The Identity Management Pendulum: Identity Security Mitigates Access Management Risk
It wasn’t so long ago when it was common to think of identity management as a compliance and enablement tool for large enterprises. The market was borne from a compliance standpoint. Since then, SailPoint has led the evolution of identity into what it is today: foundational to securing and enabling today’s digital cloud enterprise. Today, a large part of the world of identity management has become front and center on security and risk mitigation. Identity security has become the new perimeter or “firewall” for today’s enterprise companies. “Identity management” is now as much about identity security and risk mitigation as it is about providing access. But this story continues, and in fact, has only been accelerated by the events of the past year.
And this is where it gets interesting.
Identity security, our world, is about enabling access and protecting businesses everywhere. It’s not either/or. Access management (sometimes referred to as “IAM” or identity and access management) is simply focused on granting access. It’s about connecting workers to the apps and systems they need to do their jobs in a fast and efficient manner. But that’s where it stops: at the connecting of workers to apps. While a necessary step, enterprises are now asking “How do I secure that access?” “How do I know who is doing what and when?” “How do I protect sensitive business data from risk?”
This underscores this notion of the “dark side” of access management – the opening up of access creates many unintended risk implications. You might even think of it as a pendulum – on the identity security side, it’s about mitigating risk, and on the other side, this dark side is access management, and it invites risk with every door opened if access is left unsecured and ungoverned.
Swing Left: Access Management
Access management allows enterprises to grant workers the access they need to do their job. It sounds like a pretty necessary tool, right? And it is – today’s workforce certainly needs access to technology to be effective in their role. Today’s cloud business runs on technology. This is precisely what digital transformation is all about – the adoption of a slew of technology that drives the cloud enterprise. But in opening the door to grant workers access to all of this technology they now use to do their jobs, access management has just become a risk factor to the business, not a secure enabler.
Businesses can’t safely use technology without identity security. Put simply, no business can safely grant their workforce access to technology without putting proper security controls in place. Who should be given access? Should that access be granted? How long will that worker require that access? These are questions an organization cannot answer without identity security at the foundation.
Swing Right: Identity Security
This brings me to the other side of that pendulum – the side that helps enterprises mitigate their risk – identity security.
With identity security as the bedrock of today’s cloud business, suddenly, IT and security teams have a keen view across the entirety of its workforce, no matter if that workforce is sitting in the four walls of the office or working remotely. With that visibility, now the business has the intel it needs to see and understand all of its workers’ access and to start automating and accelerating the secure management of their access and entitlements to all business systems, data, and cloud services that speed the business forward. The key here is that it is not just about providing access but providing secure access that protects the business versus opening up new avenues of risk.
Picture an organization as a race car.
The business is gearing up to meet its goals for the new year; it’s gaining high velocity, granting access to keep its workers productive on day one, no matter the circumstances. All of a sudden, the business needs to hit the brakes. There’s been a security incident, but this race car was only built to go, go, go no brakes were built in. That’s the scenario if an organization only has access management — you can be speedy but there is no security protocol in place to pump the brakes if needed.
This is where identity security comes in — it allows for speed and brakes in one fell swoop. The security measure is in place to ensure the access you are granting is secure from the get-go, not taken into consideration after the fact. Organizations can’t just reach speeds of 100 mph, then all of a sudden turnaround. They need security measures in place to account for every scenario.
As businesses went into lockdown, granting access to technology that enables employees to work from anywhere was deemed “business essential” at that point in time, really enabling, the race car effect. It has quickly become apparent that providing access to today’s workforce requires strong oversight and security – the brakes, or identity security. Today, there is a new sense of awareness of the risk that technology access can pose to the business if not properly secured.
This is the critical difference that businesses worldwide now see and understand: without identity security, their business is not securely enabled, nor are their business assets fully protected. With identity security, they are fully equipped to reach full velocity and pump the brakes to mitigate risk from the explosion of technology access across the business.
So I have to ask, which side of the pendulum do you want to be on?