Identity Governance Has a Permission Problem

Identity governance is quickly becoming top-of-mind for CISOs. Identity governance requirements emerged two decades ago, when Sarbanes-Oxley (SOX) and other regulatory mandates were born in the wake of the dot-com bust. Compliance controls, such as user access reviews and the need to efficiently manage the life cycle of employee access, were the drivers for identity governance back then. In recent years, rapid cloud adoption has made identity significantly more business-critical. Today, a large share of cloud data breaches are rooted in identity exposures, and proactive identity security has become even more important than identity compliance and life cycle management. Most organizations need identity governance more than ever, but sorting through confusing vendor messaging, new security requirements and organizational ownership issues can be difficult.

What is Identity Governance?

Identity governance is about making sure that the right identities always have the right enterprise-wide permissions. To support this, all accounts, groups, roles and granular entitlements across enterprise infrastructure and applications must be configured appropriately for all users, machines and APIs. For user identities, these permissions need to be job-appropriate. For machine identities and APIs, the permissions need to be appropriate to technical or business requirements.

Constant change within an organization complicates identity governance: new applications, dynamic data resources and cloud workloads, new and departing employees, and changing job responsibilities. Permissions need to be continuously monitored, reviewed, provisioned and de-provisioned based on a variety of change events and on compliance and security policies.

The recognition of identity as the new security perimeter in the cloud is driving a new set of governance requirements. Platforms like AWS, Azure or GCP and critical applications like Okta, Snowflake, NetSuite or Workday need to be proactively monitored for access exposures. Access risks that need preemptive remediation include unused and orphan accounts, unnecessary service accounts, and third-party or API permissions that lack business justification. In addition, change monitoring has become essential: every change to a security setting and every new permission is a risk that needs scrutiny and validation.

Process and Ownership

Since identity touches every aspect of running a business, identity governance processes involve many stakeholders, from supervisors and system owners to compliance, security, IT and audit staff. With the decentralized administration of SaaS applications, there are often hundreds of application owners across an organization who make application-specific access decisions but are not accountable for security and compliance.

Identity governance deployments are usually championed within an enterprise by the identity team or the IT service delivery team. These teams understand compliance and life cycle processes but rarely get involved with threat remediation and response. The enterprise security operations team is responsible for security posture and threat detection and response, but this team often doesn’t appreciate the complexities of identity management processes and application-specific access. Governing identity and access holistically across these silos of ownership is a challenge for CISOs and CIOs. Many enterprises struggle to get alignment across system owners and identity, IT and security teams around who owns what and how to bring all these stakeholders into appropriate technology-driven processes.

Legacy Identity Governance

The first generation of identity governance products was focused on compliance and life cycle management, not enterprise security. These on-premises, legacy solutions were designed to integrate with on-premises applications and infrastructure and needed a lot of manual attention for deployment and maintenance. Vendors have tried to "lift and shift" their legacy offerings into the cloud, but the transplanted offerings lack important features and, much like the on-premises versions, require long and expensive professional services engagements. Gartner has estimated that 50% of identity governance deployments of this ilk are in distress. Legacy solutions also fall short in supporting integrations with SaaS and cloud applications. Perhaps most importantly, these solutions don't address emerging security requirements around posture management and identity threats.

Identity Providers

A newer take on identity governance has emerged in recent years. Identity provider vendors that gained significant traction as cloud business enablers, providing directory, authentication and single sign-on services, have also added some identity governance features. These vendors can track who can sign on to a system and any system permissions that map to group memberships, but they can't easily deal with permissions that don't map to groups. Identity providers use a permissions model that is too limiting, and their connectors for applications and infrastructure can't read and write permissions at a granular level. Use cases around audit, compliance and security demand a complete and accurate view of permissions, which these vendors can't provide.

Identity Security: A New View of Identity Governance

The modern approach to identity governance is security-first and automation-centric. New entrants in the market support proactive security controls and threat detection together with compliance and life cycle management, enabling identity and security operations teams to work together on a robust access posture across the enterprise attack surface. The new solutions are SaaS-based and offer a simpler user experience and deployment model. They also deliver automation to make it easier to integrate with all the systems in use in an organization, to dramatically reduce the manual work expected from stakeholders and to quantifiably track the progress of governance processes. As a result, this new generation of solutions is very effective in driving rapid time-to-value and delivering business outcomes quickly without prolonged professional services engagements. With machine learning and AI increasingly powering automated governance, these solutions have a promising future.

Conclusion

Identity is fundamental for business operations, which makes identity governance a must-have. New security requirements and cloud scale are driving organizations to rethink technology drivers and solution choices and to consider addressing identity governance with a new, purpose-built and automated approach that delivers value quickly and predictably.

Deepak Taneja

Deepak Taneja, a seasoned entrepreneur and security expert, is CEO and Co-Founder of Zilla Security. He has long been at the forefront of innovation in identity management. Deepak founded and led Aveksa, a pioneer and leader in identity governance, and was CTO for Identity at RSA Security after RSA acquired Aveksa. Previously, as CTO at Netegrity, he drove the evolution of SiteMinder into an industry-leading access management platform. Deepak is an avid supporter of Boston entrepreneurs and has served as an advisor and board member to several successful technology startups. He holds degrees in electrical engineering from IIT Kanpur and the University of Florida.