Former Uber CISO Joe Sullivan was recently charged with obstruction of justice and misprision of a felony for allegedly covering up a 2016 breach of Uber Technologies' cloud-hosted data. That breach exposed the personal information of 57 million riders and drivers. Sullivan stands accused of concealing the theft from authorities, and as a result he could face up to eight years in prison on the two charges. I do not believe he acted for personal gain; it was probably a case of bad judgment in an effort to protect the Uber brand. Regardless of intent, the personal consequences may be severe. There are a few things to be learned from this case. One key takeaway is that if you are part of a senior management team and responsible for an organization's security and risk, you are exposed to dramatic consequences both personally and professionally. There are no watertight bulkheads protecting you from personal liability.
What's keeping CISOs up at night
CISOs and other IT leaders, both those with and without good personal judgment, are all painfully aware that they must be in strong control of their organization's data to protect themselves and their company. Most do not feel in control, because they must handle several moving parts at once: a growing number of hacker attacks and insider theft cases, increasingly stringent regulatory requirements like CCPA and GDPR, the rise of cloud computing, the use of shadow IT, and the massive shift to remote work during the COVID-19 pandemic.
According to a survey released by Egress earlier this year, 78% of IT leaders believe their employees put data at risk last year, and 97% cited insider breach risk as a significant concern. And according to IBM's Cost of a Data Breach Report, the average cost of an enterprise data breach is $3.9 million.
The situation is worsening during the pandemic. A report by Coalition released in September found that since the beginning of COVID-19, there's been a 47% increase in the severity of ransomware and a 35% increase in funds transfer fraud and social engineering claims.
The security leaders' vision for IGA
To mitigate the mentioned risks and concerns, organizations must implement appropriate processes and technologies, and one of the cornerstones is a strong identity governance and administration (IGA) solution.
Security leaders are very clear on the benefits IGA can provide. At the highest level, these benefits can be divided into three buckets:
1) Compliance: IGA helps leaders meet compliance requirements by delivering the reporting, processes, and controls needed to satisfy internal and external auditors. For example, being able to document who has access to personal data, and how that access is governed, is needed to demonstrate GDPR compliance.
2) Security and trust: IGA is key to establishing security and trust by ensuring, through automation, that only the right people have the access they need -- and only the access they need -- when they need it. A least privilege access model means you continuously minimize the number of employees and accounts that hold broad or elevated access rights, which dramatically reduces the risk of incidents like insider theft. Risk management at that level instills trust both internally and with business partners.
3) Efficiency: A strong IGA solution increases efficiency by using automation to onboard new employees and assign entitlements according to each person's role and responsibilities, thereby reducing the load on the helpdesk.
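To make the three buckets concrete, here is an added example (my own illustration, not Omada's code or the logic of any product) of the reconciliation loop at the heart of IGA: an HR feed is normalized, a role model defines what each job title should hold, and the engine produces a grant/revoke plan plus findings for review. The role model, entitlement names, HR rows and account state are all constructed for this illustration.

```python
"""Role-based entitlement reconciliation: the core loop an IGA engine runs.

Given an HR feed (the authoritative list of identities) and the entitlements
each account actually holds in a target system, compute the least-privilege
target state from a role model, emit a grant/revoke plan, and produce the
findings an auditor would want to see.  All data below is constructed.
"""
from dataclasses import dataclass

# Role model (constructed): normalized job title -> birthright entitlements.
ROLE_ENTITLEMENTS = {
    "engineer": {"github:read", "github:write", "vpn"},
    "support agent": {"crm:read", "ticketing"},
    "finance analyst": {"erp:read", "erp:postings"},
}
# Entitlements treated as elevated; holding one outside your role is a finding.
PRIVILEGED = {"erp:postings", "aws:admin", "github:admin"}


@dataclass(frozen=True)
class Worker:
    employee_id: str
    job_title: str
    active: bool


def load_hr_feed(rows):
    """Normalize a raw HR export into one Worker per employee id.

    Real feeds carry stray whitespace, inconsistent casing and duplicate
    rows; this collapses duplicates (last row wins) and canonicalizes titles.
    """
    workers = {}
    for row in rows:
        uid = row["id"].strip()
        title = " ".join(row["title"].split()).casefold()
        active = row["status"].strip().casefold() == "active"
        workers[uid] = Worker(uid, title, active)
    return workers


def reconcile(workers, actual):
    """Compare actual entitlements with the role model.

    Returns (plan, findings): plan maps uid -> {"grant": [...], "revoke": [...]}
    and findings is a list of (uid, reason, entitlements) for audit review.
    """
    plan, findings = {}, []
    for uid in sorted(set(workers) | set(actual)):      # deterministic order
        have = set(actual.get(uid, ()))
        worker = workers.get(uid)
        if worker is None:                               # account with no identity behind it
            findings.append((uid, "orphan account", sorted(have)))
            want = set()
        elif not worker.active:                          # leaver: everything goes
            if have:
                findings.append((uid, "leaver still has access", sorted(have)))
            want = set()
        elif worker.job_title not in ROLE_ENTITLEMENTS:  # no role: flag, never revoke blindly
            findings.append((uid, f"no role for job title {worker.job_title!r}", sorted(have)))
            continue
        else:
            want = ROLE_ENTITLEMENTS[worker.job_title]
        excess = have - want
        if excess & PRIVILEGED:
            findings.append((uid, "privileged access outside role", sorted(excess & PRIVILEGED)))
        if excess or want - have:
            plan[uid] = {"grant": sorted(want - have), "revoke": sorted(excess)}
    return plan, findings


# Constructed sample input: a messy HR export and a target system's current state.
HR_ROWS = [
    {"id": "E1", "title": "Engineer", "status": "Active"},
    {"id": "E1 ", "title": " engineer ", "status": "active"},   # duplicate row
    {"id": "E2", "title": "Support  Agent", "status": "Active"},
    {"id": "E3", "title": "Finance Analyst", "status": "Terminated"},
    {"id": "E4", "title": "Engineer", "status": "Active"},       # joiner, no account yet
    {"id": "E6", "title": "Data Wizard", "status": "Active"},    # title with no role defined
]
ACTUAL = {
    "E1": {"github:read", "github:write", "vpn", "aws:admin"},  # admin right outside the role
    "E2": {"crm:read"},                                          # missing a role entitlement
    "E3": {"erp:read", "erp:postings"},                          # leaver, still provisioned
    "E5": {"vpn"},                                               # no HR record at all
    "E6": {"vpn"},
}


def run_example():
    return reconcile(load_hr_feed(HR_ROWS), ACTUAL)


if __name__ == "__main__":
    plan, findings = run_example()
    for uid, actions in plan.items():
        print(uid, actions)
    for finding in findings:
        print("FINDING", *finding)
```

The three buckets map directly onto the output: the grants for the joiner E4 and the missing entitlement for E2 are the efficiency win, the revocations of E1's admin right, E3's lingering access and the orphan account E5 are least privilege being enforced, and the findings list is what you hand an auditor. The deliberately simple choices (last HR row wins, an unknown title is flagged rather than stripped of access) are the kind of policy decisions a real deployment must make explicitly; a production engine would add approval workflows and time-bound access on top of this loop.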
But not all security leaders have realized the benefits they envisioned. Several organizations still handle their IGA processes manually, without a standardized IGA system in place. Some basic provisioning may have been automated, but the rest is done by hand. These businesses can jump directly to a modern IGA solution, but they should follow best practices and ensure their team is fully trained on the domain.
Many organizations have implemented a legacy on-premises IAM/IGA solution but are still not realizing the benefits above, and they are often stretched beyond their resources. These organizations struggle with custom code, which can make the cost of an upgrade exceed the price of the product itself. In addition, they experience resource bottlenecks because few people understand the custom code. It is challenging to address new requirements from the business, for example adding new systems, which in turn drives the need for new controls and processes. And many organizations struggle to obtain the visibility they need, not to mention the scalability. These shortcomings are prompting more organizations to move to a modern IGA solution. In fact, Gartner noted in July that "SaaS adoption for IAM services continues to grow, driven by digital transformation initiatives."
Examining modern IGA vs. legacy IGA
With SaaS-based modern IGA, organizations can implement streamlined processes without custom code to ensure business agility and easy upgrades. Benefits of modern IGA include support for best practices and the ability to define and modify business processes and controls through configuration (which is different from customization) and without the need for compilation.
Further, modern IGA provides automated updates and flexible deployment of changes: configuration changes are transported as change sets through a tiered deployment environment (such as development, test, and production), which eliminates redundant rework and keeps the tiers consistent.
Modern SaaS features also include higher availability of service and full access to operational insights. With this kind of system, it is much easier to bring data in from multiple sources and systems. Real-life data are never perfect, and a modern IGA solution helps you deal with imperfect data and remediate poor data quality, such as duplicate records and wrong job titles. And last but not least, a modern IGA solution supports a phased project approach that delivers value to the business fast. You want to avoid a big-bang implementation, and you do not want to start with a decoupled role-mining project that risks dragging on for years while the world continues to evolve.
Bringing it all together
A modern IGA solution combined with best practice processes and a proven implementation approach can dramatically improve an organization's ability to grapple with compliance, security, and trust in a far more efficient way. And that means security leaders can sleep a little better at night.
Morten Boel Sigurdsson is founder and president of North America, Omada.