Understanding Enterprise Identity Governance in 2019

Every cybersecurity solution works to answer particular questions. Endpoint security answers questions like “How can we secure our digital perimeter?” SIEM answers questions like “How do we know if a hacker has already penetrated our network?”

Identity governance and administration, often shortened to IGA or identity governance, answers different questions. How can enterprises ensure the permissions their users have are appropriate to their roles? Can enterprises prevent users from accumulating unnecessary privileges? How can enterprises improve their visibility into their users’ identities?

If your enterprise doesn’t ask itself these questions, you may find yourself on the back foot dealing with external and internal threats alike.

Identity governance is one of the most neglected branches of cybersecurity. Yet every enterprise needs to adopt—or update their current—identity governance in 2019.

What does identity governance in 2019 look like? Why do enterprises need it?

Here are our predictions:

Identity Governance in 2019: Setting the Stage   

SailPoint, a major identity governance and administration solution provider, recently released the findings of its first-ever Identity Report, the 2018 Identity Report. The report found a significant lack of maturity in enterprises’ identity governance processes, even as those enterprises adopt identity management technologies. Taken all together, the findings highlight the need for identity governance in 2019.

These findings include:  

  • Only 20% of enterprises have visibility over all of their users.
  • 7% have no visibility whatsoever.
  • 88% of enterprises are not governing access to data stored in files.
  • Only 10% of enterprises monitor and govern user access to data stored in files.  

Kari Hanson, Vice President of Corporate Marketing, SailPoint, said in a statement announcing the 2018 Identity Report: “The ultimate goal of any identity program is to efficiently deliver access to users, securely and confidently.”

“When enterprises are able to see, understand and govern their users’ access to all business applications and data, they are better protected against potential threats. This turns identity into a business enabler for organizations, helping them to properly secure and govern all of their digital identities at the speed of business today.”

Hanson’s comments cut to the heart of the issue. Her statement, and the findings of the SailPoint 2018 Identity Report, emphasize the main reasons enterprises need identity governance in 2019: visibility and control, automation of employee-driven processes like password management, and compliance.

Identity is More Than Just Employees

When thinking about identity governance, enterprises often fall into the classic trap of thinking only about the individual users operating under their purview: their employees.    

Indeed, cybersecurity experts frequently refer to employees as “the largest attack vector in any enterprise’s network.” This is far from an exaggeration, but it limits the understanding of IGA’s necessity. Put another way, access control, access management, role management, and access creep aren’t just concerns for enterprises with large primary workforces.

All enterprises must consider their contractors, partners, and other third parties when considering access management and identity governance in 2019. If they have access to the network, their permissions should be as strictly controlled and monitored as any of your employees.

Furthermore, your identity governance in 2019 must extend beyond the identities of people. It must extend to the identities held by applications and software. These can move through your network and access data in much the same way a human user can. Allowing them free rein in your databases can only lead to serious issues down the road. Application identity governance and administration is only going to become more important as cloud applications and cloud architecture continue to transform enterprises.

IGA Must Take Control of The Data Itself, Not Just the Identities

To mimic a well-known public service announcement: Do you know where your data is right now?

A common misunderstanding about databases and proprietary digital assets is that they are static, and that enterprises can guard them the same way they could guard an analog vault.

Granted, this assumption is neither unexpected nor unreasonable. However, it fails to take into account the modern mobility of data. Data moves: it gets transferred over email, stored in the cloud, and incorporated into presentations, files, and other less secure assets. Who knows how many PowerPoint and PDF files currently contain your most sensitive data?

Identity governance in 2019 must be capable of securing these parts of the network as well, monitoring where your most important data goes, who moved it, and when. This will allow it to ensure only users with the proper permissions have access to proprietary data, even if it is elsewhere in the network, and thus prevent a potential data breach.

Identity Governance Must Partner With PAM

Of course, maintaining proper role management through identity governance in 2019 makes a key assumption: namely, that the users logging in are the users to whom the accounts belong.

Password sharing, stolen credentials, and phishing attacks can place your employees’ identities at severe risk; this applies doubly if the employees in question have significant administrative powers within the network. By incorporating strong privileged access management with your IGA solution, you can prevent hackers and insider threats from turning your role management against you.

This can include implementing granular authentication, implementing multifactor authentication, and deploying behavioral analysis to observe discrepancies.

In summary, identity governance in 2019 will not be a panacea. It must be a part of a comprehensive cybersecurity platform, made of well-integrated and well-thought-out solutions.

2018 witnessed some of the worst enterprise-level data breaches in history. Don’t repeat the mistakes of the past, else you become a mistake of the past for someone else.  

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.