I spend the majority of my time talking to customers and prospective customers within the UK government about their approach to Identity Security, also known as identity governance or identity management. Most of the time I get a response along the lines of “we have addressed that” or “we have done RBAC”, but when I probe deeper it normally transpires that the approach has been a ‘one and done’ exercise in each of these areas, on a tactical or project basis. Why is this the wrong approach?
This approach is a good one if the objective is a one-off ‘clean up’ of your Active Directory or permissions, or to define a small number of base roles that will then be built upon manually. However, the outputs of such an exercise only hold for a brief period: the “cleaned up” estate soon becomes a tangled web of undefined permissions and access, and a multitude of ad hoc roles appears because the base roles are insufficient for the organisation.
Identity Security is an organisational (business) challenge and needs to be addressed as such. An integrated and comprehensive approach supported with appropriate levels of resources should be a fundamental foundation of your cyber strategy. A solution with data visibility and business insights can help you make better and faster access decisions, proactively spot risks, and maintain a strong identity security posture.
I have previously written about securing the perimeter of an organisation, as without it all other security measures are weakened. Identity security from the outside in (employees and non-employees, through to integrated and automated granting and removal of application access, and recertification of access permissions) is pivotal to preventing bad actors from penetrating your organisation.
Working in this part of the industry, I see how technology companies like to position their products, from tactical solutions to integrated platforms, but fundamentally this is an organisational structure and process challenge rather than solely a technology challenge.
According to Verizon’s Data Breach Investigations Report 2024, 68 percent of security breaches in 2023 had a human failure element to them.
So rather than evaluating the features of technology solutions, I recommend that organisations map out their internal processes, identifying all the potential journeys humans can make when accessing their systems. Are your Joiner, Mover, Leaver processes robust and timely? How do you manage contractor, non-employee and business partner access to key systems? What is your process for recertifying that humans continue to have the appropriate levels of access to the correct systems for their role?
This is not an exhaustive list, but once you have identified what really happens in your organisation you can decide how to apply technology to help solve the problems you find.
I am advocating a holistic approach to understanding your organisation, as without this, regardless of your approach to Identity Security, technology can only take you so far.
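As an added illustration, not code from the original post, the following Python models the drift those Joiner, Mover, Leaver and recertification questions are meant to catch: it takes constructed identity records (names, roles, entitlements and dates are all sample data) and flags what a one-off clean-up leaves behind, namely leavers who still hold access, movers who kept rights from a previous role, and access nobody has recertified within the review window.

```python
from datetime import date, timedelta

# Constructed sample data (not from the post): what each base role should grant.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "erp:post-journal"},
    "hr-advisor": {"hris:read", "hris:edit"},
    "contractor-dev": {"git:read"},
}

# Constructed identity records, as an identity governance tool might hold them after JML events.
IDENTITIES = [
    # Joiner in good standing: entitlements match the role, recently recertified.
    {"id": "u001", "status": "active", "role": "finance-analyst",
     "entitlements": {"erp:read", "erp:post-journal"}, "last_certified": date(2024, 5, 1)},
    # Mover: moved from finance to HR but kept the old ERP journal-posting right.
    {"id": "u002", "status": "active", "role": "hr-advisor",
     "entitlements": {"hris:read", "hris:edit", "erp:post-journal"}, "last_certified": date(2024, 5, 1)},
    # Leaver: HR marked them as left, but the account still holds access.
    {"id": "u003", "status": "left", "role": "finance-analyst",
     "entitlements": {"erp:read"}, "last_certified": date(2024, 1, 10)},
    # Contractor: in-role access, but never recertified since onboarding.
    {"id": "c100", "status": "active", "role": "contractor-dev",
     "entitlements": {"git:read"}, "last_certified": date(2023, 11, 1)},
]

def find_access_risks(identities, role_entitlements, today, recert_days=90):
    """Return (identity, finding, detail) tuples for access that a one-off
    clean-up misses: leaver residue, out-of-role rights and stale certifications."""
    findings = []
    cutoff = today - timedelta(days=recert_days)
    for ident in identities:
        held = ident["entitlements"]
        if ident["status"] == "left" and held:
            findings.append((ident["id"], "leaver-access", sorted(held)))
            continue  # leaver residue is the headline finding; skip finer checks
        extra = held - role_entitlements.get(ident["role"], set())
        if extra:
            findings.append((ident["id"], "out-of-role", sorted(extra)))
        if ident["last_certified"] < cutoff:
            findings.append((ident["id"], "recert-overdue", ident["last_certified"].isoformat()))
    return findings

def run_demo():
    """Run the checks over the constructed records as of a fixed review date."""
    return find_access_risks(IDENTITIES, ROLE_ENTITLEMENTS, date(2024, 6, 1))

if __name__ == "__main__":
    for item in run_demo():
        print(*item)
```

Run periodically rather than once, the same checks are what keep the "cleaned up" state from decaying.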