Transforming your identity program: Is access management your transformation bottleneck?


When COVID-19 first hit in early 2020, some organisations started to deliver their transformation projects with a new level of urgency and a revised scope as they deployed solutions to deal with the worst pandemic in 100 years.

Australian cities spent the best part of 2021 locked down, which placed more pressure on technology teams to create and deliver the right digital services for customers and citizens everywhere.

A crucial part of these transformations is moving to multi-cloud environments that can reduce the risk of cost blowouts on infrastructure — and enable internal teams to deliver services quickly.

But for some, this creates challenges around identity and privileged access management. As organisations deploy more cloud services, a lack of identity governance and compliance visibility can create security issues.

CSO Australia and Saviynt, a provider of intelligent identity management solutions, hosted Australian chief information security officers at a recent roundtable luncheon to discuss how legacy IAM infrastructure can hold back an organisation’s digital transformation activities.

Following the discussion, Saviynt’s regional vice president, Australia & New Zealand, John Vine Hall, provides some advice on the impact of legacy systems and how CISOs can get the most out of more modern IAM offerings.

Vine Hall says that identity is the new perimeter. Why? Because in most modern organisations critical data does not live in infrastructure they control with traditional security network protection solutions — such as firewalls — that aim to prevent outsiders from penetrating systems.

“Data sits in public clouds and anyone with passwords and credentials can gain access. If your organisation doesn’t have the right insights into which identities have access to what, and when, then the rest of your security approach doesn’t matter,” he says.

Legacy risks

The issue with many legacy access management and identity governance solutions is that they are not holistic, says Vine Hall.

“Due to their deployment complexity, traditional solutions simply can’t keep up with the level of change in most organisations today. As a result, they typically only cover a portion of an organisation’s key systems,” he says.

In addition, he says, they are often designed for the ‘on-premise era’, not the multi-cloud era we live in today. Legacy solutions also don’t provide the context needed to support more intelligent security decisions, he says.

“When I ask a manager if somebody still has access to something, the answer is almost always ‘yes.’ And that makes sense because managers want to give team members access to the tools and data that they need to do their job,” he says.

“If I ask that same manager if an employee should have access to very sensitive information that nobody else in a similar role has accessed for some time, then the answer is usually ‘no.’”

Vine Hall says that it’s all about context; legacy solutions provide a ‘rubber stamp’ outcome. Modern identity governance and administration is about providing the right context to support making the right access decisions to reduce the chances of a security incident, he says.

Finding the right balance

Maintaining a good balance between providing a good user experience – which is critical for adoption – and making sure that identities across the business are properly secured is an ongoing challenge for CISOs and their teams.

Vine Hall advises CISOs looking for that balance to ask themselves a few sensible questions that are aligned to the business, and not necessarily IT.

“First, that means making sure the systems are engaged and use the language of the ‘end user.’” Another issue, says Vine Hall, is providing the right context to deliver a frictionless user experience without compromising security.

“When asking a manager to approve, or even request that a new user be added and provided access, we need to make it clear what the risks are and again, we need to use language that the end user understands. Modern identity systems can analyse systems to understand risk, and then ‘bring that to the surface’ to support access decisions,” he says.

Finally, enterprises need a system that can keep up with the business as it grows and brings new technology into the fold. Onboarding new applications and identities needs to happen in days not weeks or months, he says.

“Users should have one place to go when they are onboarding, not different systems. And your identity solutions must be flexible and work seamlessly with other security tools.

It also needs to support the various types of human identities in an organisation; the experience and access required for a contractor will be vastly different to a full-time employee or third-party service provider. The solution needs to be flexible enough to meet these different use cases,” he says.

Achieving a ‘zero trust’ state

Zero trust, a security concept that eliminates trust and requires an organisation to always verify anything and everything trying to connect to its systems before granting access, is considered a good way to improve an enterprise’s security posture and stop breaches.

Vine Hall says zero trust is all about making sure that a ‘least privilege approach’ is taken to protect data and IT systems from takeover.

“You can’t achieve zero trust without answering three key questions: ‘who should have access?’, ‘what type of access should they have?’, and ‘for how long?’ Without a solution to automate this process and make intelligent decisions in real time, you simply can’t enforce zero trust.

“Transforming your identity program is the first foundational step in the zero trust journey.”
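The access-review logic Vine Hall describes, as an added illustration that is not part of the original article and not Saviynt's product code: each grant is checked against the three questions (who should have access, what type, for how long) and against the peer-usage context from the earlier example, where sensitive access that neither the holder nor anyone in the same role has exercised for some time is recommended for revocation. The grant records, the 90-day staleness threshold and the decision labels are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed threshold for "not accessed for some time" (constructed value, not from the article).
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Grant:
    """One identity-to-resource entitlement as an IGA system would hold it."""
    user: str
    role: str                      # the peer group used for context
    resource: str
    sensitive: bool                # "what type of access" (sensitive vs. routine)
    expires_on: Optional[datetime] # "for how long": None means standing, never-expiring access
    last_used: Optional[datetime]  # None means the access has never been exercised


def peers_used_recently(grants, grant, now):
    """True if someone else in the same role used this resource within STALE_AFTER."""
    cutoff = now - STALE_AFTER
    return any(
        g.user != grant.user
        and g.role == grant.role
        and g.resource == grant.resource
        and g.last_used is not None
        and g.last_used >= cutoff
        for g in grants
    )


def review_grant(grant, grants, now):
    """Return (decision, reason) for one grant.

    Decisions: 'revoke' (automate), 'review' (send to the manager with context),
    'keep' (still justified). This is the 'context' step rather than a rubber stamp.
    """
    # Time-boxed access that has run out is removed without asking anyone.
    if grant.expires_on is not None and grant.expires_on <= now:
        return "revoke", "time-boxed access has expired"
    unused = grant.last_used is None or grant.last_used < now - STALE_AFTER
    if not unused:
        return "keep", "access exercised recently"
    if not grant.sensitive:
        return "keep", "unused but not sensitive; low priority for clean-up"
    if peers_used_recently(grants, grant, now):
        # Peers still need it, so the role itself probably does: ask, with that context.
        return "review", "unused by this user, but peers in the same role still use it"
    return "revoke", "sensitive, unused, and no peer in the same role has used it"


def run_review(grants, now):
    """Review every grant; keyed by (user, resource) so a test can check each outcome."""
    return {(g.user, g.resource): review_grant(g, grants, now) for g in grants}


# Constructed sample entitlements and usage data.
NOW = datetime(2021, 12, 1)


def days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_GRANTS = [
    Grant("alice", "analyst", "hr-salaries", True, None, days_ago(200)),        # stale, no peer use
    Grant("carol", "contractor", "build-server", False, days_ago(5), days_ago(1)),  # expired contract
    Grant("dave", "analyst", "wiki", False, None, days_ago(150)),               # stale but routine
    Grant("erin", "analyst", "customer-pii", True, None, days_ago(120)),        # stale, peers active
    Grant("frank", "analyst", "customer-pii", True, None, days_ago(3)),         # in active use
    Grant("grace", "analyst", "customer-pii", True, None, None),                # granted, never used
]

if __name__ == "__main__":
    for (user, resource), (decision, reason) in run_review(SAMPLE_GRANTS, NOW).items():
        print(f"{user:6} {resource:14} {decision:7} {reason}")
```

The point of the `review` outcome is that the manager is asked a question with the context attached (this person has not used it, but their peers do), rather than the bare "does Alice still need access?" that the article says is almost always answered yes.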

Copyright © 2021 IDG Communications, Inc.