7 reasons why your business needs Identity Governance
An Identity Governance solution makes employees' rights and access to the company's systems visible. If your company already has an Identity Management solution, the functionality of the two often overlaps in practice. Nevertheless, there are distinct differences, and below we describe seven reasons why your business needs Identity Governance.
Alexander Friedensburg
04. September 2020
1. Compliance with regulatory requirements
For privacy reasons, all companies are required to control how rights and access to sensitive personal data are managed. Article 32 of the GDPR describes the regulation's requirements for technical and organizational security measures. Although no specific technical arrangements are mentioned, good Identity Governance procedures are necessary to comply with the GDPR's principle of "protection against unauthorized or illegal processing."
Incidents of the type "unauthorized access" are not limited to outsiders who gain access illegally, but may also include cases where the company's own employees have access they should not actually have.
Whether the requirement for control entails a need for an Identity Governance solution is up to the individual company. In a dynamic working day with home offices, cloud services and generally increased digitization, however, it is difficult to imagine how regulatory requirements can be met without a suitable solution.
The tasks of an Identity Governance solution are to structure the allocation of rights and access, make the actual situation visible and document the implementation of the organization's control routines. Thus, the solution contributes to compliance with imposed regulatory requirements.
2. Risk management
We often hear about data breaches and leaks, including here in the Nordic region. The number of unreported incidents is assumed to be significant. The costs associated with lost reputation and income quickly exceed what the appropriate security measures would have cost. Sometimes an incident even threatens the company's continued operation.
The Identity Governance solution takes a proactive approach by limiting and protecting access to sensitive data, thereby reducing risk.
The solution is usually based on the following three principles:
- Allocation of rights based on "Least Privilege". Although we trust that our own employees do not abuse access they do not need, such access still increases the attack surface that can be exploited in connection with identity theft.
- Remove "Orphaned accounts", that is, accounts and access rights that belonged to former employees or that for other reasons are no longer linked to an existing user.
- Monitor compliance with "Segregation of duties (SOD)". This important risk management principle requires that certain actions be performed by more than one person. An example is that one person makes a payment, while another approves the transaction.
3. Get an overview
"What you measure is what you manage." Identity Governance routines involve keeping track of access rights and regularly checking whether they are still needed. Exercising control, however, presupposes insight into the actual situation. The challenge is often that this overview is spread across the company's various systems and is cumbersome to compile. It is difficult enough for IT to retain control, and for department managers it is almost impossible.
The advantage of an Identity Governance solution is that it compiles and presents this information in such a way that it is understandable to department managers and security managers.
The solution will also carry out so-called certification campaigns in which department managers, for example once a quarter, are asked to confirm which roles and rights their employees will continue to have. This is a central Identity Governance process that the solution facilitates and documents. This is how the company proves that it performs this important control function.
4. Involves the business side in the security work
It is a misunderstanding to assume that the IT department alone should have, or even can have, responsibility for information security. The department often does not have the prerequisites to assess who should have which access. Access management is a business process, and it is especially team managers and department managers who bear this important responsibility. After all, it is they who have an overview of the employees and the tasks they are set to perform.
An obvious prerequisite for managers to be able to control and monitor access is that they get an overview of this information. An Identity Governance solution presents this in a non-technical way, so that managers quickly get an overview of existing roles, access and rights.
Only when the managers can order access on behalf of their employees, approve application orders, and confirm or, where appropriate, remove access has the company managed to involve the managers in the security work.
5. Cost control
Applications that employees have no need for, should not have access to, or do not even use often constitute a significant and unnecessary licensing cost for the company. The cost of the time the IT department spends administering all this access is also significant.
An Identity Governance solution involves the department managers and thus minimizes the time IT spends on administration. In addition, licensing costs can be made visible as a dimension the department managers must decide on.
6. Identity Management alone is not sufficient
An Identity Management solution creates users and provides access to corporate applications. It is an important step towards centralized control, but it is not completely watertight. Administrators of the connected applications can still create users and access rights outside the solution. In many cases, an Identity Management solution will not even detect such changes.
An Identity Governance solution, on the other hand, has an overview of the access rights that are actually set up in each connected application, and reports any discrepancies.
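The discrepancy check described here, combined with the orphaned-account and segregation-of-duties principles from section 2, can be sketched as follows. This is an added example, not code from any Identity Governance product; the users, applications, rights and the SoD rule are constructed sample data, and all function names are hypothetical.

```python
"""Access reconciliation sketch: orphaned accounts, out-of-band grants, SoD conflicts."""

# Constructed sample data; every user, application and right below is hypothetical.
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}        # current staff according to HR
IDM_PROVISIONED = {                                 # granted via Identity Management
    ("alice", "erp", "payment_create"),
    ("bob", "erp", "payment_approve"),
    ("dave", "erp", "payment_create"),              # dave has left the company
}
APP_ACTUAL = IDM_PROVISIONED | {                    # what the applications really hold
    ("alice", "erp", "payment_approve"),            # added by a local application admin
    ("svc_old", "crm", "admin"),                    # not linked to any existing user
}
SOD_RULES = [("erp", "payment_create", "payment_approve")]  # conflicting pairs per app


def orphaned(actual, employees):
    """Entitlements whose account holder is not an active employee."""
    return sorted(e for e in actual if e[0] not in employees)


def out_of_band(actual, provisioned):
    """Entitlements present in an application but never granted by Identity Management."""
    return sorted(actual - provisioned)


def sod_violations(actual, rules):
    """Users who hold both sides of a conflicting pair in the same application."""
    held = {}
    for user, app, right in actual:
        held.setdefault((user, app), set()).add(right)
    return sorted(
        (user, app, a, b)
        for (user, app), rights in held.items()
        for rule_app, a, b in rules
        if app == rule_app and a in rights and b in rights
    )


def report(actual=APP_ACTUAL, provisioned=IDM_PROVISIONED,
           employees=ACTIVE_EMPLOYEES, rules=SOD_RULES):
    """Collect all three finding types into one review-ready structure."""
    return {
        "orphaned": orphaned(actual, employees),
        "out_of_band": out_of_band(actual, provisioned),
        "sod_violations": sod_violations(actual, rules),
    }


if __name__ == "__main__":
    for finding, rows in report().items():
        print(finding, rows)
```

Note that the segregation-of-duties conflict for alice only becomes visible because the check runs against the entitlements actually present in the application, not against what Identity Management believes it granted.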
7. Complements Identity Management
If the company already has an Identity Management solution, it is hopefully well accustomed to allocating rights. The strength of such a solution lies in synchronizing user attributes between systems, as well as in automatically creating and removing access.
Unlike an Identity Governance solution, an Identity Management solution is usually not suitable for presenting the assets in a useful way to the department managers. It also has no functions for performing periodic checks delegated to them. Thus, an Identity Management solution is less suitable if the goal is to involve the entire organization in information security work.
Fortunately, it is possible to complement an existing Identity Management solution with an Identity Governance solution to add control features. Then the company does not have to throw overboard all the investments that have been made in the existing solution, and can optimize the security work with good Identity Governance routines.