In an economy driven by information, data has always been every organization’s most important asset, and cyber-criminals know this, which is why they almost always start an attack by compromising credentials – and from there, move to other levels of privilege until they reach their ultimate goal: data.
Acknowledging this, boards, C-suite executives and IT security teams have always ranked data governance as a top priority. Yet the strategies used to execute on this critical function have changed dramatically over the years.
In the days before mobile and cloud computing caused a massive diffusion of IT architecture and resources, data governance was much more manageable. Most data lived inside a corporate data center or within a company’s four walls, so IT security teams had a good handle on where their data resided, who had access to it, how it was being used, and what security vulnerabilities existed.
Today, though, due to cloud, mobile and digital transformation, we are in uncharted territory. Data is created at a volume and velocity never before experienced. It resides in more places across dynamic, distributed, hybrid infrastructures and it is accessed by more people, in more ways, and on more devices. On top of all this, data, user access requests and the current network state all change at a faster rate than we’ve ever witnessed.
In this new environment, where it is impossible to build virtual walls around data, identity has become the new perimeter. If organizations can carefully manage who has access to applications and data, then they can accomplish the same objectives as the old perimeter – keeping unauthorized people out of corporate IT assets.
Historically, identity has been managed through identity and access management (IAM) products alone, which were optimized around provisioning and deprovisioning employee accounts.
With digital transformation, however, applications and data are exposed to non-employees as well: partners, customers, complete strangers all need different levels of access to different applications and data. This has required a different approach to IAM – one that examines the discipline through a lens of digital transformation by optimizing people, process and technology.
Out with the Old, In with the New
Traditional IAM programs are highly tactical, typically consisting of a collection of point solutions and siloed processes that focus on protecting access to data, applications, systems and other resources that contain sensitive data and have regulatory requirements. This approach worked fine in the old perimeter days but with today’s complex, highly distributed infrastructures, the traditional approach to IAM can no longer effectively track, manage and protect data and access. In fact, it can actually come into direct conflict with digital transformation initiatives.
For example, IAM rules often create access roadblocks that slow down digital transformation technologies and processes. Hindering speed, a critical component of digital transformation success, can have detrimental consequences for the business – so much so that DevOps and business departments often prioritize speed-to-market over security. When this happens, projects get pushed to the cloud and into production without IAM measures in place, which leaves critical data exposed and heightens the risk of unauthorized access, non-compliance, data breaches and other nefarious activity.
The single most important thing any company can do to prevent data breaches and non-compliance in a digital transformation world is to provide ubiquitous identity management – or identity-defined security.
Identity-Defined Security is Within Reach
The reason why most modern IAM initiatives fail is that organizations underestimate their scope. They treat IAM as a “project,” when it really is an ongoing discipline. They also underestimate the resources required to make an IAM initiative successful.
Successful IAM deployments operate on a scale commensurate with enterprise resource planning (ERP) deployments – which may seem like an enormous undertaking. Just as ERP systems are usually the single most important IT assets in companies, IAM, when done right, is the single most important security asset.
Companies that can effectively manage all of their assets and data can dramatically reduce the likelihood of data compromise and compliance violations in an age of digital transformation – this is the power of identity-defined security.
Just as ERP deployments are never “done,” because they are the foundational business system and business always changes, IAM deployments are also never “done,” because IT and digital transformation initiatives are constantly evolving and bring with them constantly changing identity requirements.
The fact that IAM is a major undertaking should not be an impediment to starting the journey to identity-defined security. The best way to start is to develop a prioritized IAM roadmap focused on organization-specific risks and business objectives. From there, establish a comprehensive understanding of every person who works for or with your organization (don’t forget third parties), what data they have access to, and how they’re using it.
Once this information is understood, move forward with basic IAM controls, such as access control, user lifecycle management and access governance. From there, you can tackle more advanced controls and strategies, such as:
- Assembling a committee tasked with unifying data governance and IAM programs.
- Assigning roles for data owners and data stewards, beginning with the most critical and sensitive data.
- Developing and implementing data classification and handling standards, including compliance, privacy, and security requirements and controls.
- Defining KPIs to measure adherence and maturity of data governance and IAM programs.
- Applying and monitoring least-privilege access to enterprise and customer data – no matter where it resides.
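The last three items above (classification standards, adherence KPIs, and least-privilege monitoring) are the ones that can be turned into a repeatable check. The script below is an added illustration, not code from the article or from any vendor it alludes to: it takes a constructed entitlement inventory, compares each grant against a hypothetical per-role baseline, flags grants that are stale or that give an external party access to restricted data, and reports an adherence KPI. Role names, entitlement strings, classification labels and the 90-day idle threshold are all assumptions chosen for the example.

```python
"""Least-privilege drift check and adherence KPI over an entitlement inventory.

Added example; all roles, entitlements, classifications and users are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical role baselines: the entitlements each role is expected to hold.
ROLE_BASELINES = {
    "engineer":   {"git:read", "git:write", "ci:run"},
    "analyst":    {"warehouse:read", "bi:view"},
    "contractor": {"git:read"},
}

# Hypothetical data classification of the resource behind each entitlement
# (the "data classification and handling standard" from the list above).
CLASSIFICATION = {
    "git:read": "internal", "git:write": "internal", "ci:run": "internal",
    "warehouse:read": "restricted", "bi:view": "internal", "hr:export": "restricted",
}

# Roles that represent non-employees (partners, contractors).
EXTERNAL_ROLES = {"contractor"}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    entitlement: str
    idle_days: int  # days since the entitlement was last exercised


# Constructed sample inventory; not real data.
INVENTORY = [
    Grant("alice", "engineer", "git:read", 1),
    Grant("alice", "engineer", "git:write", 2),
    Grant("alice", "engineer", "ci:run", 3),
    Grant("bob", "analyst", "warehouse:read", 5),
    Grant("bob", "analyst", "bi:view", 4),
    Grant("bob", "analyst", "hr:export", 200),            # outside baseline and stale
    Grant("carol", "contractor", "git:read", 10),
    Grant("carol", "contractor", "warehouse:read", 120),  # external user on restricted data, stale
]


def excess_grants(inventory, baselines):
    """Grants not covered by the holder's role baseline: least-privilege violations."""
    excess = defaultdict(set)
    for g in inventory:
        if g.entitlement not in baselines.get(g.role, set()):
            excess[g.user].add(g.entitlement)
    return dict(excess)


def stale_grants(inventory, max_idle_days=90):
    """Grants that have not been exercised within the idle window (candidates for revocation)."""
    return sorted((g.user, g.entitlement) for g in inventory if g.idle_days > max_idle_days)


def external_restricted_grants(inventory, classification, external_roles):
    """Non-employee grants on resources classified as restricted."""
    return sorted(
        (g.user, g.entitlement)
        for g in inventory
        if g.role in external_roles and classification.get(g.entitlement) == "restricted"
    )


def adherence_kpi(inventory, baselines):
    """Share of grants that fall inside their role baseline, rounded to three places."""
    if not inventory:
        return 1.0
    within = sum(1 for g in inventory if g.entitlement in baselines.get(g.role, set()))
    return round(within / len(inventory), 3)


if __name__ == "__main__":
    print("excess grants:", excess_grants(INVENTORY, ROLE_BASELINES))
    print("stale grants:", stale_grants(INVENTORY))
    print("external on restricted:", external_restricted_grants(INVENTORY, CLASSIFICATION, EXTERNAL_ROLES))
    print("least-privilege adherence KPI:", adherence_kpi(INVENTORY, ROLE_BASELINES))
```

Run as a periodic job against an export from the IAM or access-governance system, the three flagged lists become the work queue for data owners and stewards, and the KPI tracked over time shows whether the program is maturing or drifting. The baseline-per-role model is deliberately simple; a real deployment would key baselines on finer attributes and feed the findings back into the review workflow rather than only printing them.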
Digital transformation has created a host of new vulnerabilities and threats that are inherent to the way data is stored, delivered, accessed and used. Understanding and mitigating those risks is critical, and adopting an identity-defined approach to security can provide effective risk governance that keeps pace with digital transformation. This means that organizations can leverage digital transformation technologies and processes without introducing unnecessary enterprise risk. After all, in today’s business risk environment, digital transformation should not be the ultimate goal. The ultimate goal should be secure digital transformation.