Why identity security is a government must-have

Employee onboarding and access to organisation apps and work areas are vital to any job and crucial to productivity. The importance of onboarding and access rights became evident when I worked for a government outsourcer. The onboarding process for new employees at the organisation could take up to six weeks; until then, access to services was limited. During the long onboarding process, costs racked up and were covered by both the outsourcer and central government. Notably, the employee was frustrated by the lack of access to important work areas. This lack of access led to de-motivation, driven by an inability to deliver productivity and value at a crucial time in an employee’s work history. Added to this were potential security gaps opened by a lack of visibility and access governance during this period.

Both central and local governments must optimise their onboarding and access rights to ensure employees have appropriate rights to do their jobs while maintaining robust identity security. 

How big is the access control problem?

According to December 2022 figures from the Institute for Government, there are 483,450 civil servants employed by the government in the UK. These figures show an increase of 1.8 percent from the previous year. However, this doesn’t include the thousands of external consultants, which according to analysts Tussell Ltd,[SP1]  were awarded over £2.8 billion in consulting contracts in 2022.

The Verizon Data Breach Investigations Report for 2022 found that a human element was involved in 82 percent of data breaches. These half a million people working in government are at the forefront of potential data breaches, from unauthorised access, accidental exposure, social engineering, etc.

Mix these threats with employee frustration and the negative productivity impacts of slow identity onboarding, and you have an access control storm.

Why government must prioritise identity security

Local and central government departments are the custodians of citizen data. As the protector of sensitive information, government employees must maintain high data security access and control levels. Mechanisms that enforce data security are essential in systems that run on data. Without adequate security policy enforcement, government employees become a sitting ducks.

Results from the Office for National Statistics (ONS) Data Security Incident Trends recorded 4,572 cyber and non-cybersecurity incidents in local and central government sectors during Q4 2022 alone.

Interestingly, while this data shows that cyber incidents are generally decreasing in local and central government, access control and unauthorised access incidents are increasing over the same period.

General decrease in all types of security incidents for central and local government.

General increase in unauthorised access for central and local government.

This is evidence that proper access control for government employees is desperately needed. These results point to a lack of controlled identity provisioning, which can result in , error and an expanded attack surface. Manual provisioning can result in costly productivity delays and generates security risks and overwhelmed IT teams resort to over-provisioning or rubber-stamping access. .

Identity Security helps mind the “access control security gap” 

Manual monitoring and managing of hundreds of applications to many thousands of employees that require access can lead to security gaps. Unattended security gaps, where identities are not deprovisioned, and off-boarding is not performed promptly, result in uncontrolled access rights; these gaps leave open doors for cybercriminals to enter. AI automation drives identity security; this process replaces cumbersome manual mechanisms to assign access rights that reflect policies and regulations automatically. 

Circling back to my experience dealing with complex access control situations and employees. Back then, if the management of Identities was handled with AI-driven automation, switching the correct access restrictions on and off would have been a quick, painless, and secure mechanism. This would have freed up valuable time to direct towards driving value for government employers and their customers (citizens).

The granularity of access across sensitive areas, such as benefit systems, is an example of the complex nature of access; lost control leads to security gaps and productivity issues. In a complex access control web, automation is an essential factor in applying the right level of control to the right individual at the right time.

How identity security provides robust controls for government

Identity security ensures that user access for every worker is performed optimally and with the precise rights needed to do their job: no more, no less. 

Once in place, SailPoint identity security solutions enable departments to provide automated provisioning that closes open doors. The benefits of identity security include the following: 

• Faster on-boarding: onboard efficiently and accurately, ensuring users get fast access to the systems and data they need to perform their jobs and nothing more. 

• Dynamic least privilege: least privilege is an essential aspect of effective identity security. To protect data and applications, access is only granted per user for the minimum time required and enforced on a per-resource basis, as necessary to perform the task.

• Efficiency, productivity, and security: ensuring the right users get the right access to applications, systems, and data at the right time is key to balancing efficiency and security.

• Robust data security: robust enforcement of data access control ensures users are whom they say they are and have the right to access the data. Problem areas, including accidental data exposure and unauthorised access, are mitigated. 

• Regulatory compliance: having robust access control to data ensures that a government entity adheres to data protection regulations such as UK GDPR and the upcoming NIS2 directive.

Mitigating security incidents in government using identity security

Access and security are a delicate balancing act, but one that SailPoint has mastered using a combination of the following technologies:

• Data intelligence provides AI-enabled data insights for decisioning and policy insights.
• Automation facilitates the customisation of workflows and access processes, improving the accuracy and speed of provisioning and enforcing least privilege controls.
• Integration across the entire ecosystem ensures all employees, all apps and all data are controlled by Identity Security.

This triad facilitates the approach needed to secure government data effectively; employees are swiftly onboarded, unauthorised access is prevented, and the right to access privileges is enforced. 

If you’d like to see how SailPoint’s solutions can create secure government, contact Matthew Cooper, UK Government Lead for SailPoint.

Think Digital Partners were pleased to work with SailPoint on this sponsored content.