In the first installment in this blog series, we looked at the many trends in the business landscape today (digital transformation, a changing workforce, and the shift to cloud IT infrastructures, among others) that are driving the need for a more comprehensive and integrated IAM solution. In our second blog in this series, we will take a look at why evolving regulatory and threat landscapes, combined with shrinking IT budgets, have necessitated more robust, modern IAM solutions.
Increasingly Strict Regulatory Controls
A recent survey shows that 95 percent of large enterprises are still only “somewhat aware” of their legal obligations when it comes to complying with today’s privacy regulations. The evolving thoroughness of the auditing process and an increasing demand for varied and detailed reports are at the heart of what makes the audit and compliance process so long and expensive for businesses.
The problem for most businesses today is that while these landscapes have evolved, their legacy IAM systems have not, putting them at risk of failing an audit or—worse yet—a breach. Conducting audits with legacy IAM systems can be a nightmare, particularly with those lacking well-defined approval workflows and reporting.
The combination of regulatory change and heightened regulatory scrutiny is rightfully a top concern for corporate executives. In the early days of compliance regulations, fines were much smaller, so many businesses found it less expensive to pay the fine than to fix the problem. As the compliance regulations have evolved, what were once manageable fines have now become business-crippling penalties with huge fines and even jail time. For example:
- HIPAA fines for violations can reach up to $1.5 million.
- PCI penalties for non-compliance include fines from $5,000 to $100,000 per month, increased transaction fees, and termination of the banking relationship.
- GLB violations can result in imprisonment and individual fines of up to $1 million.
- Businesses spent, on average, $500,000 to more than $1 million on SOX compliance, according to the latest annual Sarbanes–Oxley Compliance Survey.
Ultimately, these penalties could lead to the demise of the company and the end of certain careers where someone must be held accountable.
To address increasingly strict regulatory controls, companies need modern IAM solutions that go beyond the light project management capabilities of annual campaigns by providing continuous access certifications that ensure entitlements are always up-to-date, while reducing the organizational burden of audit campaigns. Additionally, they need the targeted reporting capabilities of modern solutions that enable less-technical users to easily generate ad-hoc reports and make more informed decisions regarding access approvals and certifications.
The Growing Security-Threat Landscape
In 2016, malware is the greatest cyber threat to businesses, with more than 2,900 new ransomware modifications appearing in just the first quarter of this year, according to Kaspersky Lab's IT Threat Evolution in Q1 2016 report. Clearly, attackers are not only becoming more sophisticated, but they are becoming more successful. That being said, what is the weak link for businesses?
According to IBM’s 2015 Cyber Security Intelligence Index, 95 percent of all security incidents involve human error. Many of these are successful security attacks from increasingly sophisticated external attackers who prey on human errors in order to gain access to sensitive information.
Regardless of intent, a worker's negligent actions, such as losing a flash drive or falling for a phishing scam, can still leave a company in deep water. According to the 2016 Verizon Data Breach Investigations Report, legitimate user credentials were used in most data breaches, with some 63 percent of them resulting from weak, default, or stolen passwords.
Upon gaining network access, cyber hackers install information-stealing malicious software that can reside undetected on corporate servers for months or even years as they slowly expand their reach and access. The result is a slew of high-profile attacks in just the last several years. These include:
- The recent Sony hack, whereby attackers obtained and deleted terabytes of information, wreaking havoc on Sony’s movie-business interests
- The Target breach that exposed approximately 40 million debit and credit card accounts, with losses estimated at nearly half a billion dollars
The legacy IAM systems that are still in use in the majority of companies are clearly incapable of guarding against these new and greater threats. This is evidenced by:
- A lack of strong authentication methodologies, which protect a system from being accessed by someone who has legitimate credentials, but isn’t who they say they are.
- Poor or non-existent privileged access management, which results in administrative accounts being used excessively or shared between employees, opening up the organization to risk if an employee leaves or log-in credentials are stolen.
- Poor lifecycle management functionality, which leaves processes like deprovisioning and yearly access audits to manual, step-by-step methods that introduce human error.
- An inability to effectively support SSO for cloud applications and services, which is a necessity as organizations increasingly rely on cloud-based applications and IAM security around each app becomes vital.
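As an added example (not code from the original post or from any vendor's product), here is a small Python reconciliation that implements two of the lifecycle controls this list and the earlier compliance section call for: finding accounts whose owner has left the HR roster (the deprovisioning gap) and flagging entitlements that have passed their certification window rather than waiting for an annual campaign. The roster, accounts, entitlement records and the 90-day window are all constructed assumptions.

```python
"""Continuous access review: orphaned-account and stale-certification checks.

Added example, not from the original post. The HR roster, account list and
entitlement records below are constructed sample data; the 90-day
certification window is an assumed policy value.
"""
from datetime import date, timedelta

# Constructed sample data: employee ids currently active in HR.
HR_ROSTER = {"e100", "e101", "e102"}

# Constructed sample accounts: account name -> owning employee id.
ACCOUNTS = {
    "alice": "e100",
    "bob": "e101",
    "carol": "e102",
    "dave": "e103",        # e103 is no longer on the HR roster: deprovisioning gap
    "svc_backup": "e101",  # service account owned by a human sponsor
}

# Constructed entitlement records: (account, entitlement, last certified date).
ENTITLEMENTS = [
    ("alice", "finance-ledger-rw", date(2016, 5, 1)),
    ("bob", "hr-records-ro", date(2015, 11, 20)),
    ("svc_backup", "domain-admin", date(2015, 9, 1)),
    ("dave", "finance-ledger-rw", date(2016, 4, 15)),
]

CERT_WINDOW = timedelta(days=90)  # assumed policy: recertify every 90 days
REVIEW_DATE = date(2016, 6, 1)    # constructed "today" for the review run


def orphaned_accounts(accounts, roster):
    """Accounts whose owner is no longer on the HR roster; these should be disabled."""
    return sorted(acct for acct, owner in accounts.items() if owner not in roster)


def stale_entitlements(entitlements, today, window=CERT_WINDOW):
    """Entitlements whose last certification is older than the policy window."""
    return sorted((acct, ent) for acct, ent, last in entitlements
                  if today - last > window)


def access_review(today):
    """Run both checks and return the findings for the reviewer's queue."""
    return {"orphaned": orphaned_accounts(ACCOUNTS, HR_ROSTER),
            "stale": stale_entitlements(ENTITLEMENTS, today)}


if __name__ == "__main__":
    for kind, items in access_review(REVIEW_DATE).items():
        print(kind, items)
```

In a real deployment the roster and account list would come from the HR system and directory exports, and the findings would feed an approval workflow rather than a print statement.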
Even as stakeholders begin to see the inadequacy of current manual process-based IAM, they are pressuring IT to do more with limited financial resources.
Pressure to Do More With Less
It’s obvious that the high cost and complexity of identity-related compliance has put many CIOs and CTOs in a difficult position. This pressure comes from growing stakeholder security and compliance concerns coupled with stagnant or shrinking IT budgets that must resolve those concerns.
Legacy systems that require a significant hardware infrastructure and manual processes are notoriously expensive to maintain and update, with ongoing licensing fees, custom coding fees, and consulting fees incurred any time a change needs to be made. Even if an organization has these skills in-house, the nearly impossible quest to turn these legacy solutions into integrated and interoperable holistic solutions is equally draining in terms of manpower.
Unlike legacy systems, modern IAM solutions are highly configurable and don't rely on custom coding. As a result, they can be rolled out in a matter of weeks, not months or years, and can easily integrate with new applications without any custom code.
Overall, these comprehensive, automated, and integrated IAM solutions are far more user-friendly and self-service-oriented, which results in fewer calls to the help desk. These and other attributes of modern IAM lead to a lower total cost of ownership, better use of scarce resources, and lower IT workloads.