As companies make more extensive use of ever more capable – and complex – digital systems, what has remained constant is the innumerable paths left wide open for threat actors to waltz through.
So why hasn’t the corporate sector been more effective at locking down access for users? It’s not for lack of trying. I recently discussed this with Chris Curcio, vice-president of channel sales at Optimal IdM, a Tampa, Fla.-based supplier of identity access management (IAM) systems, which recently announced a partnership with Omada, a Copenhagen-based provider of identity governance administration (IGA) solutions.
Curcio walked me through how identity management technologies evolved over the past two decades. He pointed out how they’ve gone through a series of consolidations, including one unfolding right now. I found this historical overview to be quite instructive. It shed light on how we got to this era of companies struggling to secure highly complex networks, housed on-premises and in overlapping public and private clouds, while at the same time striving to optimize the productivity of employees and – increasingly – third-party suppliers and contractors.
Fortunately, the identity management space has attracted and inspired some of the best and brightest tech security innovators and entrepreneurs. And the encouraging news is that the best of them have, once again, begun to seek out alliances in an effort to elevate baseline protections. Here are takeaways from our fascinating discussion:
Access pain points
As this century began, and companies began assembling the early iterations of modern business networks, there was a big need for employees to log into company email systems and business applications. So along came a group of startups supplying “single sign-on” capability – a way for a user to access multiple applications with one set of credentials.
A separate set of startups soon cropped up specifically to handle the provisioning of logon accounts that gave access to multiple systems, and also the de-provisioning of those accounts when a user left the company. It wasn’t too long before the single sign-on suppliers and the provisioning vendors began to merge; most of the leaders were acquired by tech giants like Oracle, IBM, Cisco, CA Enterprises and Sun Microsystems.
Not long afterwards, in about the 2010 time frame, IAM vendors first arrived on the scene, including Optimal IdM, Centrify, Okta and CyberArk, followed by many others. These vendors all spun out of the emergence of a new set of protocols, referred to as federated standards, designed to manage and map user identities across multiple systems. The IAM vendors took single sign-on to the next level, adding multi-factor authentication and other functionalities.
“Our customers all have the pain point of wanting to have single sign-on for multiple applications, requiring capabilities like self-service and self-registration,” Curcio told Last Watchdog. “They also require either adaptive authentication, or multi-factor authentication in many scenarios.”
Next, along came the IGA startups like Omada, SailPoint and Saviynt, essentially to pick up where the first generation of provisioning and de-provisioning technologies left off. These vendors drilled down on “governance and attestation,” coming up with advanced ways to enable companies to monitor and report cyber risk profiles to government and industry auditors.
Governance and attestation quickly became a very big deal. This was because, as the complexity of business networks continued to intensify, so did the challenges of meeting data handling requirements under the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, and the Federal Information Security Management Act.
Added pressure came from having to also meet stringent new data security rules that took shape in the form of Europe’s General Data Protection Regulation, New York state’s Cybersecurity Requirements for Financial Services Companies and California’s Consumer Privacy Act.
“Compliance became a huge driver for governance and attestation,” Curcio said. “It has become vital to ensure you have proper controls on your systems. You want to try to make access as easy as you can for users, but you also don’t want to give them any more access than they should have.”
Big breaches continue
Yet even as IAM and IGA technologies steadily advanced, enterprises continued to struggle mightily with keeping data secure. Efforts to balance security and productivity sometimes backfired.
For instance, when several folks needed access to privileged accounts, it became common practice to write down usernames and passwords on slips of paper and pass them around. The accelerated use of third-party software development and cloud services only exacerbated this core dilemma.
A threat actor needed only to obtain, or spoof, the log-on credentials of a legitimate employee to get a foothold inside a corporate network, thus subverting millions of dollars’ worth of perimeter defenses. What’s more, malicious hackers progressed to gaining access by manipulating the log-ons related to millions of sensors, servers and third-party software associated with rising corporate use of cloud services and IoT systems. This is, in essence, how Uber got hacked last year.
Indeed, unauthorized access to confidential data continues to be the root cause for just about any headline-grabbing data breach you care to name. Over the years, massive data losses have been reported by Equifax, Yahoo, Google, Target, Anthem, Premera Blue Cross, Sony Pictures, Sony PlayStation, Home Depot, Deloitte, JP Morgan Chase, CitiBank, the NSA and the U.S. Office of Personnel Management, just to name a few. And the massive data breaches just keep on coming. Late last year, Starwood Properties, parent of the Marriott hotel chain, disclosed the loss of personal data for 500 million patrons.
In response, the tech behemoths playing in this space, led by Oracle, IBM, Cisco and CA Technologies, continue to steadily improve their IAM and IGA offerings. Meanwhile, an encouraging consolidation trend is gaining traction among specialized IAM and IGA suppliers. These best-of-breed vendors are joining forces to market and deliver service suites assembled to make a whole that is greater than the sum of its parts.
The recently announced Optimal IdM-Omada partnership is a case in point. “Omada is exactly what we were looking for in an IGA partner,” Curcio said. “Both companies are very customer-centric: Optimal IdM provides a fully managed service offering and Omada consistently gets high praise for their customer satisfaction results for their product. Our combined effort not only provides all the capabilities needed in an entire identity solution, but also some of the happiest and most successful customers.”
Veronika Westerlund, Omada’s Global VP of Channels & Alliances, contends the partnership will help enterprises solve a multitude of problems in a uniquely effective way. “Combining the Omada Identity Suite with Optimal IdM’s award-winning OptimalCloud and Virtual Identity Server (VIS) provides a secure, policy-driven SSO solution that incorporates Federation Services, and a single manageable console for initial authentication security policies,” she said. “It is truly a key differentiator in our industry and we are excited about using our partnership with Optimal IdM to help customers build their future IGA deployments with our best practice IdentityPROCESS+ framework.”
Both companies appeared in the latest Gartner Magic Quadrant for IAM and IGA, and based on the long, successful track records of these two vendors, I’d say they’re likely to succeed. This partnership, and others like it to follow in this space, will help make business networks incrementally more secure. It’s one more step in the right direction of advancing data protection technology and making digital commerce as private and secure as it needs to be.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(Editor’s note: LW provides editorial consulting services to some of the vendors included in our coverage.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-identity-access-and-governance-converge-to-meet-complex-data-protection-challenges/