Identity First Series: Helping you structure your approach to identity security
Three Identity Governance Questions You Need to Ask
Identity governance comprises two elements: the digital identity of an employee, and the process that manages it. With the rise of cloud services and remote working, identity governance and administration (IGA) is more important than ever before.
Here we will cover the basics of identity governance and answer the most important questions you should be asking yourself on the topic. Does your business have the right approach? That is, one that minimises risk, saves cost and increases organisational efficiency. Is IGA at the centre of your Identity and Access Management strategy? If you haven’t reviewed your IGA, then now is the time to take action. Put simply, check that your identities match your users.
What is Identity Governance and Administration?
Identity governance is the policies and processes you have in place to control your users’ identities. It is about how accounts and permissions are granted, managed, and revoked. The term refers to not only the management of these accounts but also the security measures and practices surrounding them.
Ensuring accounts have different levels of access depending on job role is a first line of identity security defence.
Giving each account a level of access that depends on the person’s job role within the company is role-based access management (RBAC). Governance ensures that access to the appropriate resources is assigned to each role.
Then there is privileged access management (PAM). A member of the accounting team needs access to financial systems to view financial information on the company. A member of IT needs access to the same system to manage and change it. Both have access, but the level of access is appropriate for their role, and no higher. By using RBAC and PAM with identity governance, you can always make sure that the right people are accessing the right things at the right level.
Why Identity Security Governance Matters
Most businesses have at least some degree of identity security governance. Those that don’t, or fail to prioritise it, are taking a big risk. You could argue that the level of the risk is the same regardless of whether your approach to governance is casual or non-existent.
Ask yourself the following questions to assess the strength of your identity governance.
Are you creating security risks?
The majority of security risks posed by poor identity security governance come from access being revoked too late. This generally happens when a staff member moves to a new role, or leaves the business, without having their account updated or removed.
If this happens, the ex-employee can still access critical data, to the detriment and danger of your business. If this happens frequently, or goes unnoticed for a long time, the risk that one of your former employees could do catastrophic damage to the company increases.
When did you last audit your identities to check they match your expectations?
Are you wasting money on software?
With the advent of subscription model software licensing, knowing how many user licences you need at any one time is key. It allows businesses to stay compliant and keep costs down.
For example, let’s say you have 100 employees. You pay for 100 software licences so that your team can do their job. Over the course of a year, though, ten employees leave and another ten join. So you buy 10 more software licences for the new staff members.
When you get your invoice, you realise that you’re now paying for 110 licences even though you only have 100 employees. This is a small-scale example, but the risk of spending needless thousands is very real.
Are you certain you’re not paying for more licences than you need?
How do you know who’s who?
Finally and most crucially, do you know who’s who when you examine your workplace accounts?
Part of effective identity security governance is catching potential problems before they develop. Having a cast-iron process for controlling access, reusing software licences and revoking privileges will ensure that you are always on top of your employees’ digital identities.
Do you have protections in place to spot problems before they arise?
The best way to establish identity security governance
Ask yourself these three questions and you should have a good idea of whether you need stronger identity security governance policies. There is a multitude of products in the marketplace to help you keep track of your identities, but IGA starts with your processes and is a business issue first, and a technology issue second. By assessing your joiners, movers and leavers (JML) processes and clearly defining policies, you can start applying technology to the real problem in hand.
Talk to our experts who can perform a drains-up audit on your identity governance system. We can help raise your security while cutting costs. Reach out to the Innovate IT team for more information.