Access Governance for Remote Workplace - IT Security Pundit

Monday, February 5, 2024

Access Governance for Remote Workplace

This article describes the challenges of access governance for remote workplaces. It explores the business requirements and the capabilities needed to choose the right identity and data access governance solution, and closes with a set of strategic selection criteria.

Introduction

In the last few years organizations were forced to shift suddenly to remote work, and most of them were unprepared. Individual departments rapidly implemented tactical, make-do solutions to avoid a complete halt of work. A transition that would usually take six years was crammed into six months, which was both exciting and unsettling. Unlike a typical large-scale digital transformation, there was no time for months of strategic planning and testing.

As departments adopted their own solutions with little oversight or governance, the organization inherited unfamiliar problems: disjointed endpoint environments, technology sprawl and, worse, frustrated end users. It also raised a question that tactical solutions rarely answer: how to ensure that sensitive data is collected, stored and used in accordance with regulatory standards and the preferences of its owners.

Industry reports put the share of workers operating from home five or more days a week at 44%, compared with 17% before the pandemic. This massively expanded the perimeter that IT and governance teams must safeguard. As more strategic data came to reside on unmanaged devices and networks outside enterprise control, the risks to data security and privacy grew sharply.

Even as life returns to normal, up to 25% of the US workforce is expected to continue working outside the office indefinitely. At the same time, rising concerns over data privacy have led to a proliferation of data protection standards that demand stringent compliance.

Governance Challenges in Remote Workplace 


The COVID-19 pandemic caught most enterprises by surprise: they were forced to adopt a remote workforce model overnight. The accidental nature of this abrupt change cannot be overstated; businesses had to scramble to ensure that their employees could work from home reliably and securely. Keeping cybersecurity and identity management standards consistent across an even more decentralized IT environment is a daunting challenge in the best of times. These were far from the best of times.

Although the after-effects of the pandemic will fade sooner or later, remote work is the new normal. The cybersecurity and identity management tools deployed for a remote workforce must therefore provide a consistent control layer and scale as new employees join.

But what does this have to do with identity governance? Why does it have new importance for remote workforces?



Change in onboarding and offboarding process


Since new employees join the workforce remotely, they must receive all the permissions required for their work from day one, so that the business stays efficient and cybersecurity best practices are followed.

No user should receive incorrect permissions, whether more or fewer than required, and users should not be left at the mercy of the IT team to correct the problem through service tickets, email follow-ups or phone calls to the help desk.

In the same way, when someone leaves the organization all of their access and permissions must be revoked, so that abandoned accounts cannot be used by insiders or external threat actors.


With the workforce model shifted to work from anywhere on any device, the modern workforce IAM system faces a new challenge: providing secure access to applications and services deployed in a hybrid environment.


Identity sprawl/Siloed User Directories


Identity sprawl (also called siloed user directories) refers to a situation where a user's identity is managed by multiple siloed systems or directories that are not synchronized with each other, resulting in multiple identities for each user. For large enterprises, mergers and acquisitions are one common cause. The situation also arises when an application or system is not, or cannot be, integrated with the organization's central directory service, so yet another set of user identities has to be managed to support access to it. Identity sprawl has long been a problem for organizations adopting cloud services that operate a separate identity silo, which means users need a separate identity for the cloud service. Every such silo is one more place where onboarding and, more dangerously, offboarding can be missed.

Inefficient Role Management and Least Privilege


The remote workforce performs its work from outside corporate network boundaries, and monitoring employees' accounts becomes a new kind of challenge (it was not easy before).

Organizations use applications in hybrid environments, and they tend to implement separate access governance and administration tools for on-prem applications and cloud applications. This segregation introduces several challenges for IT administrators: no unified view of access, and inconsistent access request and approval processes across applications.

New widened enterprise network perimeter

Although enterprises were already moving to cloud infrastructure and applications, the transition was still in progress. The need to allow remote work suddenly accelerated it, often beyond the ability of enterprise cybersecurity to keep up.

Now organizations are looking to embrace Software-as-a-Service (SaaS) faster than ever. They face a new challenge with a workforce that may want to transition back to the office, stay remote, or try contract work. From a business perspective, these transitions may be good; they allow enterprises to embrace cloud collaboration and capabilities and improve productivity regardless of location.

However, this sudden transition has created a larger, more porous digital perimeter that has proven much harder to secure. Every new endpoint gives attackers an opportunity to infiltrate the network, and it creates a new problem with visibility. Does your IT team know all the legitimate devices connecting to the network? Can it maintain visibility over all the permissions of your workers and databases? Without this visibility, your cybersecurity cannot function optimally.

Siloed Compliance Dashboard: Who Has Access to What?


One of the challenges for IT administrators is to report on the current identity and access management landscape: a single view from which a CISO can see who has access to what across the whole enterprise. This single unified portal must provide dashboards for identities, accounts, access patterns, privileged accounts and their access patterns, and identity and access analytics. The IT administrator faces the challenge of collating data from various sources and transforming it into something presentable to C-level executives.

Increased complexity of data management


Two factors are driving the increasing complexity of data management. One is the sheer increase in the volume and velocity of data creation, which makes it harder to identify and protect sensitive data; the explosion in the rate of data creation poses challenges to compliance on its own. The other is the proliferation of data protection regulation described below.

In response to rising concerns over data privacy, regulations have been established at state, national and global levels to protect sensitive information. Such standards include HIPAA, GDPR, PCI DSS and California's data protection law. Each has its own compliance requirements, and failure to meet them can result in punitive fines and fees, as well as legal liability for companies and organizations.

This means that as well as keeping track of sensitive data, companies must have data classification capabilities that dynamically tag data as it is added, moved, copied or altered, and that protect it in terms of how and by whom it can be accessed or used, in compliance with regulatory standards.

What should a governance solution do?


An ideal workforce governance solution must empower the workforce to be productive from anywhere. It should reduce cost and provide seamless, secure access with a good user experience and self-service.

Moving away from perimeter-based security to the Zero Trust model is no longer optional. Apart from the situation created by the COVID-19 pandemic and the uncertainty about resuming work from an office, many companies are looking at moving employees out of the office to cut costs, reduce time lost to commuting, and improve employees' work-life balance.

The solution must be cost-effective while reducing risk. It must help remove operational inefficiencies such as rubber-stamped certifications and manual provisioning and de-provisioning, which result in lost productivity, increased risk from orphaned accounts, wasted time and money, and overpayment for unused accounts.


Unified identity vault/User Directories


The workforce IAM must provide a central identity vault or user directory that works as the sole source of truth. An enterprise application may have its own identity repository, but it must be kept in sync with the central unified identity vault.

Automated onboarding and offboarding process


The complete lifecycle of users within the organization must be automated, from onboarding to offboarding. The process should be streamlined so that new employees, contractors, vendors and partners have enough permission to work efficiently from day one.

All access and permissions must be revoked once the employee leaves the organization. This allows the organization to reduce manual errors, shrink the threat landscape, improve the employee experience, reduce IT costs and comply with legal regulations.

Access Review and attestation 


All accounts with access to critical or sensitive data, applications or services must be periodically reviewed by managers and by application and data owners, who must attest that the user still needs the access to perform their daily job. This review and attestation process must extend to all accounts, including service accounts, privileged accounts and bot (digital worker) accounts.

This process must be able to detect orphan accounts in the system. Whenever a user leaves the organization or moves within it to a different business unit, their accounts must be properly off-boarded from the systems they no longer need. Orphaned accounts are goldmines for attackers, who can harvest credentials and identities from them to breach a business. All orphaned accounts must be removed from the system.
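The offboarding and orphan-detection requirements above come down to one reconciliation: treat the HR roster as the source of truth and compare every account in every connected system against it. The following is an added example written for this article, not code from the original page or from any product it mentions. The HR roster, the account dump and the service-account registry are constructed, and the system names and the 90-day dormancy window are assumptions. It generalizes slightly beyond the text by also flagging dormant accounts for the next review cycle.

```python
"""Joiner/mover/leaver reconciliation against an HR roster (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Identity:
    employee_id: str
    status: str                     # "active" or "terminated"
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner_id: Optional[str]         # employee_id the system claims owns it
    last_login: Optional[date]
    kind: str = "user"              # "user" or "service"


# Constructed HR feed with hypothetical employee ids.
HR_ROSTER = [
    Identity("E100", "active"),
    Identity("E101", "terminated", date(2024, 1, 31)),
    Identity("E102", "active"),
]

# Constructed account dump from three hypothetical systems.
ACCOUNTS = [
    Account("idp", "alice", "E100", date(2024, 2, 2)),
    Account("idp", "bob", "E101", date(2024, 1, 30)),
    Account("gitlab", "bob.k", "E101", date(2024, 1, 29)),
    Account("idp", "carol", "E102", date(2023, 10, 1)),
    Account("gitlab", "jsmith", None, date(2023, 6, 1)),
    Account("aws", "svc-backup", None, date(2024, 2, 1), kind="service"),
]

# Service accounts have no HR record of their own; each must be registered
# to a human owner who is accountable for it (constructed registry).
SERVICE_ACCOUNT_OWNERS = {"svc-backup": "E102"}


def reconcile(roster, accounts, today, dormant_days=90):
    """Return (action, system, username, reason) tuples for the IAM team."""
    by_id = {i.employee_id: i for i in roster}
    actions = []
    for acct in accounts:
        owner_id = (SERVICE_ACCOUNT_OWNERS.get(acct.username)
                    if acct.kind == "service" else acct.owner_id)
        identity = by_id.get(owner_id) if owner_id else None
        if identity is None:
            # No living identity behind the account: a classic orphan.
            actions.append(("disable_orphan", acct.system, acct.username,
                            "no matching identity in HR roster"))
        elif identity.status == "terminated":
            # Leaver: every account mapped to them goes, in every system.
            actions.append(("revoke", acct.system, acct.username,
                            f"owner {identity.employee_id} left on {identity.end_date}"))
        elif acct.last_login is None or (today - acct.last_login).days > dormant_days:
            # Owner is active but the account is unused: queue for review.
            actions.append(("review_dormant", acct.system, acct.username,
                            f"no login in {dormant_days} days"))
    return actions


def run_example():
    """Reconcile the constructed data as of a fixed date."""
    return reconcile(HR_ROSTER, ACCOUNTS, date(2024, 2, 5))


if __name__ == "__main__":
    for action in run_example():
        print(*action)
```

Run as a script it lists four actions: both of the leaver's accounts are revoked (the second one in a system that a purely manual process would easily miss), the unmapped gitlab account is flagged as an orphan, and the unused but legitimately owned account goes to the next review. The service account is left alone only because its registered owner is still active; an unregistered service account would surface as an orphan, which is the intended behaviour.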

"If you only rely on the point of access, there is no check afterward. You want to constantly verify that the user assigned that identity is doing what you think they should be doing. If we just let them in and let them go, then we lose visibility into what actions they are taking on the network." —Robert MacDonald

Embark on zero-trust approach journey


A zero-trust model is based on "never trust, always verify": every user, every device and every connection is verified every time. It requires unifying and integrating all security tools to protect valuable assets and proactively manage threats.

Zero trust requires mandatory verification, both inside and outside the network, before data and resources can be accessed from any device the end user has. This helps secure data for remote workers who use multiple devices and applications outside corporate networks.

Businesses should be wary of everything reachable from the internet; in fact, even on-premises or offline applications can be breached by hackers, scammers and fraudsters. The Zero Trust philosophy should become part of everyday operations through continuous authentication of identities and user access.

The Zero Trust philosophy must be built into remote work policies and protocols so that the remote workforce is guided accordingly. One fitting example is adaptive, risk-based authentication for each access request to a resource.

Least Privilege Principle


Policies and processes should give users enough access to perform the job, no less and no more. For self-service access requests, an approval workflow must be implemented before access is granted.

The governance solution can provide a risk score to the approving authority to assist in making the decision. The risk score can be derived from data and application criticality as well as the user's profile, role and history.
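Two mechanisms make the least-privilege principle checkable rather than aspirational: a per-role baseline of entitlements, against which a user's actual entitlements show excess or missing access, and a risk score attached to each self-service request that decides how heavy the approval workflow should be. The following is an added example written for this article, not code from the original page or any product. The role baselines, application criticality values, privileged entitlement list, score weights and routing thresholds are all assumptions; a real deployment would take them from the governance catalogue.

```python
"""Role-baseline deviation and risk-scored approval routing (added example)."""
from dataclasses import dataclass

# Hypothetical role baselines: what each role needs, nothing more.
ROLE_BASELINE = {
    "developer": {"gitlab:developer", "jira:user", "aws:ReadOnly"},
    "finance":   {"erp:ap_clerk", "jira:user"},
}

# Hypothetical application criticality (1 low .. 3 high) and the
# entitlements that confer administrative power.
APP_CRITICALITY = {"gitlab": 2, "jira": 1, "aws": 3, "erp": 3}
PRIVILEGED = {"aws:AdministratorAccess", "erp:admin", "gitlab:owner"}


@dataclass
class User:
    user_id: str
    role: str
    employment: str                 # "employee" or "contractor"
    entitlements: set
    prior_revocations: int = 0      # access removed at earlier reviews


def deviation(user):
    """Excess = held but not in baseline; missing = in baseline but not held."""
    baseline = ROLE_BASELINE[user.role]
    return (sorted(user.entitlements - baseline),
            sorted(baseline - user.entitlements))


def risk_score(user, entitlement):
    """Combine application criticality, privilege, role fit and user history."""
    app = entitlement.split(":", 1)[0]
    score = APP_CRITICALITY.get(app, 3)        # unknown app: assume critical
    if entitlement in PRIVILEGED:
        score += 3
    if entitlement not in ROLE_BASELINE[user.role]:
        score += 2                              # outside the role's normal need
    if user.employment == "contractor":
        score += 1
    score += min(user.prior_revocations, 2)     # history, capped
    return score


def approval_route(user, entitlement):
    """Pick the workflow: low-risk in-baseline requests need no human."""
    score = risk_score(user, entitlement)
    if entitlement in ROLE_BASELINE[user.role] and score <= 3:
        return "auto_approve"
    if score <= 5:
        return "manager"
    return "manager_and_app_owner"


def run_example():
    """Score a few requests for two constructed users."""
    dev = User("E100", "developer", "employee",
               {"gitlab:developer", "jira:user", "erp:ap_clerk"})
    contractor = User("C200", "developer", "contractor", {"gitlab:developer"})
    excess, missing = deviation(dev)
    return {
        "excess": excess,
        "missing": missing,
        "dev_readonly": approval_route(dev, "aws:ReadOnly"),
        "dev_admin": approval_route(dev, "aws:AdministratorAccess"),
        "dev_erp": approval_route(dev, "erp:ap_clerk"),
        "contractor_readonly": approval_route(contractor, "aws:ReadOnly"),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The deviation check is what a reviewer should see during attestation: the developer holds an ERP entitlement their role does not call for (excess) and lacks one it does (missing). The routing shows the same developer getting read-only cloud access without a ticket, while administrator access and the out-of-role ERP request escalate; the contractor's otherwise identical request costs one extra point and therefore needs a manager.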

Data Access Governance 


An organization seeking effective and integrated data access governance requires the following capabilities from the Data Access Governance solution.
  • Data Discovery: The solution must be able to discover data within the organization, whether on the corporate network, in the cloud or on user devices, and whether the data is online or offline. The discovery mechanism should cover every platform, operating system and application in which the data resides.
  • Data Classification: The solution must be able to classify data so that it can be handled in compliance with industry and regulatory standards.
  • Enforce Data Access Policies: The solution must be able to enforce data access policies across operating systems and data storage solutions.
  • Data Access Review and Attestation: As with identity access review and attestation, the solution must allow access to unstructured data to be reviewed and granted or revoked as part of the access review process.
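The classification capability described above, and the dynamic tagging called for in the earlier section on data management, boil down to recognizing regulated content as it is written and then enforcing an access policy keyed on the resulting tags. The following is an added example written for this article, not code from the original page or any product. The two detectors (payment card numbers validated with the Luhn check, and email addresses) and the group-to-tag policy are illustrative assumptions; a production classifier would carry many more patterns and would combine them with context and confidence thresholds.

```python
"""Tag-on-write data classification with tag-based access checks (added example)."""
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated
# by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Hypothetical policy: which groups may read data carrying each tag.
ACCESS_POLICY = {"PCI": {"payments"}, "PII": {"payments", "support"}}


def luhn_ok(digits):
    """Luhn checksum; weeds out most order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of data-class tags found in a record."""
    tags = set()
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            tags.add("PCI")
    if EMAIL_RE.search(text):
        tags.add("PII")
    return tags


def can_read(tags, groups):
    """A reader needs a permitted group for every tag on the record."""
    return all(ACCESS_POLICY[tag] & set(groups) for tag in tags)


def run_example():
    """Classify constructed records and evaluate access for two readers."""
    records = {
        "card": "card 4111 1111 1111 1111 exp 12/26",
        "order": "order 4111111111111112 ref 77",    # fails Luhn
        "ticket": "contact alice@example.com about refund",
    }
    tags = {name: classify(text) for name, text in records.items()}
    return {
        "tags": tags,
        "support_reads_card": can_read(tags["card"], {"support"}),
        "payments_reads_card": can_read(tags["card"], {"payments"}),
        "support_reads_ticket": can_read(tags["ticket"], {"support"}),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The Luhn check is the practical detail: a bare digit-run regex would tag the order number as card data, and a classifier that over-tags is quietly switched off by the teams it blocks. The access check sits on the tags rather than on file paths, which is what lets the policy follow the data when it is copied or moved.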

How to choose a solution?


The solution must provide secure access, effective governance, scalable automation, and actionable insight so that customers can achieve greater confidence in their IT security posture across cloud, mobile, and data platforms.

Availability and scalability


The IAM infrastructure is the most critical IT system for any organization, as it is the gateway to every digital asset. The solution must be proven to provide a highly available IAM infrastructure, giving round-the-clock uninterrupted access to all critical assets.

The other critical factor for any organization is business growth, as well as seasonal spikes in traffic. The IAM solution must be capable of handling the projected business growth, which will increase the number of identities, applications and digital assets.

Open standards support


As the business grows, the IT system should be agile enough to collaborate with partners. This requires integration with partners, vendors and third-party ecosystems.

To meet this integration requirement the IAM system should support the industry-accepted open standards: SAML, OAuth, OIDC, SCIM and the relevant W3C specifications. SCIM in particular is what makes the automated onboarding and offboarding described earlier portable across SaaS applications.


Implement ZeroTrust  


Zero Trust is a security philosophy whose default position is that organizations should not automatically trust anything inside (commonly labeled the intranet) or outside their secured perimeter. Instead, everything is treated the same from a security standpoint, and anything that tries to connect to the organization's systems must be verified before being granted access.

Moving to a zero-trust security model means assuming that both the network and all the services using it are potentially hostile. This is a major shift for any IT organization that has depended on the intranet model for decades. As such, this foundational transformation will need to happen piecemeal, either by selecting portions of your environment to upgrade first or by identifying the parts of the Zero Trust model that give you the biggest security return and focusing on those.


Minimize Your Attack Surfaces


Role-based access control (RBAC) and least-privilege access reduce organizations’ digital attack surface by restricting users’ ability to access network resources based on their individual positions and responsibilities. In addition to mitigating insider threats, this ensures that threat actors don’t end up with the “keys to the kingdom” should a user be compromised.

For applications that support federation protocols (such as SAML 2.0, OAuth or WS-Federation), the solution should act as the identity provider (IdP). It can also be used to add another layer of protection in front of applications, services and other resources.

Emphasis on Least Privilege


Identity governance provides an efficient process that keeps access permissions current, which is critical to securing your environment. This is especially true for privileged administrators and for users who handle your customers' sensitive or regulated information. Identity governance automates both the identity and the permissions lifecycle and their administration. This lets you quickly see which users should have, and which do have, permissions to protected information, and centrally remediate access risks across your entire environment.
