From Blind Spots to Full Overview – Access Governance in Hybrid Scenarios
Identity Governance and Administration (IGA) practitioners sometimes become blind to the increasing impact of hybrid IT scenarios, running the risk of staying too focused on their customary views.
Have you ever experienced the “blind spot” in your eye? It is a small area of the retina where the optic nerve enters the eye and no photoreceptors are present. It makes some things invisible even though they are in your field of vision. It is my impression that IT user administration practitioners sometimes run the risk of developing “blind spots”, relying on and staying too focused on their customary views of access control, even though the effects of increased digitalization can be seen everywhere in today’s organizations. We see that companies are faced with challenges due to more and more “hybrid” IT scenarios, the deployment of complex technologies and the introduction of digital business processes across multi-connected IT environments. From an identity governance perspective, failing to see or address these challenges quickly leads to organizations completely losing their overview and their ability to master security risks. But what, concretely, should we pay attention to?
One key characteristic of hybrid IT is the opening up of parts of the organization’s IT infrastructure to partners, customers and other outsiders, in order to deliver services or to take part in a supply chain. Another characteristic is the use of cloud applications and cloud infrastructure.
Clouds in your strategy and execution
When making a strategic move to the cloud and adopting new technologies, both governance practitioners and business managers need to acknowledge that access governance policies must be extended and enhanced accordingly. Failing to do so will create blind spots in identity governance and lead to security risks. For IT security teams it is of key importance to invest in expert knowledge on new platforms early in the project, and to extend governance procedures to external users who might not be in the scope of established Identity and Access Management procedures.
Due to fast-changing business models, many business units flexibly subscribe to cloud services on their own behalf, often without involving the IT governance department, which makes these services invisible to the corporate access governance procedures. Furthermore, for these services the business units cannot benefit from any automation provided by the established corporate identity lifecycle management. Business and IT need to make a joint effort to remediate this situation. If IT can provide fast and non-bureaucratic onboarding of new services to the company’s IGA platform, business owners will much more easily see the benefits they get from IGA.
Collaboration platforms such as SharePoint Online make it easy to exchange information between companies. But again, traditional governance processes need to be enhanced. For SharePoint, external users can be invited and immediately get guest accounts in Azure AD. However, in many companies these accounts are unsupervised and pose a considerable security risk. Introducing periodic access reviews and access request procedures, and assigning internal owners to the external identities, will put companies back in control of these guests.
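One way to run the periodic guest review described above, as an added example that is not part of the original article: it triages guest accounts that lack an internal owner, were never accepted, or have gone stale. The records are constructed and only mimic the shape of Microsoft Graph user objects; the "owner" attribute is a hypothetical field that your IGA platform would keep for the internal sponsor.

```python
"""Triage Azure AD guest accounts for a periodic access review.
Added example, not code from the original article. The records below are constructed and only
mimic the shape of Microsoft Graph /users output (userType, externalUserState, createdDateTime,
signInActivity); "owner" is a hypothetical attribute your IGA platform would keep for the sponsor."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the results are reproducible
STALE_DAYS = 90    # accepted guest with no sign-in for this long: candidate for removal
PENDING_DAYS = 30  # invitation not accepted within this window: candidate for removal

GUESTS = [  # constructed sample records
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2023-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:15:00Z"}, "owner": "bob@contoso.example"},
    {"userPrincipalName": "carol_vendor.example#EXT#@contoso.example", "userType": "Guest",
     "externalUserState": "Accepted", "createdDateTime": "2022-11-01T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-12-01T12:00:00Z"}, "owner": None},
    {"userPrincipalName": "dave_other.example#EXT#@contoso.example", "userType": "Guest",
     "externalUserState": "PendingAcceptance", "createdDateTime": "2024-03-01T10:00:00Z",
     "signInActivity": {}, "owner": None},
    {"userPrincipalName": "erin@contoso.example", "userType": "Member", "externalUserState": None,
     "createdDateTime": "2020-01-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-30T07:00:00Z"}, "owner": None},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_guest(user, now=NOW):
    """Return the findings for one account; an empty list means no action is needed."""
    findings = []
    if user.get("userType") != "Guest":
        return findings  # members are covered by the regular joiner/mover/leaver process
    if not user.get("owner"):
        findings.append("no internal owner")
    state = user.get("externalUserState")
    if state == "PendingAcceptance" and now - _parse(user["createdDateTime"]) > timedelta(days=PENDING_DAYS):
        findings.append("invitation never accepted")
    last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    if state == "Accepted":
        if last is None:
            findings.append("never signed in")
        elif now - _parse(last) > timedelta(days=STALE_DAYS):
            findings.append(f"no sign-in for >{STALE_DAYS} days")
    return findings

def triage(users, now=NOW):
    """Map each guest UPN to its findings, keeping only the accounts that need action."""
    return {u["userPrincipalName"]: f for u in users if (f := review_guest(u, now))}
```

Feeding the output into an access request workflow (assign an owner or remove the guest) closes the loop the paragraph describes.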
So how do you improve alignment in a hybrid IT world?
To consider how we can systematically align access management and governance with the requirements in a hybrid IT world we need to take a step back and consider the issues through a macro lens. I have structured them into five key areas:
As with any legacy application and system, you need to familiarize yourself with the security concepts of cloud applications and cloud infrastructure platforms. You need to understand how to protect the platform or application. From a governance perspective, you should decide who really needs access and how you remove it from those who already have it but shouldn’t. Policies like Segregation of Duties need to be extended to the cloud platforms. Customers and partners must understand that you care about security, and that it is not a static state of being; take them on the journey with you. When working with partners, new models of responsibility must be set up: you may establish policies that delegate access management tasks to the partner organization while you still keep overall control. Avoid repeating the mess of the past, where insufficient Active Directory group concepts or SharePoint access management may have left you!
If new services are provided to the business, it goes without saying that existing compliance policies must be adhered to. Business flexibility is not an excuse for neglecting personal data protection and data proliferation regulations such as GDPR, industry-specific legislation such as recertification requirements in finance, or internal information classification and data ownership standards.
- User Convenience: When an increasing number of cloud services is needed for daily work, end users start to struggle with storing URLs, memorizing passwords or finding the right persons who can grant them access. In a scenario where internal and external users access both on-premises and cloud applications, a comprehensive Single Sign-On concept is needed, as well as a central landing page for access to all applications.
Digitalization enables business models to change at a higher pace. New sourcing models are tried out and established, services are subscribed to and decommissioned, partnerships are created and abandoned, and regulatory requirements are ever increasing. In this context, IGA teams can only survive if they can react in a timely fashion. They need an IGA solution that enables them to reconfigure access policies and governance policies quickly, to on- and off-board all types of new apps with minimal effort, and to master the change management that comes along with organizational shifts.
Collaboration implies that more people are using corporate applications, and that the turnover rate is increasing too. The number of managed identities might increase from a couple of thousand to a million or more. IGA teams need to consider how they can scale while team size does not necessarily grow in proportion. They can only be successful with an IGA solution that provides a high degree of automation and offers the possibility to distribute and delegate the work appropriately.
When the organization moves to a hybrid IT world, IGA teams must think ahead and be agile enough to prepare for future scenarios. If they do not, the transition will be ungoverned and the organization will be vulnerable. You need to have both eyes open so that an attacker cannot hide in a blind spot.