Understanding the evolving role of identity governance
With 2018 in full swing, I’ve been on the road talking to customers and prospects about their identity journey. It’s given me a chance to take the pulse of what enterprises are struggling with most today, where their big wins have been, and what their expectations are as they look ahead to the next 12–24 months.
During these meetings, on more than one occasion, I’ve been asked the following question: Do you see the role of identity governance changing?
My answer each time has remained the same: "Identity governance has always been evolving and will continue to evolve to meet the expanding needs of our customers."
To be clear, our vision for identity governance has always been focused on providing visibility, automation and control over who has access to what in the enterprise, and ensuring that that access is appropriate for the individual’s relationship with the organisation.
We see identity as being squarely in the centre of IT operations supporting security initiatives, compliance programs and operational efficiency. As identity leaders, we have always believed that to properly manage identity, organisations must take a governance-based approach.
But, as business challenges change, the scope of what capabilities support identity governance must also evolve. So, while our vision of identity governance hasn’t changed, the capabilities that fall into that area continue to evolve.
This evolution and expansion is true of all vibrant and dynamic markets. But sometimes the rapid evolution of a market results in confusion about what product categories support which customer needs, and overlapping (and sometimes inflated) vendor claims only serve to make this worse.
Addressing this confusion is an important step towards ensuring you are applying the right solutions to the appropriate problem areas in order to meet your business requirements.
Here are three areas of confusion that I’ve come across in my conversations with customers that I think warrant discussion:
Single sign-on will solve my security problems
Single sign-on (SSO) is a great tool for giving users easy access to the applications they use on a regular basis. It can, in fact, provide some measure of added security in that it that it can be used to reduce the number of passwords an individual needs to remember and maintain.
However, SSO without management of who should have that access to begin with (or what that access allows them to do at a granular level) is not going to provide the necessary levels of visibility and control needed for a secure organisation.
Data governance and identity management are two different things
As the sheer volume of data stored in documents, spreadsheets and presentations increases, organisations are struggling with how to manage access to it. Often the data in these files was extracted from the same applications and databases we work so hard to ensure appropriate access to with identity governance.
So why would you want to deploy a completely different solution to address unstructured versus structured data governance?
Provisioning hasn’t changed in 20 years, so my legacy solution is sufficient
Yes and no. It is true that the core use cases for provisioning – workflow-driven processes for requesting, approving, granting and revoking granular access to applications and systems – have not changed in principle for 20 years.
The big change is that access request and review are now viewed as ‘business processes’, not just an IT problem. After all, to effectively control who has access to what, you’ve got to engage the people in the organisation who are doing the hiring, transferring and off boarding of people.
These are typically people outside the IT department – people in the line of business.
And these non-technical resources need solutions that are intuitive, easy to use, and capable of translating the myriad IT details that comprise access privileges into a language they can understand. First-generation solutions were never designed for this kind of user and therefore fall woefully short on meeting the needs of the business user.
By now, one would hope that confusion around these topics is a thing of the past for your organisation, but I find that I still occasionally need to clarify them with customers.
The reality is that the definition of identity governance will continue to evolve and expand to account for the dynamic and ever-changing identity needs of businesses.
These changes are something we’ve all come to expect and recognise as inevitable but, importantly, they are also what allow our businesses themselves to grow and expand.