Today, organizations serve a growing and diverse user population. The proliferation of mobile and connected devices has led to an explosion in the number of accounts, access points and entitlements organizations must manage. Amidst a global crisis, this has been exacerbated by employees working from home on a number of different devices and needing access to critical applications and sensitive information to do their jobs. In response, organizations enabled remote workforces in record time to ensure business continuity. From distributing new authenticators to rolling out new collaboration tools like Microsoft Teams and Zoom, businesses rushed to support the quick pivot to a remote workplace.
Now is the Time to Talk Governance
Haste often brings a short-term view focused on meeting the immediate need, with certain risks and security concerns filed under “worry about it later.” For organizations that have successfully achieved some state of business continuity, it’s now time to focus on understanding what exposure resulted from the emergency steps taken. What access was granted, to whom, for what purpose and for how long?
In most cases, organizations have found a rhythm working remotely, but identity management leaders may be struggling to gain full visibility across the surge of devices and applications. That surge has created the challenge of distinguishing legitimate devices and users from malicious ones. Identity governance and access assurance are critical given the increased threat surface and the additional vectors for cyber criminals to exploit in the new work-from-home environments.
The 2020 KuppingerCole Identity Governance & Administration (IGA) Leadership Compass notes that the IGA market is continuing to evolve as security leaders look to gain visibility across their organizations and the islands of identity multiplying in blended cloud and on-premises environments. A solution that can provide simple and automated access requests or self-service password reset can make the transition to remote work less stressful while empowering employee productivity. When remote teams have a user-friendly solution to request access to apps and resources, it also reduces the requests coming into help desks, streamlining processes and simultaneously cutting IT costs. As employees join organizations, transition roles and teams to fill gaps, or exit, it’s more important than ever to prepare for the “Joiners-Movers-Leavers” to maintain a continuous state of compliance and enforce user access policy. Temporary rules and policies can be instituted to ease the burden and to monitor and remediate exceptions and violations. Additionally, automated provisioning and deprovisioning based on those temporary rules, roles or attributes can eliminate manual efforts, reducing risk to the business.
Change is Certain and Constant in the New Normal
With the majority of employees now working from home, the re-certification of access rights is more critical than ever. The amount of access and entitlement data that re-certification requires teams to manage far outpaces what an identity team can handle. Organizations need a solution that provides continuous compliance, helps manage and provision user access, and ensures compliance with regulatory and corporate mandates. By leveraging advanced analytics and automating common tasks, identity teams can reduce unnecessary access to systems and applications as well as the administrative burden. If you’ve rolled out new devices, applications and other tools to get your remote workforce up and running, here are four priority areas of governance to focus on:
- Enable risk-aware, context-driven governance by integrating risk management and access management in identity governance and lifecycle processes – instead of managing them as separate issues.
- Surface meaningful information for decisions by organizing activities by risk, priority and context, which can help reduce certification fatigue for business managers.
- Discover outliers and inappropriate access by using a risk-based approach to quickly identify outlying access requests, flag them and prioritize them for remediation.
- Automate processes so that in addition to providing secure access, you can fulfill it efficiently and effectively.
Governance Makes Things Easier, Not Harder
Having the right business-friendly solution in place along with sound policies, workflows, audit capabilities, and a change management framework will help ensure your organization can apply the proper focus on access risk. A solution that can help you focus on understanding what may have resulted from business continuity actions and emergency steps taken at the onset of the crisis will provide necessary insight and make identifying identity and access risk easier, not harder.
Security, risk and IT teams must find ways to secure access and ensure compliance while supporting the speed of business. Identity governance needs to provide visibility combined with risk analytics to prioritize actions and share identity insights across the security and risk ecosystem. Identity can no longer be a siloed IT control -- it must be integrated as a security and risk control.
If your organization is looking to address governance and access management risks of a newly remote workforce, check out RSA® Identity Governance and Lifecycle. Please contact us to discuss how RSA can help you.
Author: Jerry Aubel