Securing digital identities is a hot topic across UK government. Departments tend to think of this from the perspective of citizen access to services, but it’s just as important to approach the topic from an internal perspective too, according to identity security company SailPoint.

“If you look at central government, there’s over 450,000 civil servants as employees, and then thousands of contractors and service providers all working and providing critical services, and the biggest threat comes from within typically. This is because a lack of security, people having access to applications where [it’s not] appropriate for them to do so,” explained Matthew Cooper, client director – central government at SailPoint.
Speaking at the recent Think Digital Identity for Government event in London, Cooper (pictured with fellow panellists) said the management of employee and non-employee digital identities has become a must-have for UK government departments.
“Managing identities helps to drive security efficiency and service improvement, because there’s a lot of efficiencies to be gained through managing identities effectively on an internal basis,” he said.
Bank of England’s approach to identity management
Danny King, manager, solution engineering (UK&I) at SailPoint, acknowledged much of government’s focus has been on securing citizen-facing services to date, especially with the public spending more time online. However, internal identity is starting to receive more of that focus, “from a risk reduction perspective, but also with the need to make processes more streamlined, scalable, and cost effective.”
Indeed, in her role as cybersecurity governance and assurance manager at the Bank of England, Karen Thorogood said her focus is on managing human identity all the way through the lifecycle.
“In the Bank of England, we have really strict oversight; access management is a real hot topic. We do have a bunch of security controls around access management, and they must always remain within risk tolerance. And as you’d expect, bank has a very low risk appetite.”
Her advice hinges on a multi-step process. She explained: “Automate, automate, automate in the identity lifecycle. Management process is really key. Have governance on top of this. And then also challenge and investigate wherever there is human intervention, just to make sure that you’ve got assurance on top of your identity management.”
Demonstrating value
Mike Nelsey, director, risk consulting at KPMG, weighed in on the need to demonstrate the value of adopting an internal identity management strategy.
“The [ROI] comes in security, which is sometimes measurable, [and] it comes in efficiency, because we forget that a lot of what we do is really inefficient, because we’ve put layer upon layer of process to make sure that what we’re doing is safe. And actually, by doing that, we make it less safe.”
To that point, King laid out a number of key action points for adopting an internal identity programme.
Partnerships: “Selecting an optimal platform and then having the ability to expertly deploy into the estate of the department or the organization, along with use of innovative technology to accelerate those results.”
Planning and prioritisation: “Defining those key deliverables and milestones will focus on securing the key applications first, and then using that as a blueprint for repeated success, as opposed to a big bang approach where you’re trying to get everything done at once, and realistically achieving very little.”
Defining executive sponsorship, and then stakeholder management: “A crucial point is agreeing executive sponsorship from the outset that’s going to assist with championing the project internally.”