Reimagining Identity Governance


I had the opportunity to join ISACA to talk about all things identity governance – specifically where traditional controls are falling short for modern businesses and how to bridge the gap between compliance measures and security outcomes.

Below is a recap of the top takeaways from my conversation with the wonderful Lisa Cook. To hear it in full, check out the recording here.

1. Traditional governance controls are ill-suited for a cloud-first world

Companies are adopting SaaS and cloud-based infrastructure applications at an unprecedented velocity. If you take the number of employees and contractors in your workforce and multiply it by the number of applications across your systems, your attack surface area increases exponentially. Gartner forecasts that cloud technologies and software will take up to two-thirds of enterprise IT spending by 2025. But make no mistake: this problem isn't confined to large enterprises; we're seeing medium-sized companies struggle with it too.

On the other hand, you have traditional governance controls, which are designed to curtail inappropriate financial behaviors or demonstrate a high level of information security. These controls are rooted in security but are falling short of delivering tangible security outcomes: compliant companies are still getting breached. Not to mention, in a world with a proliferation of SaaS applications and privileged access, these controls require a lot of effort to execute on any regular cadence.

So the question becomes: how do we take these activities, which are mandated by compliance, and evolve them such that they strengthen security in practice?

2. Bridging the gap between compliance and security with automation

Forward-looking security teams are recognizing that many governance-centric controls can be effective tools for reducing risk and are looking for ways to automate these controls as much as possible. Take user access reviews, for example: they can be effective at reducing and removing unused or inappropriate access and orphaned accounts. But if you're just following the letter of the law from a compliance perspective, you might only be running these reviews once a quarter, if that. This means companies end up with users, identities, and over-permissioned accounts in their systems that an attacker could compromise.

Candidly, reviewing and auditing privileged access once a year is just not fast or frequent enough to mitigate risk. But for many companies, the effort required to manage these kinds of controls simply isn't sustainable. I think we'll see more of an emphasis on user-friendly, automated workflows to up-level traditional governance controls like user access reviews, and a push to move user deprovisioning and access grants to just-in-time or time-bound models. Only then can companies make real headway toward reducing identity security risk.
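To make the automated access review concrete, here is an added example that is not part of the original post, nor code from ISACA or any IGA product. It assumes a small, constructed inventory: an HR feed of identities with an active flag, and a list of application grants carrying a grant time, an optional expiry, an optional last-used time, and a privileged flag (all field names and the 60-day and 7-day thresholds are assumptions for illustration). The review classifies each grant as orphaned (no live owner), expired (time-bound window passed), unused (no activity within the stale threshold), or standing privileged (privileged access with no expiry), and then produces a remediation plan that revokes the first three classes and converts standing privileged access to a time-bound grant.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    user_id: str
    active: bool  # still employed or contracted, per the HR source of truth


@dataclass(frozen=True)
class Grant:
    user_id: str
    app: str
    role: str
    granted_at: datetime
    expires_at: Optional[datetime]    # None means standing access with no expiry
    last_used_at: Optional[datetime]  # None means never used since it was granted
    privileged: bool


STALE_AFTER = timedelta(days=60)    # assumed: unused this long -> revocation candidate
PRIVILEGED_TTL = timedelta(days=7)  # assumed: window proposed for converted privileged access


def review_grants(identities: List[Identity], grants: List[Grant],
                  now: datetime) -> Dict[str, List[Grant]]:
    """Classify every grant the way an automated access review would."""
    known = {i.user_id: i for i in identities}
    findings: Dict[str, List[Grant]] = {
        "orphaned": [], "expired": [], "unused": [], "standing_privileged": []}
    for g in grants:
        owner = known.get(g.user_id)
        if owner is None or not owner.active:
            findings["orphaned"].append(g)  # offboarded or unknown user still holds access
            continue
        if g.expires_at is not None and g.expires_at <= now:
            findings["expired"].append(g)   # time-bound grant past its window
            continue
        last_activity = g.last_used_at or g.granted_at
        if now - last_activity > STALE_AFTER:
            findings["unused"].append(g)    # nobody has exercised this access recently
        if g.privileged and g.expires_at is None:
            findings["standing_privileged"].append(g)  # should become just-in-time
    return findings


def remediation_plan(findings: Dict[str, List[Grant]],
                     now: datetime) -> List[Tuple[str, str, str, str, str]]:
    """Turn findings into (action, user, app, role, detail) tuples for the workflow engine."""
    plan: List[Tuple[str, str, str, str, str]] = []
    for reason in ("orphaned", "expired", "unused"):
        for g in findings[reason]:
            plan.append(("revoke", g.user_id, g.app, g.role, reason))
    for g in findings["standing_privileged"]:
        bounded = replace(g, granted_at=now, expires_at=now + PRIVILEGED_TTL)
        plan.append(("convert_to_time_bound", g.user_id, g.app, g.role,
                     bounded.expires_at.isoformat()))
    return plan


def ts(day: str) -> datetime:
    """Constructed timestamps: midnight UTC on the given ISO date."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample inventory (not real data).
NOW = ts("2024-06-01")
IDENTITIES = [Identity("alice", True), Identity("bob", True), Identity("carol", False)]
GRANTS = [
    Grant("alice", "payroll", "admin", ts("2024-01-01"), None, ts("2024-05-28"), True),
    Grant("alice", "crm", "viewer", ts("2024-01-01"), None, ts("2024-02-01"), False),
    Grant("bob", "prod-db", "dba", ts("2024-05-01"), ts("2024-05-08"), ts("2024-05-02"), True),
    Grant("carol", "crm", "editor", ts("2023-11-01"), None, ts("2024-04-15"), False),
    Grant("dave", "github", "admin", ts("2023-09-01"), None, None, True),
    Grant("bob", "crm", "viewer", ts("2024-05-20"), None, None, False),
]

if __name__ == "__main__":
    found = review_grants(IDENTITIES, GRANTS, NOW)
    for category, grants in found.items():
        print(category, [(g.user_id, g.app, g.role) for g in grants])
    for action in remediation_plan(found, NOW):
        print(action)
```

Run on the constructed inventory, the review flags carol's and dave's grants as orphaned, bob's expired DBA window, alice's stale CRM access, and alice's standing payroll admin role, which the plan converts to a seven-day grant instead of leaving open-ended. Scheduling this logic to run daily against real HR and application feeds is what turns a quarterly checkbox into continuous risk reduction.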

3. Time to value is paramount

Modern companies want automation, and they are looking for quick implementation, extensibility, and time to value. And they’re beginning to expect it from their security and GRC tooling. When evaluating IGA solutions, you’re looking at: how quickly can it be rolled out? How well can it integrate with your existing technology stack? These factors are what will drive your ROI calculations.

The quicker you're able to deploy a solution, the sooner you can demonstrate value, from the overhead savings to being able to point to the reduction of admin users and inappropriate privileges as a signal of an enhanced security posture. The right solution resolves the tradeoff between time and effort on one side and risk reduction on the other.

I'm excited about how companies are starting to shift the way they think about identity governance and compliance. There's a bright new world of better technical approaches, better tooling, and better security ahead. It'll require us to focus on the right automation and controls to complete the puzzle; we just have to put in the work.