Business Reporter

Identity data and regulatory compliance


Wade Ellery at Radiant Logic explains why identity data is a secret treasure chest for complying with regulations

 

Since the introduction of the General Data Protection Regulation (GDPR), keeping personal information protected and secured has never been more important. Businesses are now expected to keep personal data safe, and failure to do so can incur costly penalties, with fines potentially reaching £17.5 million or 4% of annual global turnover, whichever is greater.

Governing data and ensuring compliance with regulations is essential, but it can be a challenge. Over the last couple of decades there has been an explosion in the number of digital identities stored by organisations, often scattered across multiple systems. Controlling and managing identity data has therefore become much harder, which ultimately raises the risk of breaching regulatory requirements.

Data privacy laws such as GDPR are the trend, not the exception, with more and more countries introducing newer and much tougher regulations. It is therefore crucial to understand how organisations can fix their identity sprawl problem and, more importantly, gain complete control over identity data for the long term.

Identity data: a recurring nightmare

Identity is the beating heart of a modern organisation, from governing how employees and systems can access hardware and software assets to helping provide the best user experience for customers.

 

Naturally, as organisations grow their IT environments and develop new programs, their identity sprawl grows in step. Since the pandemic the focus has largely been on two major IT projects, digital transformation and migration to the cloud, both of which have exacerbated the identity management problem and brought it to the forefront of organisations’ attention.

The expansion into multiple cloud providers and applications means that IT environments are left with a disjointed collection of unconnected systems. Each new cloud instance or application comes with its own set of siloed digital identities, resulting in each employee connecting to an ever-increasing number of accounts.

As a result, IT teams lose track of these identities, making it virtually impossible for them to build accurate and complete user profiles. When insight into users and identity data is lost, it only leads to a large number of redundant, overprovisioned accounts – widening the attack surface of organisations and opening gaps for threat actors to exploit.

 

Ultimately, without visibility into identity sources, IT teams lack control and management over identity data. Without accurate user profiles, IT teams and systems are unable to figure out which users should be accessing what in order to fulfil their job and what accounts might need to be scaled back.

 

This can create highly privileged accounts that have built up years’ or even decades’ worth of access, leaving them as sitting ducks for cyber criminals. The lack of visibility can also lead to inadvertent leakage of personal or regulated identity data.

Failure to manage identity data can deal companies two massive blows: they become more vulnerable to cyber criminals, and they are at risk of receiving an enormous fine from regulators.

Regulatory consequences of not managing identity data

Managing identity data is essential not only to prevent sensitive information from being stolen but also to avoid stiff financial penalties. Looking at the causes underlying recent fines handed out under the UK and EU GDPR, the common thread is identity data management and governance.

Bocconi University was fined €200,000 after the Italian Data Protection Authority discovered that the same student information had been placed into multiple, fragmented documents, violating the GDPR principles of fairness, transparency and lawfulness in data processing.

Sprawling and disconnected identity data means that IT teams do not reliably know where identity data is stored or whether they are creating duplicates. For example, how do you know that John Smith in the sales database is the same person as JSmith in marketing? The greater the uncertainty, the larger the risk of a breach or of a regulatory finding that leads to fines.

Identity data is also the cornerstone of most modern security projects and initiatives such as Zero Trust. The model works on the principle of least privilege: users are granted access only as they need it, once they have been authorised. To make such informed policy decisions, however, decision engines need accurate and up-to-date user profiles.

With identity data scattered across multiple, disconnected sources, such decisions cannot be made accurately. This means that IT teams cannot be fully confident that the access being granted to a user is not a threat. One of the most notorious GDPR fines was incurred by British Airways, which was fined £20m for failing to limit access to applications, data and tools. Once again, it comes back to the issue of not knowing who has access to what and reliably being able to prove it.

 

As mentioned above, the focus on cybersecurity and data privacy has never been higher, and with it comes more regulation. Organisations must have strong identity management principles that ensure compliance with current regulations and with the revised versions that will follow.

How to manage and govern identity data

Gaining control over identity data starts with visibility across the IT environment. This ensures that organisations gain global insight into every user, every application, every account and every resource, which secures the network and drives compliance.

 

Businesses need to streamline and unify identity data into a common identity data fabric. This allows IT teams to access complete user profiles in which identity data is continuously updated in real time. With this information, organisations can then start making smart decisions around authentication, authorisation and personalisation.

IT teams also have complete visibility across all identity data stores, making it easier to spot anomalies and providing new insight to support security projects such as Zero Trust. Organisations can then start to close the major security gaps created by IT debt and identity sprawl.

 

By having one global user profile aggregated across all the disparate sources of identity, IT teams can also start to automate tasks and processes. Provisioning and de-provisioning can be driven from that single resource, fed by all the identity data sources, instead of IT teams having to perform each task manually, system by system.

This means that accounts are set with the correct privileges or, more importantly, removed from the system altogether. The risk of an orphaned account or data leakage causing a security breach or an enormous GDPR fine is significantly reduced.
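The correlation step that the last three paragraphs describe, as an added example that is not Radiant Logic's code or product: an HR feed is treated as the authoritative source, accounts from siloed systems are matched to it by normalised email or a first-initial-plus-surname username convention, and the unified profile is then reviewed for orphaned accounts, accounts still held by leavers, and duplicates. All records below are constructed sample data.

```python
# Added example, not Radiant Logic's code: correlate siloed accounts into one
# profile per person and flag access that a single view shows should go.
from dataclasses import dataclass, field

@dataclass
class Profile:
    employee_id: str
    status: str                      # "active" or "terminated" in the HR feed
    accounts: list = field(default_factory=list)

def candidate_keys(name, email):
    """Normalised email plus the 'jsmith' (first initial + surname) convention."""
    first, _, last = name.strip().lower().partition(" ")
    return {email.strip().lower(), first[:1] + last.replace(" ", "")}

def build_profiles(hr_records, accounts):
    """HR is authoritative; returns profiles with matched accounts and the rest."""
    index, profiles, unmatched = {}, {}, []
    for rec in hr_records:
        prof = profiles[rec["id"]] = Profile(rec["id"], rec["status"])
        for key in candidate_keys(rec["name"], rec["email"]):
            index[key] = prof
    for acct in accounts:
        keys = {acct.get("email", "").lower(), acct["username"].lower()}
        prof = next((index[k] for k in keys if k in index), None)
        if prof is None:
            unmatched.append(acct)   # nobody in HR owns this account
        else:
            prof.accounts.append(acct)
    return profiles, unmatched

def review(profiles, unmatched):
    """Orphans, leavers' accounts and duplicates within one system."""
    findings = [("orphan", a["system"], a["username"]) for a in unmatched]
    for p in profiles.values():
        if p.status == "terminated":
            findings += [("terminated", a["system"], a["username"]) for a in p.accounts]
        systems = [a["system"] for a in p.accounts]
        findings += [("duplicate", s, p.employee_id) for s in set(systems) if systems.count(s) > 1]
    return sorted(findings)

HR = [  # constructed sample HR feed
    {"id": "E100", "name": "John Smith", "email": "john.smith@example.com", "status": "active"},
    {"id": "E200", "name": "Ana Costa", "email": "ana.costa@example.com", "status": "terminated"}]
ACCOUNTS = [  # constructed accounts from three siloed systems
    {"system": "sales", "username": "John Smith", "email": "John.Smith@example.com"},
    {"system": "marketing", "username": "jsmith"},
    {"system": "marketing", "username": "jsmith2", "email": "john.smith@example.com"},
    {"system": "sales", "username": "acosta", "email": "ana.costa@example.com"},
    {"system": "crm", "username": "svc_legacy"}]
```

Running `review(*build_profiles(HR, ACCOUNTS))` on the sample data reports the unowned `svc_legacy` account, the leaver's `acosta` account and John Smith's duplicate marketing accounts, each of which is a candidate for de-provisioning from the single profile view.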

 

Ultimately, identity data is at the heart of every business, and it can be seen by organisations as an enabler for security or its weakest link. By properly managing and governing identity data, businesses can use it as a tool to improve security posture and minimise risk.

 


 

Wade Ellery is Field Chief Technology Officer at Radiant Logic

 


© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543