As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Theis Nilsson of Omada dissects the post-2020 world of identity governance, and says it’s time to evolve our thinking of IGA.
The SolarWinds hack in 2020 was one of the biggest cybersecurity incidents of the 21st century, with a massive ripple effect. Adversaries used access to a contractor to take advantage of poor identity management, compromise at least nine federal agencies, and gain access to dozens of other companies. More than two years later, many organizations are still trying to get their houses in order; in fact, at the federal level, the likes of NIST and CISA are still working on nailing down identity and access management guidance for government organizations. The incident showed that organizations can be put at risk even when their own systems were not the ones directly breached, and it showed the hazards that come with third-party access. All of this underscores the need for solid identity governance administration (IGA).
SolarWinds and Third-Party Access
In the case of SolarWinds, bad actors took advantage of weaknesses in the organization’s supply chain (a method known, appropriately, as a supply chain attack) and inserted malicious code into the SolarWinds Orion system. Instead of attempting to penetrate the target’s networks directly, a supply chain attack focuses on a third party that already has access to the organization’s systems.
Attackers were essentially able to create a backdoor through which they could access and impersonate users and accounts in the organizations of Orion’s customers. These types of attacks are becoming increasingly common. In fact, Gartner predicts that 45 percent of organizations around the world will have experienced attacks on their software supply chains by 2025.
What this incident revealed were issues with the underlying identity structure at many of these organizations. Identity management must be brought to the forefront when it comes to security.
Ongoing Challenges with Identity Management
While it’s unclear what each organization impacted by the SolarWinds incident had in terms of identity governance and management, what is clear is that many organizations are still struggling with identity management overall. Too often, they focus on availability to the exclusion of confidentiality and integrity; that is, IT and business teams concentrate on ensuring that employees and third parties (like contractors) can gain access to the tools, systems, and files they need, with security too often playing a backseat role. Many IT teams are acutely aware of this and can quickly grow frustrated. They’re still struggling with basic things like account orchestration.
At the organizational level, there’s a significant gap in understanding and buy-in between the IT department and company leadership. What’s causing this disconnect? If you’re in higher-level management, of course you’re focused on the day-to-day business, but you’re also looking at the strategic big picture. Within that big picture, you should be looking at how the assets of your company are being protected. IT has to get higher-level management to understand the importance of identity governance and security and connect it to accountability.
Toward Stronger IGA
To begin building a strong identity governance structure, you need assurance that your data is isolated and protected, especially as the supply chain becomes increasingly complex. You need to ask yourself what is worth protecting, and thus what needs to be protected, within your organization.
You have to think about what is important to your business: what has business value based on your risk assessment and business impact report. What too often happens is that people do a business impact report, then file it in a drawer and don’t act on it. You need to scrutinize the business value of your data and systems and consider your own accountability. Recognize that this isn’t just the CISO’s job. Awareness of the factors that make identity governance so necessary must be part of everyone’s job.
And everyone’s job is easier with IGA. Modern IGA offers automated security and compliance that is also efficient. It reduces the cost and uncertainty of managing identities and access by providing full transparency on identity and access risk, enabling users to act before a breach rather than after it. Next-generation IGA enables the business through improved provisioning, seamless workflows, and optimized helpdesk capacity. In addition, users need not worry about audits or regulatory compliance, because today’s IGA provides a comprehensive and automated overview of who has access to what. Together, this moves the business towards true need-to-know / need-to-have practices.
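The “automated user access overview” and the need-to-know / need-to-have practice described above come down to a recurring review of every account against what its role actually requires. The following is an added example written for this page, not code from the column or from Omada’s product: a minimal access review over a constructed identity inventory that flags the conditions such a review exists to catch, including third-party accounts whose engagement has ended (the SolarWinds lesson), accounts with no accountable owner, entitlements beyond the role baseline, and dormant accounts. The role baseline, account fields, sample identities and the 90-day dormancy threshold are all assumptions chosen for illustration.

```python
"""Minimal need-to-know / need-to-have access review (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed role baseline: the entitlements each role legitimately needs.
# In a real IGA deployment this comes from role mining or policy, not a literal.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "engineer":   {"git:read", "git:write", "ci:run"},
    "contractor": {"git:read", "ci:run"},
    "finance":    {"erp:read", "erp:post"},
}


@dataclass
class Account:
    user_id: str
    role: str
    entitlements: Set[str]
    owner: Optional[str]                 # accountable sponsor; None means orphaned
    is_third_party: bool = False
    engagement_end: Optional[date] = None  # contract end date for third parties
    last_login: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str
    detail: str


def review_access(accounts: List[Account], today: date, dormant_days: int = 90) -> List[Finding]:
    """Return one Finding per governance problem discovered on each account."""
    findings: List[Finding] = []
    for acct in accounts:
        baseline = ROLE_BASELINE.get(acct.role, set())
        # Need-to-have: anything beyond the role baseline is excess access.
        excess = acct.entitlements - baseline
        if excess:
            findings.append(Finding(acct.user_id, "excess_entitlement", ",".join(sorted(excess))))
        # Accountability: every account must have a named owner.
        if acct.owner is None:
            findings.append(Finding(acct.user_id, "orphaned_account", "no accountable owner"))
        # Third-party access must end when the engagement ends.
        if acct.is_third_party and acct.engagement_end and acct.engagement_end < today:
            findings.append(Finding(acct.user_id, "expired_third_party",
                                    f"engagement ended {acct.engagement_end.isoformat()}"))
        # Dormant accounts are unneeded access waiting to be abused.
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.user_id, "dormant_account",
                                    f"no login in the last {dormant_days} days"))
    return findings


def recommended_entitlements(acct: Account) -> Set[str]:
    """What the account should keep after remediation: only what its role needs."""
    return acct.entitlements & ROLE_BASELINE.get(acct.role, set())


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding kinds to the affected user ids, for a reviewer's overview."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.kind, []).append(f.user_id)
    return out


# Constructed sample inventory: one clean employee, one over-privileged contractor
# whose contract has lapsed, and one ownerless, dormant finance account.
SAMPLE_TODAY = date(2023, 1, 15)
SAMPLE_ACCOUNTS = [
    Account("alice", "engineer", {"git:read", "git:write", "ci:run"}, owner="mgr-1",
            last_login=date(2023, 1, 10)),
    Account("bob", "contractor", {"git:read", "git:write", "ci:run"}, owner="mgr-1",
            is_third_party=True, engagement_end=date(2022, 11, 30),
            last_login=date(2022, 12, 20)),
    Account("carol", "finance", {"erp:read", "erp:post"}, owner=None,
            last_login=date(2022, 9, 1)),
]


def review_sample() -> Dict[str, List[str]]:
    """Run the review over the constructed inventory."""
    return summarize(review_access(SAMPLE_ACCOUNTS, SAMPLE_TODAY))


if __name__ == "__main__":
    for f in review_access(SAMPLE_ACCOUNTS, SAMPLE_TODAY):
        print(f"{f.user_id:8} {f.kind:22} {f.detail}")
```

The point of the example is that each finding maps to a concrete owner action (remove the excess entitlement, assign an owner, disable the lapsed contractor, disable the dormant account), which is what turns a business impact report into something other than a document in a drawer.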
IGA Beyond the Status Quo
Legacy identity and access management solutions must be replaced as businesses concentrate on digital transformation, cloud migration, and empowering their whole workforce, wherever they may work from. Yet almost three years after the SolarWinds breach, in which bad actors took advantage of weak identity management, many organizations are still struggling to get their houses in order.
This status quo cannot stand. Since most users are no longer protected by traditional perimeter security, businesses are more vulnerable to threats, which presents a huge opportunity for cyber-criminals. Next-generation IGA has the features the modern enterprise needs to stay secure and compliant without interrupting business workflow.
Beyond the Status Quo: Solidifying IGA in a Post-2020 World (October 28, 2022)