Focusing on Identity is the new way to win the game of Risk
When we look at the current trends in the Identity and Access Management practices of organizations, we see repeated mistakes made by users and administrators that inadvertently create vulnerabilities leading to data loss and breaches. More personal information data losses occurred In the first half of 2018 than in all of 2017. These “incidents” create a numbing effect to the population as a whole and are causing business stakeholders to focus risk management conversations to address the challenges of Identity Governance.
When you think about risk related to Identity, you have to first understand that the impact of that Identity depends on who you are asking. If you are asking the user whose Identity was compromised they may not understand what that risk actually means. They only know that they are now inconvenienced and may hold a grudge towards the entity that holds their account or personal data. This results in a negative corporate image or potential loss of business.
From the side of the enterprise that suffered the data loss it’s a completely different story. The technical folks want to know how the breach occurred, what data was actually released and how do they close the gaps. The technical folks are usually not looking at the risk associated with the Identity nor what that data loss means to the enterprise as a whole. This gap between the technical folks and the leadership will result in a continued lack of Identity visibility and Identity risk.
The risk aspect comes from the stakeholders in the business and the enterprise leadership. They don’t really want to know the technical aspects of how the incident occurred they just want to know “how bad is it?” What does it mean to a potential loss of reputation and ultimately the bottom line? The technical problems are assumed to be fixed. It is the business risk that is the main concern.
This is where the concept of Identity risk really matters!
If you have the ability to know what access a user has, how they use that access and most importantly how they gained that access you can begin to understand the risk the incident poses to the company. When we understand the entire picture of user access rights and apply governance to those users, we can more easily answer the ultimate question of what risk the incident poses to the company?
A program that includes only the joiner/mover/leaver aspect of IAM is only a small piece of the puzzle in understanding the risk. You need to be able to include data that can adapt to the enterprise in real time to actually know what the risk is for any particular user or the enterprise as a whole. The risk visibility needs to apply to not only when an approval takes place but also when a request is being made. The users need to be educated that when they are granted access to a resource that there is a certain level of inherent risk involved.
At Saviynt we treat each Identity as a piece to a puzzle to provide a complete view into your enterprise and in real time answer the question “What’s the Risk?”