Giving Control Back to the Business: Security for the Real World

Phil Allen, EMEA Director, Identity and Access Management, Dell Software Group

Seemingly every day we hear about another company being victimized by a hack or security breach. For example, in the UK, banking groups and governmental organizations such as Lloyds and Glasgow city Council have been reported as experiencing issues with data security recently. And while the majority of these breaches are from outside threats, the amount of loss a company sustains from an internal breach often far exceeds that of external breaches.

A report commissioned by the Department for Business Innovation and Skills (BIS) found that 93% of large UK organizations surveyed have experienced a security breach in the last year, with 87% of small businesses experiencing the same. The report also found that the average cost to a large organization is £450K- £850K, with it being £35- £65K for small businesses – so it’s clear we have a problem to solve.

The problem is that all too often approaches to protect security are not as efficient as they should be, and this is one of the reasons we see many businesses suffering from security breaches. Due to these poor approaches to security in the past, people think security tools always hamper employee productivity and impact business processes. In the real world, if users don’t like the way a system works and they perceive it as getting in the way of productivity, they will not use it and hence the business value of having the system is gone. Identity and access management (IAM) can be the missing link between effective security and keeping the cloud agile. IAM brings cloud security to the real world by ensuring protection while simultaneously keeping systems manageable from the end user, administrator, and executive viewpoints. IAM is about ensuring that the correct people have the correct access at the right time, building security into the cloud, or any system, from the start.  And the security that comes from IAM reflects the simple, common sense we apply in our everyday lives.

Who’s running the show?
Let’s keep in mind that people who ensure our security in our everyday lives are held to a high standard. Police officers, lawyers and judges serve as administrators who follow strict policies when they do their jobs. In the technology world, these people are better known as IT managers and administrators, and IAM ensures they are held to a standard that’s just as high. Police can’t search without a warrant: IT administrators can’t use root passwords without explicit permission within predetermined circumstances.

There are numerous ways to ensure your IAM project is a success. But we’ve noted that the most successful projects in this area are those that have endorsement from a top level. With this in mind it is encouraging to see that the business impact of data breaches are beginning to be taken seriously with 81% of respondents to the Department for BIS report, briefing their board or senior management on cyber risks. However the formality of a data governance plan within an organization is still not well used.

But we still need to get things done
Diversity is the norm. Dealing with that diversity is the challenge. And it’s up to IT to do it in a way that makes life easier for end users, saves money, improves security, and help achieve compliance.

As organizations grapple with these challenges, a few options have emerged:

1. Do nothing.
2. Address problems in isolated pockets.
3. Build a framework on top of everything.
4. Deploy a modular, integrated, business-focused IAM.

Data governance based on roles and responsibilities
Along with establishing who is accountable for the data, a data governance plan defines the level of access for each of those data stewards. The critical need to maintain regulatory compliance has changed the landscape for business today. With transparency and interconnectedness, businesses want governance and oversight to avoid potentially costly compliance breaches.

We recommend a number of measures to secure a good data governance plan:

1. Ensure visibility of relationships between data and people’s access to the data, highlight where access is risky, this will convince employees to participate in data governance as they’ll understand how what they see is relevant.
2. Make sure you are well-connected to your identity and access management solutions, because it’s not going to be possible to know who has access to what data without understanding who is who.
3. Incorporate risk scoring into your strategy in some way so you understand how making changes in access to data will affect your overall risk factor. Access to specific data may not seem to be a risk in isolation, but once it’s weighed with all the other access some individual may have through risk scoring, the potential troubles become clearer.
4. Connect your data governance solution to a means of provisioning and de-provisioning access to data. Make it possible for your business people to plug in to data governance through one interface. If they have to go to five different interfaces to perform all the various governance tasks you ask of them ─ such as governance of group membership, access requests, contractor access, and accumulated access ─ you’ll lose their attention.

The real-world approach to security
Looking to the future, it’s clear that organizations are placing attention on security, with 92% of organizations expecting to spend at least the same or more on security next year, according to the Department for BIS report.

However a common sense approach can be applied to every aspect of security using IAM. Controlling the administrators’ access is just the tip of the IAM iceberg. We’ll need every inch of that ice to deliver the promise of cloud and keep security intact while we do it.