5 Security and Risk Management Challenges: Converge 2019 Preview

Digital transformation is shifting the perimeter to identity, increasing the value of robust Identity Governance and Administration (IGA) programs. To protect data security and privacy, organizations need to develop cyber practices, identify information security risks, and strengthen their IGA programs. At Converge 2019, Saviynt and our partners will be tackling some of our customers’ biggest security and risk management challenges so that we can make 2020 a more secure year.

How Does Identity Governance and Administration (IGA) Strengthen Vendor Risk Management Programs?

Vendor risk management (VRM) is always a hot risk and security topic. As your organization scales, you may be looking to add external resources to enable business operations. Whether you’re hiring contractors or incorporating new technologies, you increase your vendor risk.

Each new identity – person or non-person – also increases the organization’s access and cybersecurity risks. As part of your VRM monitoring program, you need to limit the access you grant vendors.

To manage human vendors, you need to:

  • Ensure “least privilege” access to systems, networks, and data
  • Create time-bound access that ends when the contractor completes the work
  • Provision additional access based on new needs
  • Include the ability to re-instate access after the account has been dormant

To manage non-human vendor risk, you need to:

  • Create these as identities
  • Monitor their access continuously
  • Establish time-bound access rules
  • Monitor for new risky workloads, containers, servers, serverless functions

However, managing these identities and their inherent risks often becomes unwieldy as organizations struggle with multiple governance tools. Even for organizations that have already consolidated their identity management programs into a single dashboard, threat vectors continue to evolve, leaving organizations in a continuous state of risk.

How to Manage Bots As Part of Holistic IGA Program

Your digital transformation strategies often require you to bridge legacy systems and modernized IT infrastructures. Robotic Process Automation (RPA) enables you to simulate human interactions within your legacy IT infrastructure to automate a variety of tasks so that you can streamline business operations. In fact, Deloitte’s 2018 Global RPA Survey predicts that RPA adoption will be near-universal within the next five years.

RPA’s cross-functional and cross-application rules-based processing enables organizations to streamline repetitive tasks such as moving files and folders, copying/pasting data, reading and writing to databases, and extracting structured data from documents. As part of these functionalities, RPAs often access sensitive information. To maintain data security and privacy, you need to incorporate RPA as part of your risk assessment and risk mitigation compliance initiatives.

Unfortunately, despite the need for RPA as part of digital transformation strategies, organizations continue to face significant security risks, including:

  • Lack of audit documentation
  • Inability to manage user access privileges/segregation of duties risk
  • Inability to protect credentials during run-time
  • Lack of centralized robotic identity and access management processes

Weighing the business need for RPA against the risks inherent in its use often means that organizations find it difficult to create secure digital transformation strategies as they move from legacy on-premises infrastructures to hybrid or cloud-based ecosystems. Meanwhile, many solutions fail to appropriately secure RPA access and monitor for potential compliance violations.

Why Organizations Need to Continuously Monitor Service Account Access

Expanding your cloud-based infrastructure means incorporating more Software-as-a-Service (SaaS) applications into your organization, which are often updated using service accounts. Additionally, whether you use an Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS) provider, those cloud services also interact with your ecosystem using service accounts.

Service accounts log onto systems to perform security updates, make changes to operating systems, or update configurations. Often, service accounts are members of Administrator groups and have privileged access to networks, systems, and software. As part of your risk management program, you need to find a way to mitigate the threats arising from service accounts.

Organizations often open themselves up to new security risks arising from service accounts such as:

  • Misconfigured settings that provide excess privilege
  • Copying old privileges to new service accounts that provide excess access
  • Assigning service accounts to pre-existing Administrator and Domain Administrator groups
  • Redundant user rights
  • Retaining default passwords that malicious actors can easily exploit
  • Lack of service account monitoring
  • Lack of expiration dates for passwords
  • Lack of auditability for service accounts

Many organizations fail to maintain the “least privilege” service account access necessary for complying with the organization’s privacy policy. Since many organizations lack appropriate governance over these accounts, malicious actors target them as a way to gain privileged access to sensitive information.

Why Enterprises Find Managing Serverless Functions Difficult

As you migrate critical business operations to the cloud, your organization likely incorporates serverless architectures. Serverless computing removes the burdens associated with on-premises software and hardware, enabling you to more rapidly scale your infrastructure.

However, the ease and speed of these functions lead to new cybersecurity risks such as:

  • Misconfigured deployments
  • Excess permissions and roles
  • Lack of monitoring and documentation
  • Inability to secure application secrets storage
  • Orphaned resources

Similar to the risks associated with service accounts, many organizations find monitoring serverless functions difficult. An organization’s IT infrastructure often contains more serverless identities than human identities, so monitoring for new serverless functions or compromised privileged access arising from these functions becomes overwhelming. The lack of governance ultimately increases compliance risk, particularly segregation of duties (SOD) compliance violations.

How To Continuously Monitor Infrastructure Workloads For Better Security

Secure cloud infrastructures also require focusing on creating a secure DevOps strategy that protects cloud workloads as part of your overarching risk management strategy. The Shared Responsibility Model that governs IaaS and PaaS strategies requires organizations to secure these web servers, containers, and nodes. However, your developers may be reusing code and templates, not realizing that the re-used configurations increase the organization’s cybersecurity risks. Gartner recognizes these struggles and suggests that “security and risk management leaders should evaluate and deploy offerings specifically designed for cloud workload protection.”

Since legacy solutions lack the capability to manage workload security across a hybrid, cloud-first, or cloud-only infrastructure, organizations open themselves up to new risks such as:

  • Misconfigurations
  • Inability to manage identity, credential, access, and keys
  • Lack of API governance
  • Lack of visibility into cloud usage
  • Excess access privileges

The cloud’s volume and velocity mean that DevOps continuously spins up new workloads or containers. Organizations often lack the ability to continuously monitor their hybrid and cloud infrastructures in real-time from a single pane of glass.

Why Converge 2019? Identity Meets Security

Saviynt’s annual Converge Conference, in association with our partners, focuses on the most important security and risk management challenges facing organizations. From organizations seeking to modernize their IT infrastructures to current customers who want to expand their Saviynt business value, Converge 2019 will provide insightful breakout sessions addressing the most pressing Identity Governance and Administration concerns facing your organization.

As cloud strategies rapidly establish Identity as the new perimeter, the convergence of people, processes, and technology becomes a security and risk management imperative. At Converge ’19, attendees will experience our new immersive environment while engaging with peers and sponsors in a new, dynamic way.

To learn more about how you can secure your data and better manage your risk, register today.

Diana Volere

About author

Diana is a strategist, architect and communicator on digital identity, governance and security, with a passion for organizational digital transformation. She has designed solutions for and driven sales at Fortune 500 companies around the world, and has an emphasis on healthcare and financial verticals. In her role as Saviynt's Chief Evangelist she is a technical advisor for and strategist with partners and customers to derive business value from technical capabilities. Her past twenty years have been spent in product and services organizations in the IAM space.
