In the first installment in this blog series, we looked at the many trends in the business landscape today (digital transformation, a changing workforce, and the shift to cloud IT infrastructures, among others) that are driving the need for a more comprehensive and integrated IAM solution. In our second blog in this series, we will take a look at why evolving regulatory and threat landscapes, combined with shrinking IT budgets, have necessitated more robust, modern IAM solutions.
A recent survey shows that 95 percent of large enterprises are still only “somewhat aware” of their legal obligations when it comes to complying with today’s privacy regulations. The evolving thoroughness of the auditing process and an increasing demand for varied and detailed reports are at the heart of what makes the audit and compliance process so long and expensive for businesses.
The problem for most businesses today is that while these landscapes have evolved, their legacy IAM systems have not, putting them at risk of failing an audit or, worse yet, suffering a breach. Conducting audits with legacy IAM systems can be a nightmare, particularly with those lacking well-defined approval workflows and reporting.
The combination of regulatory change and heightened regulatory scrutiny is rightfully a top concern for corporate executives. In the early days of compliance regulations, fines were much smaller, so many businesses found it less expensive to pay the fine than to fix the problem. As the compliance regulations have evolved, what were once manageable fines have now become business-crippling penalties, including huge fines and even jail time. For example:
Ultimately, these penalties could lead to the demise of the company and the end of certain careers where someone must be held accountable.
To address increasingly strict regulatory controls, companies need modern IAM solutions that go beyond the light project management capabilities of annual campaigns by providing continuous access certifications that ensure entitlements are always up-to-date, while reducing the organizational burden of audit campaigns. Additionally, they need the targeted reporting capabilities of modern solutions that enable less-technical users to easily generate ad-hoc reports and make more informed decisions regarding access approvals and certifications.
In 2016, malware is the greatest cyber threat to businesses, with more than 2,900 new ransomware modifications appearing in just the first quarter of this year, according to Kaspersky Lab's IT Threat Evolution in Q1 2016 report. Clearly, attackers are not only becoming more sophisticated, but they are becoming more successful. That being said, what is the weak link for businesses?
According to IBM’s 2015 Cyber Security Intelligence Index, 95 percent of all security incidents involve human error. Many of these are successful security attacks from increasingly sophisticated external attackers who prey on human errors in order to gain access to sensitive information.
Regardless of intent, a worker’s negligent actions, such as losing a flash drive or falling for a phishing scam, can still leave a company in deep water. According to the 2016 Verizon Data Breach Investigations Report, legitimate user credentials were used in most data breaches, with some 63 percent of them resulting from weak, default, or stolen passwords.
Upon gaining network access, cyber hackers install information-stealing malicious software that can reside undetected on corporate servers for months or even years as they slowly expand their reach and access. The result is a slew of high-profile attacks in just the last several years. These include:
The legacy IAM systems that are still in use in the majority of companies are clearly incapable of guarding against these new and greater threats. This is evidenced by:
Even as stakeholders begin to see the inadequacy of current manual process-based IAM, they are pressuring IT to do more with limited financial resources.
It’s obvious that the high cost and complexity of identity-related compliance has put many CIOs and CTOs in a difficult position. This pressure comes from growing stakeholder security and compliance concerns coupled with stagnant or shrinking IT budgets out of which those concerns must be resolved.
Legacy systems that require a significant hardware infrastructure and manual processes are notoriously expensive to maintain and update, with ongoing licensing fees, custom coding fees, and consulting fees required any time a change needs to be made. Even if an organization has these skills in-house, the nearly impossible quest to turn these legacy solutions into integrated, interoperable, holistic solutions is equally draining in terms of manpower.
Unlike legacy systems, modern IAM solutions are highly configurable and don't rely on custom coding. As a result, they can be rolled out in a matter of weeks, not months or years, and can easily integrate with new applications without any custom code.
Overall, these comprehensive, automated, and integrated IAM solutions are far more user-friendly and self-service-oriented, which results in fewer calls to the help desk. These and other attributes of modern IAM lead to a lower total cost of ownership, better use of scarce resources, and lower IT workloads.