By MARIUS AGENBAG, Managing Director
When it comes to the security risks facing your business, the only thing worse than being aware of the many risks that exist is having no idea of them at all. In identity governance, access governance and data governance in particular, not knowing what risks exist is far worse than knowing them, because a known risk can be mitigated.
Mitigating the security risks your business faces needs to be built on a clear understanding of each of these three aspects of information security.
Identity governance is about managing the electronic lifecycle of an individual within an organisation. Access governance follows from this: it is about managing the access, both physical and logical, that such identities have within the organisation, from physical access to the building through to the use of various applications and systems. Finally, data governance is about classifying business information and then having a process in place to manage both the data and individuals' access to it.
Once these definitions are understood, the organisation will need to ask a number of hard questions about the business environment, as well as its people, processes and systems. Moreover, it is vital to find ways to answer these questions, in order to begin minimising the risks the business faces. These questions include:
Only once these questions can be answered completely will the true scope of a company’s security and governance risks come to light. Perhaps the most troubling aspect is that the usual answer to the majority of these questions is: ‘I don’t know’.
What is therefore required is for the relevant tools to be put in place to help provide the necessary answers. These tools, in turn, need to be implemented on a foundation of effective identity management. After all, successful security is ultimately built on an organisation's ability to tie each account and its access to a specific, named person, especially when it comes to access management.
Thus, it can safely be stated that identity governance is the platform on which the other crucial aspects of governance are built. Successfully minimising the risks an organisation faces nevertheless requires a combined solution, one that ensures that all three aspects of governance are dealt with effectively.
The good news is that the technologies exist that can help to enable effective governance. Moreover, these technologies can be combined with effective methodologies, such as advisory auditors’ best practices, in order to deliver a security audit in a manner that is not only fast and effective, but one that is also easily repeatable. This, in turn, makes the process simpler, faster and much more cost effective.
Crucially, because it is technology-based, such an audit can check the company's entire landscape, where human auditors may only check a sample, and can produce a report detailing every aspect of access information, such as what accounts exist on what systems and when the passwords for those accounts were last changed. This provides definitive evidence of the risks a company faces and a holistic view of all the organisation's business systems.
This is, however, only the first step in mitigating such risks. Once the risks are known, it becomes possible to move from mere risk definition to active risk detection, and finally to risk prevention.
With regard to identity governance, such a roadmap could begin with determining who works for the organisation. It could then, via reporting, discover whether there are people no longer in the company's employ who still have access to its systems. Finally, it should lead to a risk prevention strategy that, for example, ensures that the moment an employee's contract is terminated, instructions are issued to remove their access from all systems.
When it comes to access governance, the roadmap would move from knowing what access should exist and who should be allowed to use it, to having ways of detecting whether granted access is being misused, to a risk prevention strategy that could, for example, prevent an employee from requesting a toxic combination of entitlements, that is, a combination that violates separation of duties.
Finally, with data governance, the roadmap could include moving from learning whether any information is in breach of compliance legislation, to preventing access to this data, to finally being able to quarantine files that may have been stored in an insecure folder or application.
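The identity and access parts of the roadmap above, detecting orphaned accounts, stale passwords and separation-of-duties conflicts in an audit report and then blocking a toxic access request before it is granted, can be shown as a small reconciliation over sample data. This is an added example, not code from the original article or from any product it refers to; the HR roster, account exports, entitlements and toxic-combination rules are constructed here, and their formats are assumptions.

```python
"""Identity and access governance reconciliation over constructed sample data.

Added example, not from the original article. The data formats below are
hypothetical: an HR roster (who is currently employed), per-system account
exports (including when each password was last changed), an entitlement list
and a table of toxic entitlement pairs (separation-of-duties rules).
"""
from datetime import date, timedelta

# Constructed HR roster: employee id -> name and employment status.
# In practice this comes from the HR system of record.
HR_ROSTER = {
    "e100": {"name": "A. Dlamini", "status": "active"},
    "e101": {"name": "B. Naidoo", "status": "terminated"},
    "e102": {"name": "C. van Wyk", "status": "active"},
}

# Constructed account exports from three systems. "owner" is the HR employee id
# the account was tied to, or None when it could not be tied to a person.
ACCOUNTS = [
    {"system": "erp", "account": "adlamini", "owner": "e100", "pw_changed": date(2024, 1, 15)},
    {"system": "erp", "account": "bnaidoo", "owner": "e101", "pw_changed": date(2023, 3, 2)},
    {"system": "ad", "account": "svc_backup", "owner": None, "pw_changed": date(2021, 6, 30)},
    {"system": "crm", "account": "cvanwyk", "owner": "e102", "pw_changed": date(2024, 5, 1)},
]

# Constructed entitlements: (system, account) -> set of roles held.
ENTITLEMENTS = {
    ("erp", "adlamini"): {"create_vendor", "approve_payment"},
    ("erp", "bnaidoo"): {"view_reports"},
    ("crm", "cvanwyk"): {"edit_contacts"},
}

# Separation-of-duties rules: pairs of roles one identity must never hold together.
TOXIC_COMBINATIONS = [
    ("create_vendor", "approve_payment"),
    ("create_vendor", "edit_vendor_bank"),
]

MAX_PASSWORD_AGE_DAYS = 365  # assumed policy threshold


def orphaned_accounts(accounts, roster):
    """Accounts whose owner has left, or that cannot be tied to a person at all."""
    out = []
    for acc in accounts:
        owner = acc["owner"]
        if owner is None or roster.get(owner, {}).get("status") != "active":
            out.append((acc["system"], acc["account"]))
    return out


def stale_passwords(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Accounts whose password is older than the policy threshold."""
    cutoff = today - timedelta(days=max_age_days)
    return [(a["system"], a["account"]) for a in accounts if a["pw_changed"] < cutoff]


def sod_violations(entitlements, rules):
    """Identities that currently hold both halves of a toxic pair (detection)."""
    out = []
    for key, roles in entitlements.items():
        for a, b in rules:
            if a in roles and b in roles:
                out.append((key, (a, b)))
    return out


def would_violate_sod(current_roles, requested_role, rules):
    """Preventive check: refuse an access request that would complete a toxic pair."""
    for a, b in rules:
        if (requested_role == a and b in current_roles) or (requested_role == b and a in current_roles):
            return True
    return False


def governance_report(today=date(2024, 6, 1)):
    """The audit report: every finding across the whole landscape, not a sample."""
    return {
        "orphaned": orphaned_accounts(ACCOUNTS, HR_ROSTER),
        "stale_passwords": stale_passwords(ACCOUNTS, today),
        "sod_violations": sod_violations(ENTITLEMENTS, TOXIC_COMBINATIONS),
    }


if __name__ == "__main__":
    for section, findings in governance_report().items():
        print(section)
        for finding in findings:
            print("  ", finding)
    # Prevention: the request that would create a toxic pair is refused up front.
    print("block approve_payment for adlamini?",
          would_violate_sod({"create_vendor"}, "approve_payment", TOXIC_COMBINATIONS))
```

The report functions cover the detection step of the roadmap (every account on every system is checked, including the unowned service account, which an HR-driven deprovisioning process alone would never catch), while `would_violate_sod` is the prevention step: it runs at request time, before the entitlement is granted, rather than after the fact in a report.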
Ultimately, what this means is that executives need to be aware that the security and governance industry has matured significantly in recent years and the technology spoken about above already exists and has a proven track record.
This means that it is possible to achieve not only risk mitigation, but ultimately risk prevention. As outlined already, the foundation lies in properly understanding what risks the business faces. Once the business moves from a position of 'not knowing' to one of 'knowing', it becomes a much simpler task to develop a strategy that puts in place the methodologies and technologies required to mitigate, and eventually prevent, such risks from occurring.