinkerhoff, Senior Director of Product Marketing, SailPoint