As organizations become more digital, the list of applications in use keeps growing and the spread of the Internet of Things (IoT) continues to accelerate. The Identity Management discipline has had to evolve to keep pace with these new technological capabilities.
Organizations are evolving alongside the technology. A Chief Information Security Officer, or CISO, is responsible for determining an organization's risk exposure and running the programs needed to reduce that risk as far as practical. It is increasingly common for security initiatives to be judged by how much risk they mitigate, and initiatives in the Identity Management domain are no exception.
As the Chief Technical Officer for an Identity Management consulting organization, I have had the privilege of discussing the challenges faced by scores of executives and their teams across many different verticals. In many cases, my teams and I assist in designing and implementing solutions to those challenges. The Identity Management discipline has many buzzwords for the techniques professionals use to mitigate risk, each offering a distinct way to identify and lower it.
To begin, let's start with Identity Governance (IDG). It is neither a new concept nor a complicated one. Identity Governance is the process by which access to data is reviewed by the appropriate individual(s) to confirm that the access is still necessary. In a correctly implemented Identity Governance program, all systems are prioritized, all accounts within them are cataloged, and certification campaigns are run so that every account is analyzed and either confirmed as necessary for someone or something to operate as intended, or revoked.
In essence, these regular reviews provide assurance that the provisioning processes are correctly implemented and functioning as intended. In short, Identity Governance is a self-audit of the organization's provisioning policies and procedures. People are involved in the provisioning process, and people are not perfect, so it is safe to assume that mistakes will be made. A good example is the "leaver" process. When a person leaves an organization, most or all of their access is supposed to be removed after their last day. An account mistakenly left active is a potential attack vector and therefore a risk to the organization; the certification process exists to catch exactly this kind of error and mitigate that risk.
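The leaver check described above is the easiest part of a certification campaign to automate: reconcile the HR feed against the account inventory and flag any enabled account whose owner has left. The following Python is an added example written for this article, not code from the author or from any Identity Governance product. It assumes a constructed HR feed (worker ID, status, termination date) and a constructed account export (system, account ID, owner worker ID, enabled flag, last login); both data shapes, the grace period, and the sample records are assumptions for illustration. It also goes slightly beyond the text by flagging enabled accounts with no HR owner at all, which are the orphaned and service accounts a certifier usually has to chase separately.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Worker:
    """One record from the HR feed (assumed shape)."""
    worker_id: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    """One record from a system's account export (assumed shape)."""
    system: str
    account_id: str
    owner_worker_id: Optional[str]   # None when no HR owner could be mapped
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    account: Account
    reason: str


def find_orphaned_accounts(workers: List[Worker], accounts: List[Account],
                           as_of: date, grace_days: int = 0) -> List[Finding]:
    """Return enabled accounts that should not be enabled as of `as_of`.

    An account is flagged when its owner is terminated and the deprovisioning
    grace period has elapsed, or when it has no owner in the HR feed at all.
    A login after the termination date is called out as a stronger signal,
    because it means the leftover access was actually used.
    """
    by_id = {w.worker_id: w for w in workers}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deprovisioned; nothing to certify here
        owner = by_id.get(acct.owner_worker_id) if acct.owner_worker_id else None
        if owner is None:
            findings.append(Finding(acct, "no HR owner in feed"))
            continue
        if owner.status != "terminated" or owner.termination_date is None:
            continue  # active employee; left for the normal access review
        deadline = owner.termination_date + timedelta(days=grace_days)
        if as_of <= deadline:
            continue  # leaver is still inside the deprovisioning window
        reason = "owner terminated"
        if acct.last_login is not None and acct.last_login > owner.termination_date:
            reason += ", used after termination"
        findings.append(Finding(acct, reason))
    return findings


# Constructed sample data for the example (not real records).
SAMPLE_WORKERS = [
    Worker("W001", "active", None),
    Worker("W002", "terminated", date(2024, 3, 15)),
    Worker("W003", "terminated", date(2024, 4, 28)),
]

SAMPLE_ACCOUNTS = [
    Account("AD", "jdoe", "W001", True, date(2024, 4, 29)),       # active owner
    Account("AD", "asmith", "W002", True, date(2024, 3, 20)),     # leaver, still enabled and used
    Account("ERP", "asmith", "W002", False, None),                # leaver, correctly disabled
    Account("AD", "svc-backup", None, True, date(2024, 4, 30)),   # no HR owner mapped
    Account("ERP", "bchen", "W003", True, date(2024, 4, 27)),     # leaver inside grace period
]


def main() -> None:
    as_of = date(2024, 4, 30)
    for f in find_orphaned_accounts(SAMPLE_WORKERS, SAMPLE_ACCOUNTS, as_of, grace_days=3):
        print(f"{f.account.system}/{f.account.account_id}: {f.reason}")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the script reports the leaver's still-enabled AD account (with a login after the termination date) and the unowned service account, while ignoring the disabled account and the leaver still inside the three-day grace window. In a real campaign the same reconciliation would be run per system with the actual HR and directory exports, and each finding handed to the owning manager as a certification item.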
Regulations such as HIPAA and SOX require that these access reviews be performed regularly. Alongside the requirement to conduct the reviews, an organization must report any findings of non-compliance. Failing to meet these requirements can damage an organization's reputation and result in hefty fines from regulators.
The evolution of the Identity Governance space is fascinating. Initially, organizations were not required to perform their own access certifications; the requirements were much simpler, and they only needed to ensure that individuals had access to what they needed to do their jobs. PCI requires that only people who need access to cardholder information can reach it, HIPAA requires the same for healthcare data and SOX for financial data. External auditors verify compliance by taking samples. The leaver case was an easy way to check that deprovisioning processes were being followed, so auditors would sample terminated employees to confirm their access had been removed. They sampled other business processes as well, but leavers, in my experience, were the most common source of findings.