SPHERE Insights is an ongoing column written by various members of the SPHERE team, highlighting unique viewpoints and expertise. This article comes to us from our head security expert, Douglas Bayne.
When it comes to Risk & Compliance in 2021, companies will need to have an increased focus on access controls and governance across all of their business assets worldwide. This will include all platform access, all in-house and third-party applications, all repositories that store potentially sensitive unstructured data, including end-user access and privileged access. More importantly, how will IT security intend on managing entitlements moving forward with an evergreen process is a pivotal requirement. Inventory, usage, and ownership are critical. Standardizing access and remediating violations or failed audit points should be a priority for minimizing the potential risks of internal and external data breaches as well as ensuring regulatory compliance and overall proper governance. Unfortunately, there are a few challenges to getting there.
- Lack of Coverage: On average, organizations have only been able to onboard half of their applications, systems, and platforms into critical Identity and Access Managment (IAM) workflows. That translates into unknown inventory and major gaps in access management.
- Poor Data Quality: Nearly 30% of ownership data, entitlement inventory, and the metadata associated to it is accurate, complete and/or up-to-date. For most organizations who have been around a while, data quality issues are a typical problem across many of the books of record. For any organization deploying or managing IAM data, it is well worth the time to normalize that bad data in always means bad data out.
- Zero Automation: A small fraction (only about 20%) of the necessary analytics are fed into IAM systems automatically, making regular, ongoing compliance workflows virtually impossible to perform. This translates into very manual, very costly and ineffective access review and certification processes that become a distraction to the lines of business and increases risk and the potential for a data breach.
- Lack of Actionable Intelligence: In large IT organizations, relevant user and application information comes from disparate and, in most cases, proprietary data sources such as HR and one of the main reasons why having the ability to integrate, correlate, as well as normalize third-party or proprietary data feeds is critical. Lacking the ability to report on excessive privileges as well as identifying and remediating permissions will certainly result in failed audits or worse.
- Inability to Maintain a Clean State: Automating the remediation process requires experience, expertise, and relevant, in-depth reporting for effective entitlement reviews. Not having the proper insight and automated processes to feed ownership and valid user information into existing IAM systems will only serve to amplify access issues over time.
Overcoming these challenges will lay the groundwork for a deeper, smarter, and more efficient way to reduce risk and better manage any corporate Identity and Access Management program. Whether the corporate IAM journey has just started or is in a later stage of deployment, SPHERE can help. Learn about SPHERE‘s Tech-Enabled Managed IAM Automation.