The growing complexity of today’s IT environments, compounded by shrinking IT budgets and the adoption of new technologies such as cloud services and mobile devices, has exposed organisations to more risk than ever before.
As a result, organisations face a massive challenge: how do they balance the need for flexible and open access to their company’s IT infrastructure (so business can be conducted) with the need to mitigate risks associated with that access (so bad things don’t happen)?
Effectively managing IT risk requires corporate diligence above and beyond a simple security checklist. Companies must achieve a level of transparency and risk management that protects against the real security threats that exist inside their own organisation, not just those at the perimeter.
There are three primary strategies organisations should pursue to manage the risk that comes with securing their IT infrastructure.
1. They must instill a risk management discipline across the organisation
This requires a formal categorisation of risks in order to understand potential threats and vulnerabilities, and to implement the appropriate set of controls to balance the business’ need for convenience, usability, and availability against the security measures that mitigate risk. It includes implementing the controls needed to address specific access risks: workers who hold privileges they do not need, terminated workers whose privileges were never removed, accounts with no corresponding person in the HR system, and toxic combinations of privileges (for example, the ability both to create a vendor and to approve payments to it) that increase the potential for fraud.
2. To effectively address risk, organisations must deploy “identity intelligence” tools that provide visibility and improve control across large numbers of enterprise systems, applications and data
In order to achieve transparency and better manage risk, the organisation will need to inventory, analyse and understand the access privileges granted to employees, partners, and sometimes even customers, and be ready to answer the critical question on demand: “Who has access to what?” Compiling and correlating this data manually is usually not viable, because of the number of systems involved and the frequency with which user populations change (joiners, movers and leavers). An automated approach that collects entitlements from each system, correlates them with an authoritative record of who the users are, and can report on demand is therefore required.
3. The overall security strategy must foster collaboration between business staff and IT staff in order to effectively manage risk
Addressing risk requires business-level participation, as business managers need to align IT operational policies with business policies and priorities. Likewise, IT is in the best position to gather the data on who has access to what and report it back to the business owners, who are the ones able to decide whether that access is correct or not.
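The checks described under strategies 1 and 2 (unneeded privileges, terminated workers who still have access, accounts with no HR record, and toxic combinations) are straightforward once the entitlement data has been collected and correlated with an authoritative roster. The following Python script is an added illustration, not code from the original article or from any vendor's product: the HR roster, entitlement export, role model and segregation-of-duties rules are all constructed sample data, and the data shapes (a `(system, privilege)` pair per entitlement, a `(system, privilege_a, privilege_b)` triple per rule) are assumptions chosen for the example.

```python
"""Toy identity-intelligence pass over constructed data.

Correlates an HR roster with an entitlement export to answer "who has access
to what" and to flag the access risks the text names: privileges beyond a
user's role, terminated users with live access, accounts unknown to HR, and
toxic (segregation-of-duties) combinations.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    user: str       # account name as exported by the target system
    system: str     # e.g. "erp", "ad", "payroll"
    privilege: str  # system-specific role or group name


# Constructed HR roster (authoritative source): user -> (department, status)
HR = {
    "alice": ("finance", "active"),
    "bob":   ("finance", "active"),
    "carol": ("engineering", "active"),
    "dave":  ("finance", "terminated"),
}

# Constructed entitlement export, the kind of data a real identity tool would
# pull from each system's admin API or directory.
ENTITLEMENTS = [
    Entitlement("alice", "erp", "vendor_create"),
    Entitlement("alice", "erp", "payment_approve"),  # toxic pair with the line above
    Entitlement("bob",   "erp", "payment_approve"),
    Entitlement("bob",   "ad",  "domain_admins"),    # not part of the finance role
    Entitlement("carol", "ad",  "domain_admins"),
    Entitlement("dave",  "erp", "vendor_create"),    # terminated, access still live
    Entitlement("dave",  "ad",  "vpn_users"),
    Entitlement("ghost", "ad",  "vpn_users"),        # no HR record at all
]

# Constructed segregation-of-duties rules: (system, privilege_a, privilege_b)
SOD_RULES = [("erp", "vendor_create", "payment_approve")]

# Constructed role model: the (system, privilege) pairs a department should hold
EXPECTED = {
    "finance": {("erp", "vendor_create"), ("erp", "payment_approve")},
    "engineering": {("ad", "domain_admins")},
}


def who_has_access(system, privilege, ents=ENTITLEMENTS):
    """Answer 'who has access to what' for one system/privilege pair."""
    return sorted({e.user for e in ents if e.system == system and e.privilege == privilege})


def access_by_user(ents=ENTITLEMENTS):
    """Pivot the export into user -> set of (system, privilege)."""
    by_user = defaultdict(set)
    for e in ents:
        by_user[e.user].add((e.system, e.privilege))
    return by_user


def orphaned_access(hr=HR, ents=ENTITLEMENTS):
    """Live entitlements held by terminated users or by accounts HR knows nothing about."""
    out = []
    for e in ents:
        status = hr.get(e.user, (None, "unknown"))[1]
        if status != "active":
            out.append((e.user, e.system, e.privilege, status))
    return sorted(out)


def toxic_combinations(ents=ENTITLEMENTS, rules=SOD_RULES):
    """Users holding both halves of a segregation-of-duties rule on the same system."""
    by_user = access_by_user(ents)
    hits = []
    for user, privs in by_user.items():
        for system, a, b in rules:
            if (system, a) in privs and (system, b) in privs:
                hits.append((user, system, a, b))
    return sorted(hits)


def excess_access(hr=HR, ents=ENTITLEMENTS, expected=EXPECTED):
    """Privileges an active user holds beyond the role model for their department."""
    by_user = access_by_user(ents)
    out = []
    for user, privs in by_user.items():
        dept, status = hr.get(user, (None, "unknown"))
        if status != "active":
            continue  # already reported by orphaned_access
        for system, priv in sorted(privs - expected.get(dept, set())):
            out.append((user, system, priv))
    return sorted(out)


if __name__ == "__main__":
    print("erp/payment_approve:", who_has_access("erp", "payment_approve"))
    print("orphaned:", orphaned_access())
    print("toxic:", toxic_combinations())
    print("excess:", excess_access())
```

Note that `alice` holds exactly the privileges the finance role model grants and still trips the segregation-of-duties rule: a role model and an SoD rule set are independent controls, and a role that itself bundles a toxic pair is a finding for the business owner of that role, not something the excess-access check will surface. Each reported tuple is what would be sent to a business manager for review under strategy 3.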
Managing risk is no easy task, and certainly no single technology can address every aspect of it. But as organisations struggle to meet today’s business requirements, a governance-based approach to identity management lets them create a cross-department, enterprise-wide process with a layer of intelligence that provides the business insight needed to strengthen IT controls and reduce operational risk. The better a company understands which users have access to which corporate assets, the more realistically it can assess its potential security exposure.