What We Learned in 2018
How To Create Your Security, Compliance & Governance Roadmap in 2019
By Stuart Beattie, Product Marketing Director
As 2018 recedes in the rear-view mirror, we look at how organizations changed their approach to Identity Governance and Administration (IGA) last year in response to data breaches, insider threats, GDPR, and a call for greater business efficiency and transparency.
The scope of IAM has matured and changed
Throughout 2018, we watched organizations scramble to become GDPR-compliant by implementing effective identity and access governance while simultaneously dealing with an unprecedented level of security breaches.
These problems were compounded by an industry-wide skills shortage and a lack of best-practice processes. Already under-resourced IT departments were tasked with proving GDPR compliance across organization-wide systems and applications, efficiently and on time.
Facing up to challenges in compliance and governance
With GDPR enforcement beginning in May, 2018 was a pivotal year for IAM as organizations identified many gaps in their existing governance policies. They were forced to implement additional procedures to become fully compliant, and to be able to prove that compliance to auditors. They must now show that they are in control of who has access to what, and give appropriate reasons why that access was granted in the first place.
But it quickly became clear that, with the deadline passed, many organizations were still struggling to get a handle on access management. Non-compliance was highlighted by the first GDPR fine in Germany, €20,000 imposed on Knuddels.de, a German social networking site, after it leaked 808,000 email addresses and over 1.8 million usernames and passwords, the passwords having been stored in plain text. This followed a €400,000 fine for Centro Hospitalar Barreiro Montijo, a Portuguese hospital, where authorities found that 689 non-clinical users were registered as physicians and could therefore access confidential patient data they did not need to do their jobs.
User access management is continuous
The Portuguese case illustrates that a key part of becoming compliant is ensuring that every active user account belongs to an employee or contractor who still works for the organization, and that the access previously granted to that person is still appropriate. Orphan accounts, those that were not disabled or deleted when an employee or contractor left the company, are a significant compliance and security risk: they can allow ex-employees and outsiders to access or corrupt business-critical information. Insider attacks show that organizations must regularly reconcile all active accounts against HR and current temporary-worker records, and remove access for anyone who no longer works for them.
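The reconciliation described above, as an added example that is not Omada's code or part of the IdentityPROCESS+ framework: it joins the enabled accounts exported from a target system against HR and contractor records and reports every account that no current worker owns. The record layout, the `Worker`/`Account` classes and the sample data are constructed for illustration; a real run would read the account export from the directory or application and the worker list from the HR system.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Worker:
    """One HR (employee) or vendor-management (contractor) record (constructed layout)."""
    worker_id: str
    status: str                  # "active" or "terminated"
    end_date: Optional[date]     # contract end for temps/contractors, leave date otherwise


@dataclass(frozen=True)
class Account:
    """One login exported from a target system such as AD, an ERP or an EHR (constructed layout)."""
    username: str
    owner_id: Optional[str]      # HR/contractor ID the account is linked to, None if unlinked
    enabled: bool


def find_orphan_accounts(accounts: List[Account], workers: List[Worker], today: date) -> Dict[str, str]:
    """Return {username: reason} for every enabled account that no current worker owns.

    Four situations are treated as orphans: the account is linked to nobody, linked to an ID
    HR does not know, linked to a terminated worker, or linked to a contractor whose end date
    has passed even though HR still lists them as active (a common lag in contractor records).
    """
    by_id = {w.worker_id: w for w in workers}
    orphans: Dict[str, str] = {}
    for acct in accounts:
        if not acct.enabled:
            continue                                   # already disabled: nothing left to revoke
        if acct.owner_id is None:
            orphans[acct.username] = "not linked to any HR or contractor record"
            continue
        owner = by_id.get(acct.owner_id)
        if owner is None:
            orphans[acct.username] = f"owner {acct.owner_id} unknown to HR"
        elif owner.status != "active":
            orphans[acct.username] = f"owner {owner.worker_id} is {owner.status}"
        elif owner.end_date is not None and owner.end_date < today:
            orphans[acct.username] = f"owner {owner.worker_id} contract ended {owner.end_date.isoformat()}"
    return orphans


# Constructed sample data: what an HR export and an account export might look like.
HR_RECORDS = [
    Worker("E100", "active", None),
    Worker("E200", "terminated", date(2018, 9, 30)),
    Worker("C300", "active", date(2018, 12, 31)),   # contract expired, record never updated
]
ACCOUNTS = [
    Account("alice", "E100", True),
    Account("bob", "E200", True),         # left in September, account never disabled
    Account("carol", "C300", True),       # contract ended, still enabled
    Account("svc_backup", None, True),    # shared/service account with no owner on file
    Account("dave", "E999", True),        # linked to an ID HR has never heard of
    Account("eve", "E200", False),        # already disabled, so not reported
]
AUDIT_DATE = date(2019, 1, 15)

if __name__ == "__main__":
    # Each line is an account that should be disabled now and investigated afterwards.
    for user, why in sorted(find_orphan_accounts(ACCOUNTS, HR_RECORDS, AUDIT_DATE).items()):
        print(f"{user:12} {why}")
```

The contractor end-date check is the one most reconciliations forget: HR status alone would have reported `carol` as a valid owner. In practice the output feeds a deprovisioning workflow rather than a manual review, and accounts with no owner (the `svc_backup` case) need an assigned business owner before they can be kept.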
Best practice control is key
GDPR audits also revealed that once an organization is in control of its user accounts, best-practice policies and procedures must be implemented to ensure that it stays in control. Organizations must ensure users are onboarded correctly, with the right access for the role and position they are employed in. They must also ensure that any additional access rights granted during a user's career progression are tracked and managed, and that all access rights are revoked once the user leaves the organization. Additionally, segregation of duties policies should be implemented to detect the access conflicts that can arise when additional rights are granted on top of existing ones. The $17 million fraud case of a Danish welfare worker, who had access to multiple systems, showed that inappropriate combinations of access rights can allow employees to commit fraud, and that only best-practice processes can prevent it.
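A segregation-of-duties check of the kind described above, as an added example that is not Omada's code or part of the IdentityPROCESS+ framework. It flattens a user's roles into the entitlements they actually hold, evaluates a rule list of toxic pairs, and, for an access request, reports only the conflicts that granting the new role would introduce. The role catalogue, the rules and the users are constructed for illustration and do not describe the Danish case; the point they make is that a toxic pair is often split across two systems and two roles acquired at different times, so the check has to run on the combined entitlements, not on each role or system in isolation.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed role catalogue. Entitlements are prefixed with the system that grants them
# because the dangerous combinations usually straddle systems.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "vendor_clerk": {"erp:create_vendor", "erp:edit_vendor"},
    "ap_clerk":     {"erp:create_payment"},
    "ap_manager":   {"erp:approve_payment"},
    "case_worker":  {"welfare:register_beneficiary", "welfare:edit_case"},
    "disbursement": {"payments:approve_disbursement"},
}

# Constructed SoD rules: (entitlement A, entitlement B, why holding both is toxic).
SodRule = Tuple[str, str, str]
SOD_RULES: List[SodRule] = [
    ("erp:create_vendor", "erp:approve_payment", "can create a vendor and approve payments to it"),
    ("erp:create_payment", "erp:approve_payment", "can create and approve the same payment"),
    ("welfare:register_beneficiary", "payments:approve_disbursement",
     "can register a claimant and approve money to that claimant"),
]


def effective_entitlements(roles: Iterable[str], catalogue=ROLE_ENTITLEMENTS) -> Set[str]:
    """Union of everything the user's roles grant; unknown roles raise, they should not be silently ignored."""
    ents: Set[str] = set()
    for role in roles:
        ents |= catalogue[role]
    return ents


def sod_violations(entitlements: Set[str], rules=SOD_RULES) -> List[SodRule]:
    """Rules where both halves are held. The pair is unordered, so one membership test per side suffices."""
    return [(a, b, why) for a, b, why in rules if a in entitlements and b in entitlements]


def check_access_request(current_roles: Set[str], requested_role: str,
                         catalogue=ROLE_ENTITLEMENTS, rules=SOD_RULES) -> List[SodRule]:
    """Conflicts the request would introduce beyond any the user already has.

    Existing violations are excluded on purpose: they belong in a recertification campaign,
    whereas the approver of this request only needs to see what changes if they say yes.
    """
    before = set(sod_violations(effective_entitlements(current_roles, catalogue), rules))
    after = set(sod_violations(effective_entitlements(current_roles | {requested_role}, catalogue), rules))
    return sorted(after - before)


# Constructed users: bob accumulated both AP roles through a promotion, carol spans two systems.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"vendor_clerk"},
    "bob":   {"ap_clerk", "ap_manager"},
    "carol": {"case_worker", "disbursement"},
}

if __name__ == "__main__":
    for user, roles in USER_ROLES.items():
        for a, b, why in sod_violations(effective_entitlements(roles)):
            print(f"{user}: {a} + {b}: {why}")
    # What an approver should see when alice asks for ap_manager on top of vendor_clerk.
    for a, b, why in check_access_request(USER_ROLES["alice"], "ap_manager"):
        print(f"request would introduce: {a} + {b}: {why}")
```

Two design choices matter here. Rules are expressed on entitlements rather than on role names, so a reorganisation of the role catalogue does not silently disable them, and the request-time check compares before and after, so it blocks new conflicts without hiding existing ones that a periodic review still has to clean up.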
Addressing skills shortages with automation
Although the 2017 Cybersecurity Ventures study had already warned that there will be 3.5 million unfilled cybersecurity positions by 2021, many organizations continue to have difficulty hiring trained cybersecurity specialists.
As a result of this skills gap, more and more organizations are deploying automated IGA solutions to better focus the time of their few cybersecurity employees on specialist tasks that require human intervention, like defining and implementing access policies and setting up new role and policy definitions.
Automation is essential
Fortunately, many types of IGA automation already exist, reducing the number of tasks routed to the IT helpdesk. Some of this automation has the system perform tasks itself, while other tasks are automatically "outsourced" to others within the company, including:
- Automatic provisioning of applications when a new employee’s details are entered into the HR system
- Automatic deprovisioning of access when an employee leaves the company
- Self-service capabilities to allow users to request access to software which is then routed to managers and business system owners for approval rather than to the IT helpdesk
- Self-service password reset capabilities eliminating the need for IT intervention
Automation is only part of the answer
While automating some tasks, or automatically routing approvals to others within the organization, does reduce the workload of core security teams, it does not completely solve the cybersecurity skills shortage. Over time, companies must adopt more best-practice processes to further reduce the need for human intervention, while simultaneously increasing the overall efficiency of the IT department and improving the level of service delivered to end users.
Third party threats
Earlier in the year, a small company working with many of the large automotive brands exposed 47,000 sensitive documents, causing many companies to question how they work with third parties. Read more about our answer to this: How Secure are the Third Parties you Deal With?
Efficiency demands increasingly require organizations to grant third parties access to their systems, to view information such as stock levels, delivery dates, sales forecasts, product plans, or customer data, and this incident highlighted the additional challenge such access creates. Only with the right policies, procedures and processes can security and compliance be maintained in such partnerships; failure to do so can result in compliance fines, stolen intellectual property, financial losses, or even the end of the business.
Where does that leave us in 2019?
Knowing where to start on the issues we faced in 2018 can be daunting, even for an organization with cybersecurity experience. But knowing where to focus your energies is critical to getting the best return on investment and ensuring that your organization is protected now and in the future.
To help you kick-start the process, Omada has addressed many of these challenges by creating a best-practice framework that gives organizations a roadmap for quickly and effectively putting in place standardized policies and procedures for managing the security and compliance of user identities. After 20 years of experience with identity and access governance, we can guide you forward with proven steps that add value to your business.
Download a free copy of the 90-page IdentityPROCESS+ e-book and learn how you can implement industry best practices for identity and access governance in your organization.
Omada | January 2019