IT security practitioners generally agree that Identity and Access Governance has grown organically and piecemeal over the past decade. Data breaches and regulatory compliance pressures (e.g. SOX, HIPAA) are forcing executive management and company boards to take notice of issues that cause reputational and financial damage and ultimately hit an organization's bottom line. Historically, IT security was seen as overhead and a business inhibitor, so the domain was relegated to a few security practitioners in a corner; to most business executives, it meant firewalls and antivirus at best.
Business leadership has a case here, though, because IT and IT security leadership were seen as reactive rather than proactive. A lot has been written about how IT can be a strategic differentiator and enabler for any business if business leadership understands and appreciates its impact. If corporate IT was not seen as strategic, IT security was positioned even worse. A telling indicator of how business leaders have treated IT security is that CISOs typically report to CFOs rather than to CIOs; a CISO as a peer of the CIO was unheard of. Why? Because IT security was seen purely as a cost overhead to be minimized as far as possible, securing IT assets just enough not to inhibit the business.
And then the shock therapy arrived. With Cloud, Social, Big Data, Smart Devices, and globalization on steroids, the dynamics of IT security changed overnight. Now it is IT security's turn to act as a market enabler and provide a strategic business advantage; the days of playing catch-up on IT security are long over. The age-old management adage, "You can't manage what you can't measure," has never been truer than for IT security: without visibility, you can't protect what you do not know exists in your environment, good or bad. It is high time business executives re-evaluate where their IT security leaders sit in the organization and ask: do they get enough board time, do they have a strategic plan to secure IT assets, and do they have an adequate budget to execute it?
A QUICK IGA PRIMER
For executives without in-depth exposure to IT security, a quick primer on IGA. The acronym stands for Identity Governance and Administration. Identity is the digital identity of an entity within an organization, whether a human or an IT asset (PCs, laptops, smart devices, etc.): a digital handle by which that entity is authenticated and managed. Governance and Administration is the overarching process of managing each identity's role in the organization and its corresponding appropriate access, both logical and physical, to a variety of IT and non-IT assets, including the routine validation and certification processes that ensure access remains valid and is granted on a need-to-know basis only.
WHERE TO PLACE IDENTITY IN THE SECURITY ECOSYSTEM?
Given the above discourse, one can quickly relate to the criticality of Identity for an organization and of securing that Identity within the organization. As a practitioner in IT security and related domains for over two decades, I think of Identity as nothing short of the "keystone" of any IT security bridge. If your keystone is weak, your bridge will collapse. In IT security terms, I can have the best of defenses with firewalls, antivirus, SIEM, DLP, etc. However, none of it matters if someone gains access to any Identity in the organization, by legitimate or illegitimate means, with the intent of causing harm.
Any organization and leadership serious about IT security and focused on protecting brand and market share, let alone avoiding regulatory fines and breach litigation losses, has to get the IGA equation ironed out. By addressing Identity Governance challenges, leadership will dramatically improve the organization's security posture and make existing IT security assets more productive, and do so cost effectively.
In a series of upcoming write-ups that I plan to write, God willing, I will address why IGA 2.0 is important, what differentiates it from prior-generation IDM and/or IAM solution sets, what the key design and architecture principles to note are, and why they matter. I look forward to your feedback, your experiences, the opportunity to compare notes, and any pointers. You can reach me at firstname.lastname@example.org.
Thanks for reading and Go Secure!