Friday 23 October 2020

Getting the Most out of Compliance From Cloud Platforms

In my last post, I talked about a number of the challenges that organizations face as they attempt to improve their IAM, IGA, and GRC strategies. All too often, organizations find that one challenge leads to another, and governance becomes a frustrating chore instead of a strategic imperative or differentiator. 

A lot of this frustration stems from a lack of visibility into business processes. Over time, organizations have implemented a wide range of enterprise systems to meet ever-changing business needs, with little thought about how those apps can – and should – work together. In the interest of convenience and efficiency, IT teams focus on using one-off integrations and workarounds. The need to accommodate remote workers, and external access points with varying degrees of security, has only compounded the problem.

While this is emblematic of larger system management issues, it also has clear implications for governance and compliance efforts. It’s nearly impossible to see at a glance who has access to what, whether those privileges should be revoked, and the extent to which that access poses risks both to individual users and to the organization as a whole. Compliance becomes a reactive process of incident response, not a proactive process of strategy development.

Remembering my past life architecting and deploying solutions based on Waveset Lighthouse and later Sun Identity Manager, a requirement I often stumbled upon was integration with IT service management (ITSM) systems such as BMC Remedy and the like, to capture, send and react upon service tickets. That integration always proved challenging in both technical and process-oriented ways, often because the view of the processes was layered with obscurity.

Recently, though, the emergence of cloud-based platforms for ITSM, configuration management, and operations management has opened the door to improved business process visibility. Combine this with business process automation (also a standard offering on these platforms) and the ease of technical integration through REST-based APIs, and suddenly it’s possible to take a more holistic approach to governance and compliance.

Here are a few key benefits to bringing compliance and governance on top of a cloud-based ITSM platform.

Seamless application integration. Information is most valuable to enterprise stakeholders when it’s able to flow across applications and roles. This is especially true when platforms are able to integrate legacy ERP or RCM systems in addition to native apps. Business leaders benefit from a single version of the truth that enables data-driven decision-making. Compliance leaders will spend less time gathering data to prepare audits or run incident reports, saving time and reducing complexity.  

Scalability and consistency. Cloud platforms aren’t tied to local, on-premises resources and can be scaled across multiple networks. This allows organizations to overcome one of the biggest obstacles to better GRC: Siloed governance solutions for single sites, or even single servers or applications. Adding a single governance solution across all applications hosted on the same platform creates a consistent experience for end users and can provide the cornerstone for a single governance strategy that applies to HR, finance, operations, security, and service management business lines.

Automation. Built-in notifications, workflows, and approvals bring clear efficiency benefits to the ITSM process. Automation helps compliance efforts as well. Setting clear and repeatable workflows for tasks such as onboarding, deprovisioning, and password management – whether it’s for all employees or on a role-based basis – ensures that these processes meet an organization’s governance and compliance needs every time. Automated incident response also helps organizations stay a step ahead of common threats and enables security teams to devote their valuable time to assessing higher-level risks.

Adaptability. Cloud-based platforms make it easy to plug in those new applications that meet specific business needs. Instead of writing custom integrations, developers can drag and drop the functionality they want. In a traditional environment, this would be a governance nightmare, much like the early days of BYOD and shadow IT. But when IGA and GRC solutions are native to the ITSM platform, the processes in place for current systems will apply to the new applications, allowing an organization’s governance strategy to evolve as new apps come online.

Efficiency and productivity. In traditional environments, GRC is often linked to reduced efficiency, whether it’s auditors poring over spreadsheets of redundant data or end users waiting for a response to a service request. When GRC and ITSM are closely linked, governance can happen behind the scenes, both through process automation and the deployment of repeatable rules and policies. This ensures that governance is far less likely to interfere with day-to-day activities across the organization.

The elevation of governance. For many enterprises, compliance is a core discipline on the same level as security, ERP, HR, finance, operations, and so on. On the other hand, governance is often a subset of another discipline such as compliance or security, making it even harder for governance initiatives to receive the attention they deserve. When governance is native to ITSM, and governance strategy is broadly applied across the enterprise, then the importance of governance as a discipline is magnified to end users and executive leaders alike.

Not every organization is ready for IGA or GRC on a cloud-based platform. Moving traditional and legacy setups to the cloud can be disruptive, especially for organizations that can’t afford downtime or that have higher IT, security, or safety priorities in the wake of the various COVID-19 challenges. In these cases, more traditional governance solutions will have to do, and there is an abundance of this type of solution.

For those who have already made an investment in a more modern ITSM solution, though, it only makes sense to get as much value from the platform as possible. Embedding governance into ITSM provides an opportunity to gain visibility into governance challenges, automate key governance processes, and demonstrate to the entire enterprise that governance is a high priority.

In my third post in this series, I’ll dive into more details about how to make the marriage between IGA and ITSM a happy and healthy one.


Thursday 15 October 2020

Why So Many Organizations Struggle With Governance

Since I started my career within Digital Identity over 20 years ago, the fields of identity and access management (IAM), identity governance and administration (IGA), and governance, risk, and compliance (GRC) have evolved substantially. Having worked for several vendors within the space (Sun Microsystems, Oracle, ForgeRock), and now heading up the Cyber Security practice for the Nordics at Capgemini, I have seen first-hand how many governance solutions and strategies haven’t been able to keep pace with rapid advances in cloud-based business applications that grant employees access from mobile devices and/or remote locations. This has left governance and compliance teams struggling to catch up, and when they’re armed with inadequate tools it will always be an uphill battle.

I’ve seen organizations face a number of challenges as they have tried to implement or improve IAM, IGA, and GRC. In a lot of cases, there’s a snowball effect. One challenge leads to another, which creates an environment where governance is a nuisance and not a best practice, corners are cut at every turn, and trust is in short supply.

Weak authentication

Passwords and authentication will always rank among the top identity management problems for organizations of all shapes and sizes. What many business leaders don’t realize is that this is also a governance problem.

We all know that end users repeat simple passwords to save time, and frankly - who is not guilty of doing that? Part of this is convenience (or laziness), but it also comes down to having to sign into dozens of applications that aren’t integrated and therefore each need a separate log-in. 

As siloed applications proliferate, governance and security teams struggle to keep up with identity management needs across the enterprise.  Not all assets require the same level of security, and certain end users will require escalated responses. Managing these details in a typical Help Desk environment is nearly impossible when business solutions are disconnected.

Provisioning and de-provisioning

Automation has made the process of provisioning accounts easier over time, but that doesn’t necessarily make it better. The old saying “garbage in, garbage out” applies here. If existing users have too many privileges (which is typically the case, as we’ll discuss later), and if access for new users is based on the access that existing users have, then new users will also have too many privileges. This problem is something that I have witnessed at virtually every single client I have ever been at.

De-provisioning presents its own set of challenges. Without up-to-date details about an individual account, and amid the possible headache of creating a service incident, it’s easier for administrators to leave accounts active even if an employee has left or a contract with an external consultant has ended. Not only does this make Active Directory a mess, with more accounts inactive than active and with groups filled with inactive accounts, it also opens the door to fraudulent use of existing accounts that carry excess privilege.
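One concrete way to get the visibility this paragraph is asking for is to reconcile the directory export against the HR and contract feed: flag enabled accounts whose owner has already left, accounts with no owner at all, and accounts nobody has logged into, then measure how many of each group's members fall into those buckets. The Python below is an added example written for this post, not tooling from the author or from any vendor named here; the HR records, the accounts, the fixed reference date and the 90-day staleness threshold are all constructed assumptions.

```python
"""Reconcile a directory export against an HR/contract feed to find accounts that
should have been de-provisioned.  Added example; all records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Person:
    person_id: str
    kind: str                    # "employee" or "contractor"
    end_date: Optional[date]     # termination or contract end; None = still active


@dataclass
class Account:
    sam: str                     # directory logon name
    owner_id: Optional[str]      # HR person id; None = nobody claims this account
    enabled: bool
    last_logon: Optional[date]   # None = never logged on
    groups: Tuple[str, ...]


TODAY = date(2020, 10, 15)        # fixed reference date (assumption) so results are reproducible
STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold

# Constructed HR/contract feed.
PEOPLE: Dict[str, Person] = {p.person_id: p for p in [
    Person("E100", "employee", None),
    Person("E101", "employee", date(2020, 6, 30)),      # left in June
    Person("C200", "contractor", date(2020, 9, 1)),     # contract ended
    Person("C201", "contractor", date(2021, 3, 31)),    # still engaged
]}

# Constructed directory export.
ACCOUNTS: List[Account] = [
    Account("alice", "E100", True, date(2020, 10, 14), ("Finance-Users",)),
    Account("bob", "E101", True, date(2020, 7, 2), ("Finance-Users", "AP-Approvers")),
    Account("carol", "C200", True, date(2020, 8, 30), ("Contractors", "VPN-Users")),
    Account("dave", "C201", True, date(2020, 10, 1), ("Contractors", "VPN-Users")),
    Account("svc-backup", None, True, None, ("Domain Admins",)),
    Account("erin", "E100", False, date(2019, 1, 1), ("Finance-Users",)),
]


def review_account(acct: Account, people: Dict[str, Person], today: date = TODAY) -> List[str]:
    """Return the reasons an enabled account should be reviewed (empty list = fine)."""
    reasons: List[str] = []
    if not acct.enabled:
        return reasons                     # already disabled: out of scope here
    owner = people.get(acct.owner_id) if acct.owner_id else None
    if owner is None:
        reasons.append("no HR owner on record (orphaned account)")
    elif owner.end_date is not None and owner.end_date < today:
        reasons.append(f"{owner.kind} ended {owner.end_date.isoformat()} but account is still enabled")
    if acct.last_logon is None:
        reasons.append("never logged on")
    elif today - acct.last_logon > STALE_AFTER:
        reasons.append(f"no logon for {(today - acct.last_logon).days} days")
    return reasons


def deprovisioning_report(accounts, people, today=TODAY) -> Dict[str, List[str]]:
    """Map each account that needs attention to its reasons."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = review_account(acct, people, today)
        if reasons:
            report[acct.sam] = reasons
    return report


def group_hygiene(accounts, people, today=TODAY) -> Dict[str, Tuple[int, int]]:
    """Per group: (member count, members that are disabled or flagged above).
    A high second number is the 'groups filled with inactive accounts' symptom."""
    flagged = deprovisioning_report(accounts, people, today)
    stats: Dict[str, Tuple[int, int]] = {}
    for acct in accounts:
        dead = (not acct.enabled) or (acct.sam in flagged)
        for group in acct.groups:
            members, inactive = stats.get(group, (0, 0))
            stats[group] = (members + 1, inactive + (1 if dead else 0))
    return stats


if __name__ == "__main__":
    for sam, reasons in deprovisioning_report(ACCOUNTS, PEOPLE).items():
        print(f"{sam}: " + "; ".join(reasons))
    for group, (members, inactive) in group_hygiene(ACCOUNTS, PEOPLE).items():
        print(f"{group}: {inactive}/{members} members inactive or flagged")
```

On the constructed data, bob (left in June, no logon for 105 days) and carol (contract ended) are still enabled, svc-backup has no owner and has never logged on, and Finance-Users turns out to have two of three members inactive or flagged. The orphaned-account case matters most in practice: a service account nobody owns can't be de-provisioned through a leaver process at all, so it has to be caught by reconciliation like this.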

The existence of silos

Silos make IGA and GRC increasingly difficult in two key ways. The first is the traditional on-premises solution for IGA, which like so many other enterprise systems sits in a silo that isn’t integrated with other business processes. Without access to identity and access data across the organization as a whole, especially as workforces are increasingly remote, which has obviously been the case during the COVID-19 pandemic, siloed IGA products don’t provide the level of real-time insight that governance teams need to effectively manage identity, certification, and privilege.

The second issue is the siloed nature of the organizations themselves. It’s not uncommon to see localized control requirements and multiple access request tools across business systems from different vendors that have not yet been integrated. Each system often requires its own user administration team, which leads to a duplicative and inefficient provisioning process.

On top of the technical challenges, different departments or locations within the organization may have varying acceptance levels for risk. This can lead to cumbersome approval processes that add little value but delay work requests – or, on the other hand, approvals that don’t receive the necessary scrutiny.

Too many manual processes

As business systems continue to evolve in both sophistication and specialization, they generate increasingly valuable sets of data that can help make intelligent business decisions or meet compliance reporting mandates. But because systems are rarely integrated, structures aren’t in place for retrieving data and using it effectively.  

This has numerous downstream effects. Many data pulls are done manually; as a result, documentation isn’t centralized, and analysis and reporting not only takes more time than necessary but is prone to human error. In addition, auditing becomes difficult, accountability suffers, and leadership has little insight into who’s managing the governance process. 

Inability to segregate duties

Organizations obviously don’t want the authority to approve invoices and release payment on invoices to rest with the same person. But this can easily happen if organizations lack visibility into how applications are used across business functions.

This problem commonly arises when reviews are done in an ad hoc fashion. It’s a manual process, but the fact that it’s a manual process is the least of the concerns. After many manual data pulls and many reviews, managers simply approve all access rather than submit tickets to remove access, leaving the average user with much more access than they need. This also lends itself to a process where employees continually seek out a “friendly” approver for access requests, rather than going through the proper channels where a request is evaluated based on business needs or security requirements. 

On top of that, as we discussed above, the over-privileged access profiles for existing users are simply mirrored for new users in an effort to make things “easier.” But this has the opposite effect, as it opens more unnecessary security holes.
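A segregation-of-duties check only works if it sees a user's effective access across applications, including what roles grant indirectly, which is exactly the visibility the passage above says is missing. The Python below evaluates toxic-combination rules over a constructed multi-application access snapshot, records where each offending entitlement came from (a role or a direct grant) so the reviewer knows what to fix, and separately flags roles whose own design violates a rule, which is where the "mirrored profile" problem usually starts. It is an added example written for this post, not the author's or any vendor's code; the role catalogue, rule ids, entitlement names and users are all constructed.

```python
"""Segregation-of-duties (SoD) evaluation over a cross-application access snapshot.
Added example; roles, rules and users below are constructed, not real data."""
from typing import Dict, List, Set, Tuple

# Constructed role catalogue: role -> entitlements written as "app:action".
ROLES: Dict[str, Set[str]] = {
    "AP-Clerk": {"erp:invoice.create", "erp:invoice.approve"},
    "AP-Payments": {"bank:payment.release"},
    "HR-Admin": {"hr:employee.create", "hr:salary.edit"},
    "Finance-RO": {"erp:invoice.read"},
}

# Constructed toxic combinations: holding every entitlement in the set is a violation.
SOD_RULES: Dict[str, Set[str]] = {
    "SOD-01": {"erp:invoice.approve", "bank:payment.release"},  # approve an invoice and release its payment
    "SOD-02": {"erp:invoice.create", "erp:invoice.approve"},    # create an invoice and approve it
    "SOD-03": {"hr:employee.create", "hr:salary.edit"},         # create an employee and set their pay
}

# Constructed access snapshot: role memberships plus direct (out-of-role) grants.
USERS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"roles": {"AP-Clerk"}, "direct": set()},
    "bob": {"roles": {"AP-Clerk", "AP-Payments"}, "direct": set()},
    "carol": {"roles": {"Finance-RO"}, "direct": {"bank:payment.release", "erp:invoice.approve"}},
    "dave": {"roles": {"HR-Admin"}, "direct": set()},
    "erin": {"roles": {"Finance-RO"}, "direct": set()},
}


def effective_entitlements(user: str, users=USERS, roles=ROLES) -> Dict[str, Set[str]]:
    """Expand roles into entitlements and map each entitlement to its sources,
    so a reviewer knows whether to fix a role or revoke a direct grant."""
    sources: Dict[str, Set[str]] = {}
    for role in sorted(users[user]["roles"]):
        for ent in roles.get(role, set()):
            sources.setdefault(ent, set()).add(f"role:{role}")
    for ent in users[user]["direct"]:
        sources.setdefault(ent, set()).add("direct")
    return sources


def sod_violations(user: str, users=USERS, roles=ROLES,
                   rules=SOD_RULES) -> List[Tuple[str, Dict[str, Set[str]]]]:
    """Rules the user's effective access violates, with the offending entitlements and sources."""
    held = effective_entitlements(user, users, roles)
    hits: List[Tuple[str, Dict[str, Set[str]]]] = []
    for rule_id, toxic in rules.items():
        if toxic <= set(held):                   # every entitlement of the toxic set is held
            hits.append((rule_id, {ent: held[ent] for ent in sorted(toxic)}))
    return hits


def sod_report(users=USERS, roles=ROLES, rules=SOD_RULES) -> Dict[str, List[str]]:
    """User -> violated rule ids, for users with at least one violation."""
    report: Dict[str, List[str]] = {}
    for user in users:
        ids = [rule_id for rule_id, _ in sod_violations(user, users, roles, rules)]
        if ids:
            report[user] = ids
    return report


def role_conflicts(roles=ROLES, rules=SOD_RULES) -> Dict[str, List[str]]:
    """Roles that by themselves grant a toxic combination.  Every member violates SoD,
    and cloning such a role onto new users mirrors the violation: fix the role, not the user."""
    conflicts: Dict[str, List[str]] = {}
    for role, ents in roles.items():
        ids = [rule_id for rule_id, toxic in rules.items() if toxic <= ents]
        if ids:
            conflicts[role] = ids
    return conflicts


if __name__ == "__main__":
    for user, ids in sod_report().items():
        print(f"{user}: {', '.join(ids)}")
    for role, ids in role_conflicts().items():
        print(f"role {role} is itself toxic: {', '.join(ids)}")
```

On the constructed data the access review flags four of five users, but two of those hits (alice and dave) come entirely from the AP-Clerk and HR-Admin role definitions, so removing access user by user would only recreate the finding at the next review; carol's SOD-01 hit comes from two direct grants outside any role, which is the "friendly approver" pattern the passage describes and is fixed by revocation.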

No culture of compliance

All of these challenges taken together mean that governance and compliance are afterthoughts for far too many organizations. They really need to be embedded into everyday best practices and overall culture, with endorsements from executive leadership down to management and rank-and-file end users. When one department fails to comply, the entire organization suffers. There is no excuse for employees not being up to date on the requirements that impact their work, even as regulations change on a seemingly daily basis. 

A big reason for this disconnect is that organizations treat governance as an IT issue and not as a program that applies to everyone. If governance is viewed as a siloed IT solution, then organizations will struggle to measure ROI, as implementing access measures and managing identities brings limited value compared to other IT and business initiatives. This only pushes governance further down the priority list and makes risk mitigation even harder.

As you can see, governance presents today’s organizations with numerous challenges that can easily build on top of each other if they aren’t properly addressed. Fortunately, taking the right steps and implementing the right solutions can help set organizations on the right track. 

In my next post, I’ll talk about the actions that organizations can take.



The Whats, Whys, and Hows of XDR

Preventing security incidents is one of the primary goals of any security program. This should come as no surprise, and with today's eve...