February 13, 2018 By Michael Bunyard 3 min read

Many organizations do not keep well-documented records of where all their data is housed. This is a serious problem with so many new regulations requiring companies to be more accountable for protecting information.

Does your organization know exactly who its users are, what they’re entitled to access and where the information they’re accessing is stored? Perhaps more importantly, do you trust the people who are providing access permissions?

Addressing Identity Governance Challenges

As organizations grow, the responsibility of making appropriate access decisions often falls to line-of-business (LOB) managers. This decentralization of access management and employees’ frustration regarding these processes are some of the top headaches related to identity governance and access management.

However, business managers are increasingly expected to recertify their employees’ access, ensuring that they have the proper entitlements to business resources. They are the ones IT counts on to raise the red flag when, for example, an employee can both issue a purchase order and distribute a check — a clear segregation-of-duties (SOD) violation. Identity governance and access management play crucial roles in monitoring SOD and complying with emerging regulations.

Speaking the Language of Business

The identity and access management (IAM) tools many organizations have in place are often not well-understood by the very people tasked with governing access. Users need to be able to communicate in plain business language, but when asked to recertify access, LOB managers are often handed a report with technical lists of resources that are mostly unintelligible to a business user. As a result, recertification gets a rubber stamp and the user is left with a toxic combination of permissions and excessive entitlements. When identity governance is compromised, the organization is left vulnerable to security and compliance violations.

Companies can solve this problem by investing in identity governance and intelligence (IGI) solutions that address the business requirements of LOB and compliance mangers, auditors and risk managers. IGI provides a business activity-based modeling approach that simplifies the user access and roles design, review and certification processes. With this approach, you can establish trust between IT and business managers around business activities and permissions, making workflows understandable for nontechnical users.

It’s just as important to invest in solutions that provide silent security, which works in the background to connect users, applications and people to the information and applications they need, standing in the way only when bad actors are detected. This helps minimize user frustration with access management processes.

Simplification Is the Key to Data Security

IGI solutions enable security teams to leverage powerful analytics to make informed decisions about identity, give users the applications and the flexible data access they need, and help to ensure compliance with ever-evolving regulations. Security leaders can use these tools to manage access certifications, onboarding and offboarding processes, and restrict access based on each user’s ongoing, demonstrated need — also known as the principle of least privilege. Even if recertifications fall squarely on the shoulders of business leaders, managers can use solutions that communicate in terms they can understand, and IT can establish trust that end-user certifications are indeed valid.

With a comprehensive identity governance solution that offers controls and visibility from a single application, security professionals can verify users’ identities and determine whether they have the legitimate access they need. They can also implement an identity and governance solution that seamlessly integrates with even the most complex business platforms, including SAP, mainframe and midrange systems.

Tighter IT governance requirements are making security operations more difficult, but security solutions that work in the background enable organizations to strengthen their security posture and compliance footing in the face of new and upcoming regulatory requirements. With identity governance, simplification is the key to keeping resources safe while enabling business managers to do what IT needs to trust them to do.

Learn More about identity governance and intelligence

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today