Identity and Access Governance

From protecting the perimeter to governing digital identities

Do you know who has access to what information, and when, how and whether they are authorised to do so? Do you know what your ‘crown jewels’ are and who should have access to these? Are you comfortable that only those who should have access to sensitive information do? If not, then there is a good reason to consider managing and governing your digital identities. Lack of Identity and Access Governance (IAG) not only increases the risk of unauthorised disclosure, misuse and/or loss of your organisation’s sensitive information, but may result in loss of productivity, reputational and financial damage and potential non-compliance with laws and regulations.


Why you should be worried

As the world becomes increasingly digitally driven, the barriers between the traditional workplace and the home are being eroded. As a result, your organisation’s information is no longer housed on the business premises but is in the hands of your employees, third parties and customers, who can access your information anytime, anywhere through a myriad of user devices and applications. The question is, how do organisations ensure that the right people have access to the right information at the right time?

Consequently, the approach to enterprise security and governance is shifting from perimeter-centric to identity-centric. Traditional methods of ensuring data confidentiality, integrity, availability and non-repudiation through legacy systems are fast approaching a state of extinction. 

With an ever-changing technological landscape characterised by disruptive technologies such as cloud computing and mobile devices coupled with internal threats, securing the perimeter alone leaves your organisation with a half-baked solution. The physical perimeter is broken and insider activity continues to be a threat. The only possible solution is for organisations to manage and govern digital identities. The diagram to the right shows how the perimeter has been perforated by insider threats and disruptive technologies.


Key threats posed to data-fluid organisations include the following:

  • Perimeter solutions fail to detect the insider threat: intentionally or unintentionally, insiders pose a threat to the organisation and cannot be fully prevented from so doing through traditional perimeter solutions. The 2017 US State of Cybercrime Survey research revealed that cyber intruders often go undetected for an average of 92 days. The most logical reason for this is surely that the identities of authorised users are actually used – and we all know how much damage just one minute of unauthorised access can do.
  • Weak authentication: weak authentication mechanisms make it easy for malicious users to obtain or brute force user credentials.
  • Excessive rights (privilege creep): lack of periodic review (attestation) of user rights may leave users with excessive rights, which can be abused to the detriment of the organisation.
  • Accounts left without owners (orphaned accounts): it is cumbersome if not difficult to timeously identify, investigate and revoke orphaned accounts, which can easily be exploited by malicious attackers.
  • We do not have a single holistic view of the users: multiple identity stores for various applications and systems make it difficult to have a 360-degree or seamless view of user activities, thus posing great danger to the organisation.
  • We do not guard our privileged accounts: merely protecting your crown jewels using identification and authentication alone is suicide. If malicious attackers gain access to these accounts they can go on a shopping spree! It is important that these accounts are monitored, isolated from other accounts and jealously guarded – hence the need for privileged account management solutions as part of IAG.
  • Technology is evolving: disruptive technologies and the increasing need to communicate with external parties provide more touch points into our environment that need to be managed and protected. 

34% of respondents to PwC, CIO and CSO’s Global State of Information Security Survey 2018 said they are seriously planning to assess Internet of Things (IoT) risks across their environments. Mobile device exploitation, phishing and employees were rated the top three areas respectively where cyber incidents took place, while employees were the major likely source of incidents. Research firm Gartner places privileged account management (a part of Identity and Access Governance) as 2018’s top cybersecurity priority, given that over 80% of all breaches are a result of weak or stolen privileged credentials. According to CA Technologies’ 2018 Insider Threat Report, 90% of organisations feel vulnerable to insider threats and Verizon’s 2017 Data Breach Investigations Report reveals that an alarming 81% (up from 55%) of data breaches are as a result of stolen and weak credentials.


In a nutshell, IAG involves the oversight measures and activities required to know who (subjects) has access to what (resources), when (times), where (location), how (methods) and whether they are authorised to do so. Identity and access activities such as access provisioning and revocation and changes thereto, a process commonly known as Joiner-Mover-Leaver (JML), often lack a governance layer that helps minimise risk, optimise processes and maximise benefits realisation. IAG involves looking at identity and access activities from a people, processes and technology perspective.

There are various IAG tools on the market, with more mature IAG tools having grown analytical capabilities and easily integrating with other applications such as Security Incident and Events Management (SIEM) tools to provide timely incident reporting.

  • Improved security through centralised policy enforcement, monitoring and event triggering, as well as the ability to ensure that roles are properly defined and that people have the right access, at the right time and place based on their business needs. IAG also involves access attestation, which is usually automated in order to reduce the number of instances in which users gain excessive privileges (privilege creep).
  • Improved user experience due to automated services such as password self-service and single sign-on and sign-off.
  • Improved efficiency in workflow such as automated provisioning, change management and revocation. This saves productivity time usually lost in waiting for what would be a manual process of requesting access rights.
  • Better compliance with data protection legislation such as the General Data Protection Regulation (GDPR) in the EU and Protection of Personal Information Act (for South Africa), as well as internal policies.
  • Cost savings in terms of number of manual password request calls and number of attestations – not to mention legal defence costs and the consequences of data breaches.
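The threat list above names privilege creep and orphaned accounts, and the paragraph on Joiner-Mover-Leaver (JML) processing describes attestation as the control that catches them. The following is an added example, not code from the article or from PwC: a small attestation pass over a constructed HR identity store and application account store, flagging accounts whose owner has left or is unknown (orphaned) and accounts holding rights outside the owner's current role baseline (privilege creep). Role names, entitlement strings and user ids are all constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Role baselines: the entitlements each role is allowed to hold (constructed data).
ROLE_BASELINE = {
    "finance_analyst": {"erp:read", "erp:report"},
    "finance_manager": {"erp:read", "erp:report", "erp:approve_payment"},
    "it_admin": {"erp:admin"},
}

@dataclass
class Identity:          # one person in the authoritative (HR) identity store
    uid: str
    role: str            # current role, i.e. after any mover event
    status: str          # "active" or "left" (leaver already processed in HR)

@dataclass
class Account:           # one account in an application's own identity store
    system: str
    name: str
    owner_uid: Optional[str]           # None: no identity linked to this account
    entitlements: set = field(default_factory=set)

def attest(identities, accounts):
    """Attestation pass: return (finding, 'system/account', detail) tuples."""
    by_uid = {i.uid: i for i in identities}
    findings = []
    for a in accounts:
        label = f"{a.system}/{a.name}"
        owner = by_uid.get(a.owner_uid)
        if owner is None or owner.status == "left":
            # Leaver whose access was never revoked, or an account with no owner.
            findings.append(("orphaned", label, a.owner_uid))
            continue
        extra = a.entitlements - ROLE_BASELINE.get(owner.role, set())
        if extra:
            # Rights beyond the current role baseline: a mover kept old access.
            findings.append(("privilege_creep", label, sorted(extra)))
    return findings

def sample_findings():
    """Constructed JML scenario: one mover, one leaver, one unlinked account."""
    people = [
        Identity("u100", "finance_manager", "active"),  # moved from it_admin
        Identity("u200", "finance_analyst", "left"),    # leaver recorded by HR
    ]
    accounts = [
        Account("erp", "u100", "u100", {"erp:read", "erp:report", "erp:approve_payment", "erp:admin"}),
        Account("erp", "u200", "u200", {"erp:read", "erp:report"}),  # never revoked
        Account("erp", "svc_batch", None, {"erp:admin"}),            # no owner on record
    ]
    return attest(people, accounts)
```

Run on a real environment, the identities would come from the HR feed and the accounts from each application's own store; the point of the example is that neither store alone reveals the two conditions.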

Solution – Organisations need to embark on a well-structured identity and access governance programme before even considering technology solutions. This helps ensure that all their efforts are properly aligned to strategy and do not unnecessarily complicate the problem. The author has identified six common pitfalls associated with organisations embarking on developing an IAG programme.

Six common reasons why identity and access programs fail



Contact us

Hamil Bhoora


Africa Cybersecurity Leader, PwC South Africa

Tel: +27 (0) 11 797 4102
