Thursday 15 October 2020

Why So Many Organizations Struggle With Governance

I started my career in Digital Identity over 20 years ago, and the fields of identity and access management (IAM), identity governance and administration (IGA), and governance, risk, and compliance (GRC) have evolved substantially since then. Having worked for several vendors in the space (Sun Microsystems, Oracle, ForgeRock), and now heading up the Cyber Security practice for the Nordics at Capgemini, I have seen first-hand how many governance solutions and strategies have failed to keep pace with the rapid adoption of cloud-based business applications that grant employees access from mobile devices and remote locations. This has left governance and compliance teams struggling to catch up, and when they are armed with inadequate tools it will always be an uphill battle.

I’ve seen organizations face a number of challenges as they have tried to implement or improve IAM, IGA, and GRC. In a lot of cases, there’s a snowball effect. One challenge leads to another, which creates an environment where governance is a nuisance and not a best practice, corners are cut at every turn, and trust is in short supply.

Weak authentication

Passwords and authentication will always rank among the top identity management problems for organizations of all shapes and sizes. What many business leaders don’t realize is that this is also a governance problem.

We all know that end users reuse simple passwords to save time, and frankly, who is not guilty of doing that? Part of this is convenience (or laziness), but it also comes down to having to sign into dozens of applications that aren’t integrated and therefore each need a separate log-in.

As siloed applications proliferate, governance and security teams struggle to keep up with identity management needs across the enterprise. Not all assets require the same level of security, and certain end users will require escalated responses. Managing these details in a typical Help Desk environment is nearly impossible when business solutions are disconnected.

Provisioning and de-provisioning

Automation has made the process of provisioning accounts easier over time, but that doesn’t necessarily make it better. The old saying “garbage in, garbage out” applies here. If existing users have too many privileges (which is typically the case, as we’ll discuss later), and if access for new users is based on the access that existing users have, then new users will also have too many privileges. I have witnessed this problem at virtually every single client I have ever worked with.

De-provisioning presents its own set of challenges. Without up-to-date details about an individual account, and with the possible headache of creating a service incident, it’s easier for administrators to leave accounts active even after an employee has left or a contract with an external consultant has ended. Not only does this make Active Directory a mess, with more accounts inactive than active and with groups filled with inactive accounts, it also opens the door to fraudulent use of existing accounts with excess privilege.

The existence of silos

Silos make IGA and GRC increasingly difficult in two key ways. The first is the traditional on-premises IGA solution, which, like so many other enterprise systems, sits in a silo that isn’t integrated with other business processes. Without access to identity and access data across the organization as a whole, especially as workforces become increasingly remote, as has obviously been the case during the COVID-19 pandemic, siloed IGA products don’t provide the level of real-time insight that governance teams need to effectively manage identity, certification, and privilege.

The second issue is the siloed nature of the organizations themselves. It’s not uncommon to see localized control requirements and multiple access request tools across business systems from different vendors that have not yet been integrated. Each system often requires its own user administration team, which leads to a duplicative and inefficient provisioning process.

On top of the technical challenges, different departments or locations within the organization may have varying acceptance levels for risk. This can lead to cumbersome approval processes that add little value but delay work requests – or, on the other hand, approvals that don’t receive the necessary scrutiny.

Too many manual processes

As business systems continue to evolve in both sophistication and specialization, they generate increasingly valuable sets of data that can help make intelligent business decisions or meet compliance reporting mandates. But because systems are rarely integrated, structures aren’t in place for retrieving that data and using it effectively.

This has numerous downstream effects. Many data pulls are done manually; as a result, documentation isn’t centralized, and analysis and reporting not only take more time than necessary but are prone to human error. In addition, auditing becomes difficult, accountability suffers, and leadership has little insight into who is managing the governance process.

Inability to segregate duties

Organizations obviously don’t want the authority to approve invoices and release payment on invoices to rest with the same person. But this can easily happen if organizations lack visibility into how applications are used across business functions.

This problem commonly arises when reviews are done in an ad hoc fashion. It’s a manual process, but the fact that it’s manual is the least of the concerns. After many manual data pulls and many reviews, managers simply approve all access rather than submit tickets to remove access, leaving the average user with much more access than they need. This also lends itself to a process where employees continually seek out a “friendly” approver for access requests, rather than going through the proper channels where a request is evaluated against business needs or security requirements.

On top of that, as we discussed above, the over-privileged access profiles for existing users are simply mirrored for new users in an effort to make things “easier.” But this has the opposite effect, as it opens more unnecessary security holes.
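To make the three failure modes above concrete, here is a small entitlement review written as an added example for this post (not code from the original, and not any vendor's product). It runs over constructed sample accounts and a hypothetical segregation-of-duties rule, and flags active accounts whose owner has left, users holding both sides of the invoice rule, and new accounts that inherited that conflict by being cloned from a template user.

```python
# Added example, not from the original post: a minimal access review over
# constructed data that surfaces three governance gaps described above:
#   1. accounts left active after the person has left (missed de-provisioning)
#   2. segregation-of-duties (SoD) conflicts within a single account
#   3. new accounts that copied a conflict from the user they were cloned from
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical SoD rule: nobody may both approve an invoice and release payment.
SOD_RULES = [("approve_invoice", "release_payment")]


@dataclass
class Account:
    user: str
    active: bool
    employed: bool                      # still employed or contract still running
    entitlements: set = field(default_factory=set)
    cloned_from: Optional[str] = None   # "mirror an existing user" provisioning


# Constructed sample accounts; none of these are real users.
ACCOUNTS = [
    Account("alice", True, True, {"approve_invoice", "release_payment", "ad_admin"}),
    Account("bob", True, False, {"approve_invoice"}),                   # contract ended, still active
    Account("carol", True, True, {"approve_invoice", "release_payment", "ad_admin"},
            cloned_from="alice"),                                       # new hire cloned from alice
    Account("dave", False, False, {"release_payment"}),                 # correctly disabled
]


def stale_accounts(accounts):
    """Active accounts whose owner has left: de-provisioning was skipped."""
    return sorted(a.user for a in accounts if a.active and not a.employed)


def sod_conflicts(accounts, rules=SOD_RULES):
    """(user, rule) pairs where one active account holds both sides of a rule."""
    return sorted((a.user, r) for a in accounts if a.active
                  for r in rules if set(r) <= a.entitlements)


def inherited_excess(accounts, rules=SOD_RULES):
    """Cloned accounts that carry an SoD conflict copied from their template user."""
    conflicted = {user for user, _ in sod_conflicts(accounts, rules)}
    return sorted(a.user for a in accounts
                  if a.cloned_from in conflicted and a.user in conflicted)
```

Each function returns the list a review ticket would be raised for; in the constructed data bob is stale, alice and carol hold the conflicting pair, and carol got hers by inheritance.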

No culture of compliance

All of these challenges taken together mean that governance and compliance are afterthoughts for far too many organizations. They really need to be embedded into everyday best practices and overall culture, with endorsements from executive leadership down to management and rank-and-file end users. When one department fails to comply, the entire organization suffers. There is no excuse for employees not being up to date on the requirements that impact their work, even as regulations change on a seemingly daily basis. 

A big reason for this disconnect is that organizations treat governance as an IT issue rather than a program that applies to everyone. If governance is viewed as a siloed IT solution, organizations will struggle to measure ROI, as implementing access measures and managing identities brings limited value compared to other IT and business initiatives. This only pushes governance further down the priority list and makes risk mitigation even harder.

As you can see, governance presents today’s organizations with numerous challenges that can easily build on top of each other if they aren’t properly addressed. Fortunately, taking the right steps and implementing the right solutions can help set organizations on the right track. 

In my next post, I’ll talk about the actions that organizations can take.


