Research firm, the Ponemon Institute, recently presented the findings of its study, “Global Trends in Identity Governance & Access Management,” a study designed to understand companies’ ability to protect access to sensitive and confidential information and what they believe is necessary to improve the protection.
The report offers several insights, and a number of trends can be picked out from the responses. Most are obvious, well-understood issues we have faced for some years, while a few are emerging as the technology takes a more central role throughout organizations. Some of the highlights include: Employees are frustrated with access rights processes, and IT security efforts are considered a bottleneck. In most cases, those who need assistance say that IT teams are slow to respond to requests for service.
Control over access management is reportedly decentralized in many organizations, Ponemon says. Even so, certain technologies are considered an important part of meeting identity governance and access management requirements, and a single-factor authentication approach is no longer effective (it has not been effective for some time, actually). Apparently, the most difficult policies to implement are those that enforce access consistently across all information resources in the organization.
Also, as is usually the case in most organizations: End users have more access than they should, as a result of poor account management or access bleed. Another factor that plays into this is the practice of copying and pasting the access credentials of employees who share similar roles to others in the organization, and access creep – which is a fancy way of saying that employees collect access over a period of time as they take on projects or roles, and access gained in the past is never revoked. These folks are like access snowballs: The more they roll through the organization, the more access rights they pick up, until they are large and cumbersome to move.
Ponemon also pointed out that new threats continue to create disruption and reduce organizations’ ability to mitigate governance and access management risks, and that disruptive technologies, including IoT, are likely a concern for identity and access governance managers. Still, effective identity and access governance across the enterprise is achievable.
Despite this, organizations deploy access governance solutions in high numbers, even more so than other “security” technology, yet they are not receiving the financial return on that investment they expect. One reason for the overwhelming number of implementations might be organizational compliance – satisfying audits, or better managing requirements like HIPAA – while the answer to the ROI question may be that organizations simply are not utilizing their access governance (AG) solutions properly. Perhaps.
Access governance solutions are not designed solely for compliance uses, though, even if compliance is an important function of the technology. Governance solutions are meant to reduce the risk of your employees accessing information inappropriately, whether inadvertently or by deliberately creating a security breach. Additionally, access governance allows you – IT and organizational leadership – to see who is doing what, and when, across an environment, no matter where the employee is located within it.
While compliance is an admirable goal, access governance and data protection is the ultimate goal. When that goal is pursued, an increased return on investment will likely follow quickly. ROI can be measured in several ways, but since access governance does not directly contribute to revenue growth, it should be measured by the amount of risk reduced. For example, if no access revocations are ever flagged in your system, that may be a sign that your management team is simply copying and pasting access rights from other roles on their teams, or rubber-stamping access rights for whomever requests them.
Other factors to keep in mind when reviewing and reducing access rights are how often jobs and roles change in your organization, whether you use contract workers who may no longer need access to data, whether employees switch projects from time to time and report to different managers, and whether the organization adds new people regularly. Each of these factors – which every organization faces – can be improved by the use of automated access governance solutions.
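The review signals described above (access creep after a role change, copy-pasted rights that do not fit the current role, and a revocation rate near zero) can be computed from an entitlement grant history. The following is an added example, not from the Ponemon report or any product; the users, roles, entitlements and role baseline are constructed sample data.

```python
"""Flag access creep and off-baseline entitlements from a grant history.
All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    granted_under: str        # role the user held when the grant was approved
    revoked: Optional[date]   # None means the entitlement is still active


# Constructed: each user's current role in the HR system of record.
CURRENT_ROLE = {"alice": "finance-analyst", "bob": "sales-rep", "carol": "sales-rep"}

# Constructed grant history. Alice moved from helpdesk to finance but kept one
# helpdesk entitlement; Carol's gl-read was copied from a finance peer.
GRANTS = [
    Grant("alice", "ticketing-admin", "helpdesk", None),
    Grant("alice", "vpn", "helpdesk", date(2023, 1, 10)),
    Grant("alice", "gl-read", "finance-analyst", None),
    Grant("bob", "crm-write", "sales-rep", None),
    Grant("carol", "crm-write", "sales-rep", None),
    Grant("carol", "gl-read", "sales-rep", None),
]

# Constructed role baseline: the entitlements each role is expected to carry.
ROLE_BASELINE = {
    "finance-analyst": {"gl-read"},
    "sales-rep": {"crm-write"},
    "helpdesk": {"ticketing-admin", "vpn"},
}


def access_creep(grants, current_role):
    """Active entitlements granted under a role the user no longer holds."""
    return sorted((g.user, g.entitlement) for g in grants
                  if g.revoked is None and g.granted_under != current_role[g.user])


def off_baseline(grants, current_role, baseline):
    """Active entitlements outside the user's current-role baseline
    (a sign of copy-pasted or rubber-stamped rights)."""
    return sorted((g.user, g.entitlement) for g in grants
                  if g.revoked is None
                  and g.entitlement not in baseline[current_role[g.user]])


def revocation_rate(grants):
    """Share of grants ever revoked; a value near zero means reviews revoke nothing."""
    return sum(g.revoked is not None for g in grants) / len(grants)
```

Running the three checks over a real grant export gives a concrete risk-reduction figure to track over time, which is the ROI measure the text argues for.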
Improving access governance protection means you must evaluate the current state of your identity governance situation and apply corrections based on your specific business conditions. Tracking these functions will not only give you an approximate ROI for your organization’s identity governance solution; using these solutions as a preventive measure can also stop users from gaining too much access in the first place.