Lessons from 2019 Gartner Security & Risk Management Summit

Adam Barngrover

Principal Solution Strategist

With the 2019 Gartner Security and Risk Management Summit slowly fading in the rear-view mirror, identity and access management professionals need to start looking toward the future. While no one has a crystal ball, the not-too-distant future seems to be focused on securing the cloud by securing identity. With a look to the cloud-enabled future, this year’s Gartner Security and Risk Management Summit tackled themes such as regulatory compliance, metrics, and Identity and Access Management. Across the variety of speakers and presentations, however, five distinct lessons coalesced from these themes.

1. Regulatory Roadblocks

While IT professionals know logically that governments are increasing their legislative control over data privacy, the growth of regulatory demands will likely become a roadblock to digital transformation and cloud migration. Gartner analysts Jay Heiser and Khushbu Pratap confirmed these suspicions, noting, “By 2025 regulatory concerns will represent a greater inhibitor for public cloud use than security concerns.”

In fact, while risk managers were attending the conference, the US federal government debated several potential options for national legislation. Meanwhile, New York state legislators brought a proposed privacy act to committee. In Maine, new legislation that goes into effect on July 1, 2020 forces opt-in requirements before companies can use data. 

The United States is not the only harbinger of increased regulatory requirements. Sweden enacted a new law in April 2019, while India also enacted a new privacy law at the end of 2018. 

In short, more legislation will be creating many more problems. 

2. Maturity Means Merging

Organizations seeking to mature their privacy programs need to be more aware of the ways in which they handle data. Panelists at the Gartner Security and Risk Summit discussed the importance of merging existing technologies to secure data. 

Leaving identity and access siloed from one another creates compliance, privacy, and security gaps. Best practices for scaling operations while maturing the compliance program start with a convergence of Identity Governance and Administration (IGA), Privileged Access Management (PAM), Access Management, and Authentication. Currently, many organizations silo these activities by focusing on technologies. To remain compliant as the organization migrates business-critical operations to the cloud, IT, security, and risk professionals need to work together to find solutions to all of these problems in a way that enables them to create holistic, risk-based compliance programs.

Focusing on IGA, analysts noted that organizations need to move beyond automated provisioning as a “one-stop” solution to their identity lifecycle management problems. Organizations need to focus their IGA programs on a Governance First approach using risk-based decision making. As more regulatory compliance requirements focus on risk-based controls, organizations need to ensure that they are meeting those requirements. 

Adding identity analytics to these programs enhances their effectiveness. Analysts strongly supported the idea of using identity analytics to streamline IGA programs. Role-mining and analytics enable organizations to remove redundancy and create overarching holistic programs across on-premise, hybrid, and cloud ecosystems to ensure that users only obtain the right access to the right resources at the right time for the right reason. As companies create digital transformation strategies, analytics using fine-grained, detailed, attribute-based identity definitions provide the needed visibility into how users interact with data across their ecosystems.

3. Metrics Matter

As part of creating an enhanced, analytics-enabled IGA program, organizations should be using metrics derived from their solutions. However, determining the right metrics is sometimes difficult. 

Metrics that help define success or failure of programs should:

  • Have a clearly defined and defensible causal relationship to a business outcome
  • Address a specific, defined audience
  • Address business decision-making for the intended audience
  • Be understandable by a non-IT audience

The last two points matter most for IT, security, and risk professionals. Often, the metrics that define data privacy and security control effectiveness are too technical for business leadership. For example, Privileged Access Management (PAM) data breach risks arise when a DevOps professional spins up new workloads. However, business leadership may be more receptive to a conversation focused on increased costs arising from unmonitored cloud resource usage than to one about data privacy, because it speaks to their business outcomes.

IT, security, and risk professionals need to find metrics that help them, but they also need to find the right metrics for the C-suite.

4. Inform to Influence

Metrics only provide value if they can influence business decision-making. Not only do organizations need to implement metrics, but those metrics need to be ones that inform decision-making appropriately. 

Similar to the PAM example above, IT, risk, and security professionals need to step away from their traditional role as data protectors and think about exactly how to use metrics to obtain buy-in. Business metrics for technology inform business decisions related to business outcomes that depend on technology.

In this case, organizations should adopt a “top-down” approach to defining metrics that incorporates stakeholders across the organization. Coordinating with stakeholders eases the process of identifying the most important business processes that use sensitive data. Then, working together, everyone can negotiate controls with business process owners to include all critical processes and technologies. 

The best way to secure an organization is to locate the metrics that inform the right audience so that IT, security, and risk professionals can influence decision-making appropriately. 

5. Analytics for Assurance

Analysts agree that digital maturity has reached a tipping point when it comes to IGA. Underlying all of the conversations around metrics and compliance requirements is the merging of four key functions:

  • Administration
  • Authorization
  • Analytics
  • Assurance

The longtime manual functions of administration and authorization may be shifting towards robotic process automation (RPA), but they also need to incorporate analytics and documentation so that organizations can prove assurance. 

To secure data while also meeting compliance requirements, organizations need to start incorporating tools that help them establish a Governance First approach to identity lifecycle management. Digital transformation and cloud-based infrastructure models are changing the way users interact with data. To truly adopt a cohesive, holistic IGA program, companies need to create risk-based approaches enhanced by analytics. 

Why Saviynt? Intelligent Analytics for Assured Compliance-as-a-Service

Saviynt’s intelligent analytics enable organizations to create and monitor metrics that prove governance over their IGA programs. 

The Identity Governance Access (IGA) module allows organizations to compare user access behavior to peers to accelerate cloud migration. By comparing a user’s behavior to their peers, the enterprise has insight into whether the user access request is similar to others or different, thus lowering the risk of elevated access, maintaining “least privilege necessary” policies, and reducing Segregation of Duty (SOD) violations.

Saviynt’s integration of Cloud Privileged Access Management with IGA and advanced analytics changes how organizations secure their cloud and comply with the Shared Responsibility Model. Our real-time monitoring and enforcement of security policies, including segregation of duties, enable organizations to continuously monitor, remediate, and document their compliance activities. 

Our role-based lifecycle management extends beyond traditional RBAC/ABAC to provide just-in-time provisioning of fine-grained entitlements that protect the enterprise from privilege abuse, ultimately protecting from cyber attacks. 

With Saviynt, organizations can secure their IGA while streamlining business operations to meet new digital transformation needs. 

For more information, contact us for a demo today. 
