They say insanity is doing the same thing, the same way, over and over again—and expecting a different result. This sounds a lot like what’s happening in identity governance and administration today. For years, identity teams have taken a siloed, binary approach in which identity governance, day-to-day access management, threat detection and risk management are separate activities that rarely, if ever, intersect. And many organizations continue to do exactly that, even though the result has become predictably disappointing. Fortunately, there’s a more effective way to approach identity governance, by making it part of an integrated, holistic identity strategy. In this approach, identity governance and access control inform each other—and identity and access management, threat detection, and overall governance, risk and compliance (GRC) systems all work together in the interest of improving security. Let’s look at what it means to move toward an integrated approach and how doing so can benefit your organization.
Why Do You Need a More Comprehensive Approach?
At a time when the cloud, mobility and a growing remote workforce are expanding the attack surface, using a siloed approach to identity puts an organization at risk. The siloed approach locks organizations into multiple point solutions that narrowly address individual issues, making it difficult—if not impossible—to pivot and adapt rapidly as threats evolve and regulatory pressure intensifies. This is why it’s time to take steps to improve security by shifting to a more cohesive identity strategy.
Three Ways to Transform Your Identity Strategy
Where do you start? Transforming identity strategy begins with bringing three aspects of risk management to bear on the effort: identity insights, threat intelligence and business context. Applied together, they break down the silos that get in the way of effective identity governance today.
- Identity insights provide context to understand who the user is—an employee? a contractor? (These days, it could even be an IoT device.) Moreover, they show what a user can access and why.
- Threat intelligence from threat detection systems reveals how access is being used and alerts identity managers if that usage constitutes a cyber threat.
- Business context is information—including information from GRC systems—that’s needed to understand whether a user’s access poses a business risk.
Further context around identity risks and policy violations is also important in transforming your identity strategy. The ultimate goal is to improve decision-making throughout the identity lifecycle.
Don’t Let This Happen to You
One note of caution: While you want to stop relying on old ways of thinking about identity management, you also need to be careful about how you proceed. Of course, you need to be open to innovation, and you want to keep your eye on new technologies. But that doesn’t mean being swayed by every new buzzword that comes along. Blockchain is a cool idea, for example, and it may prove to have staying power as a tool for transforming identity strategy—but your focus is best kept on basic steps you can take now to connect access control, threat detection, and identity governance and administration capabilities. That’s how you build a better-integrated identity strategy: one well-informed step at a time.
# # #
Learn more about the steps RSA is taking to ensure that its own identity governance solution works as part of an integrated identity strategy. Sign up for the July 31 webinar “What’s Next for RSA Identity Governance and Lifecycle: Product & Solutions Roadmap Update.”
Author: Tim Norris