According to the new 2016 Verizon Data Breach Investigations Report (DBIR), legitimate user credentials were used in most data breaches, with some 63 percent of them using weak, default, or stolen passwords. This may come as some surprise to businesses that are not yet victims of such breaches as they continue to utilize homegrown, piecemeal, or legacy identity access management (IAM) solutions. While your CIO is focused on perimeter defense, your challenge is to shift this focus to the need for a more robust, modern, and integrated IAM solution, which is easier said than done.
Old-school perimeter thinking focuses on preventing attacks against the network from the outside and on investing heavily in security solutions such as firewalls and malware protection.
The reality is that today’s intruder isn’t looking to crash through walls, but to simply and stealthily slip through an open door (as a matter of fact, new thinking requires you to assume they are already in your network). Now the situation is hackers stealing credentials, moving around the system, and elevating their privileges until they find the proverbial “pot of gold.” Some intruders are just being destructive; others sell your information for money.
C-level executives and IT professionals who are just focused on perimeter security are putting both their company and careers in serious jeopardy.
Convincing your CIO that more care needs to be taken to secure the identities and access rights of a growing user base requires a mental and priority shift as well as new solutions. Intelligent, modern IAM solutions address today’s security threats proactively, rather than reactively, via automation and consistent application of standards and policies.
To get CIO buy-in, you have to make the case for why the current method is putting the business at risk and why modern IAM solutions are the key to an agile, cost-effective, and highly secure business, which means abandoning the homegrown and legacy solutions.
Why Modern IAM Is Needed
- A business’ digital transformation is not only about surviving in the age of digital disruption, but also about thriving and gaining a competitive advantage, so CIOs must be highly focused on ways to move from legacy infrastructure to an adaptable, digital ecosystem. Digitally transformed businesses typically develop an ecosystem that blurs the lines between supply chain, partner, customer, crowd, and employee, and both strategy and execution are heavily influenced by this ecosystem. In this new digital landscape, where customers, partners, and employees all collaborate and share data with an increasing number of cloud-based software applications, access management challenges are a reality on a global scale. This situation means that identities must be authorized and managed and personal information protected. Failure to do so can result in data breach headlines, devastating fines, and loss of trust with customers and partners.
- A changing workforce is the new reality. According to Ardent Partners’ State of the Contingent Workforce Report, 32% of the average company’s overall workforce is contingent or contract-based, and this statistic is expected to grow to nearly 45% by the end of 2017. A Workforce 2020 study by Oxford Economics stated that 83 percent of executives plan to increasingly use contingent workers on an ongoing basis.
This fact creates pressure on businesses to meet the identity and access needs of a growing, revolving-door workforce. Contract and contingent workers need quick onboarding and access to business-critical systems in order to be productive, which is entirely outside the scope of homegrown access management solutions. Deprovisioning is equally important, as contingent workers (who are typically less vetted and less loyal) churn and new employees are hired. If contingent workers’ identities and access aren’t managed with the same rigor as full-time employees’, the organization is at risk.
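The joiner/leaver problem described above is concrete enough to show in code. The following is an added example, not code from the post or from any IAM product: it reconciles a constructed HR/contract feed against a constructed directory export and lists the accounts a modern IAM lifecycle process would provision, disable, or review (orphaned accounts with no HR record, contractors whose end date has passed, and contractors whose contract is about to expire). The record formats, the 14-day review window, and the sample users are all assumptions made for the example; a real deployment would pull both feeds from the HR system and the directory or identity provider.

```python
from datetime import date, timedelta

# Constructed sample HR feed (assumption: one record per person, with a
# contract end date for contingent workers and None for permanent staff).
HR_RECORDS = [
    {"user": "alice", "type": "employee",   "end_date": None},
    {"user": "bob",   "type": "contractor", "end_date": date(2016, 6, 30)},
    {"user": "carol", "type": "contractor", "end_date": date(2016, 12, 31)},
    {"user": "erin",  "type": "contractor", "end_date": date(2017, 3, 31)},
]

# Constructed sample directory export (assumption: login name, enabled flag
# and group membership, as a directory or IdP export would provide).
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "enabled": True,  "groups": ["staff"]},
    {"user": "bob",   "enabled": True,  "groups": ["staff", "finance-admins"]},
    {"user": "carol", "enabled": True,  "groups": ["staff"]},
    {"user": "dave",  "enabled": True,  "groups": ["staff"]},  # no HR record
]

# Assumption for the example: flag contractors in these groups for review.
PRIVILEGED_GROUPS = {"finance-admins"}
REVIEW_WINDOW = timedelta(days=14)


def reconcile(hr_records, accounts, today):
    """Compare the HR feed with the directory and return lifecycle actions.

    Each action is a tuple (user, action, reason) where action is one of
    'provision', 'disable' or 'review'. Disabling always wins over review so
    an expired contractor is never merely 'reviewed'.
    """
    hr_by_user = {r["user"]: r for r in hr_records}
    accounts_by_user = {a["user"]: a for a in accounts}
    actions = []

    # Leaver and review checks: walk every directory account.
    for acct in accounts:
        rec = hr_by_user.get(acct["user"])
        if rec is None:
            actions.append((acct["user"], "disable", "no HR record (orphaned account)"))
            continue
        end = rec["end_date"]
        if end is not None and end < today:
            if acct["enabled"]:
                actions.append((acct["user"], "disable", f"contract ended {end}"))
            continue
        if rec["type"] == "contractor":
            if end is not None and end - today <= REVIEW_WINDOW:
                actions.append((acct["user"], "review", f"contract ends {end}"))
            privileged = PRIVILEGED_GROUPS.intersection(acct["groups"])
            if privileged:
                actions.append((acct["user"], "review",
                                f"contractor in privileged group(s) {sorted(privileged)}"))

    # Joiner check: active HR records with no directory account at all.
    for rec in hr_records:
        end = rec["end_date"]
        if rec["user"] not in accounts_by_user and (end is None or end >= today):
            actions.append((rec["user"], "provision", "active HR record without account"))

    return actions


if __name__ == "__main__":
    for user, action, reason in reconcile(HR_RECORDS, DIRECTORY_ACCOUNTS, date(2016, 7, 15)):
        print(f"{action:<9} {user:<6} {reason}")
```

Run daily, a report like this is the minimum a homegrown process would need to match the deprovisioning rigor the post calls for; an integrated IAM solution performs the same comparison continuously and applies the disable and provision actions automatically rather than leaving them for an administrator to act on.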
- The rise of mobility is a clear indicator of the digital business shift, as the workforce must be productive from anywhere at any time. More people are working virtually, and with fewer people confined to an office, connection is necessary through technology on both traditional and mobile devices (often their own).
IT is no longer in control, as users are trusted to do the right thing with their own technology. This equates to an increased need for secure, remote access to applications and network systems for all employees, across all devices. A modern IAM solution will meet this requirement and make the device and location limitations of homegrown systems a thing of the past.
- The cloud-first business is now nearly ubiquitous and is a cornerstone of digital transformation, the changing workforce, and the rise of mobility. As companies move to the cloud, whether hybrid or all-in, there will be new security challenges. Company data is no longer within IT’s control, which means that security is only possible by ensuring the right people have access to it.
Just as your CIO has to build the stakeholder case for the efficiencies, agility, and ROI of migrating from legacy systems to the cloud stack (for example), so too can you see an opening to show how modern, integrated, and automated IAM is integral to that change.
- Shadow IT is now a fact of life due to the decentralized nature of the cloud. Departments and individuals within the workforce can implement cloud services for storage and usage without going through corporate-managed IT systems. Those services’ tendency to handle user authentication through their own mechanisms will continue to challenge notions of security control, not only because of their distributed nature, but because their single sign-on (SSO), multi-factor authentication (MFA), and federated identity management (FIM) support tends to be relatively immature.
That leaves businesses with no idea what accounts their employees are using on which cloud-based services, and no way to control the business data that might be stored on those services. Although social media services like Facebook and Twitter have pioneered identity federation by enabling log-ons to a range of third-party services, integrating those identities with corporate directory services remains a sticking point. As a consequence, the increasing use of cloud-based services is driving the need for better and more interoperable SSO, MFA, and FIM capabilities as part of an integrated and automated IAM solution.
Recognizing the more fluid nature of user authentication in the digital age may not have been your CIO’s immediate focus. That is primarily because he or she cannot see the connection between IAM and reaching the organization’s goals. Making the business case is about providing the CIO with information on how homegrown and legacy IAM solutions have major vulnerabilities and how a modern IAM solution is the cornerstone of future competitiveness, agility, and productivity in an ever-changing world.
Stay tuned for more in this blog post series, with Part 2: the rising stakes for IAM, including regulations, the growing security-threat landscape, and the pressure to do more with less; and Part 3: the benefits and cost savings of a modern IAM solution.