It’s 10am on a sunny spring morning and Manhattan is buzzing with crowded sidewalks and yellow cabs flying by at light speed. Fresh from LaGuardia and having enjoyed the brisk morning walk, I open the giant glass door and enter a mega-lobby of fine marble; I've arrived. A quick sign-in process, a bag scan, and a rocket elevator ride, and I am seated in a conference room, greeted by some very concerned-looking security folks. "We have a big problem!" says one of them. "The CIO discovered an open file share while browsing the network. He poked around and found a ton of mortgage documents full of sensitive information. Not good! We need to get this fixed."
During my time as founder and CTO at STEALTHbits Technologies, this was just one example of many shocked customers that sought our help to solve a data security crisis. "We have no idea how many more of these shares are out there." Organizations would discover unprotected data that put them at risk and then issue an emergency mandate to find and clean house; they wanted to make it secure - yesterday!
The question is, how did it get this way? It’s not as though the organization didn’t care about security and then suddenly did.
In my experience, one of the leading causes of this was procrastination. Not intentional human procrastination but process procrastination. In every organization, there are key trigger events where analysis and remediation processes should kick in. Examples might be role changes, departmental leadership changes, project lifecycle events, and terminations. Responding to these events will allow an organization to avoid the backlog of issues that ultimately lead to major data liabilities, and a very unhappy CIO.
The simple answer: usually because the problem outpaced the tools to solve the problem - and so not knowing led to not doing. To solve this problem the organization would have to put in place processes for key organizational events. Designing the process would have been a first step, but it would likely have never left paper. Manual fulfillment would not have been conceivable. The only way to successfully pull this off is with automation. But most automation tools are such an undertaking that they fall into another bucket of corporate strategy: the catch-all automation initiative. And that's usually focused on business process automation rather than information technology automation.
This is where identity automation comes in. Identity automation is a special type of automation that is designed for the needs of IT teams. It's about responding to the many events that occur during the lifecycle of an employee, project or department. As a central hub that receives incoming events from an organization's HRMS, IGA and ITSM (and any other system for that matter), the identity automation platform provides the organization with the ability to respond using lightweight, IT-centric automation. In many cases, that might involve an attestation workflow, maybe a notification, and in some cases, a data permissions change. But whatever the case, with a well-designed identity automation technology, it goes from process design to implementation in days.
While these two disciplines are typically addressed with very different solutions, they are fundamentally two sides of the same coin. Identities create data, the data is stored, and when an identity changes, that's the time to examine the data and determine what to do with it. Today, in most organizations, this is an unprocessed event; a missed opportunity. The event exists, and often an IGA solution will perform some basic operations, but real identity automation does not occur. And herein is the procrastination. By leaving this event unprocessed, we end up with the need for data cleanup and in some cases, a crisis when unprotected sensitive data is discovered. Using identity automation, an organization can maintain a clean house, responding to every identity event with suitable processes that ensure sensitive data is re-provisioned and secured in real-time, avoiding the aftershock that inevitably comes later. A relatively simple and low-cost investment can streamline identity operations and prevent downstream emergency data access governance projects. DAG becomes an audit, rather than a fix.
Read more about the Readibots Platform and how it can help you avoid security procrastination.