Identity has become a matter of the utmost importance. Because of these different factors, identity governance is more important than ever. Let’s look at how it can be used to better control access to data and information, and how this ultimately helps organizations ensure their users are really who they say they are.
Personal data dumps
Our data is being collected everywhere these days — and not every company is as scrupulous about protecting it as others. Alongside this development, companies are creating extremely valuable caches of personal data that are of great interest to cybercriminals. In fact, they are gold mines.
In one of the latest cyber incidents, T-Mobile announced that the names, Social Security numbers, information from driver’s licenses and other sensitive information belonging to more than 40 million former and prospective customers were exposed in a data breach. Much of this data was also exposed for 7.8 million current customers.
These are massive amounts of information that companies are collecting and that they need to be good stewards of — but unfortunately, this isn’t always happening. And what about when a company or entity that collects such information shuts down, such as a mobile COVID-19 testing site? Where does that information go?
Understanding the implications
Individuals are starting to have more concerns over such data collection, and the demand for privacy is likely to continue to grow. At the same time, most governments are trying to balance regulation with providing a competitive environment for businesses — and finding those historic data dumps (like the ones mentioned above) is particularly difficult. They can easily fly under the radar without any regulators even being aware that these data dumps exist. Policy enforcement further complicates this situation.
For example, three years after GDPR was passed, many organizations are still struggling. The GDPR’s enforcement agency issued more than $200 million in fines in 2020, but that was just the warm-up. As of August 2021, fines totaled more than $1 billion.
Individuals don’t always have much choice in the matter; they can give their information to companies and entities or be denied service. In some cases, they aren’t even fully aware that their information is being collected. But at some point, we’re all going to have to start taking more responsibility for our own personally identifiable information (PII) because it’s clear that companies aren’t all going to do their part.
Identity governance for an identity-first strategy
The relevance of “identity-first security” is increasing year by year. In fact, Gartner listed identity-first security as one of its Top Security and Risk Management Trends for 2021. In a world that is aware of the importance of personal data, security will be enforced by several factors. Decentralized identity, access control, implementing the need-to-know principle and strong access governance that allows forensics after a breach are all essential factors in reducing a company’s attack surface.
Today, identity governance and administration (IGA) solutions provide a great amount of typical functionality out of the box, making it easy to implement best practices. Also, the trend of IGA as a Service removes administrative overhead and simplifies business continuity planning and other important topics like scalability. Both factors are making modern IGA solutions attractive for a larger-than-ever group of organizations.
Enterprises that thoroughly apply identity-centric security solutions demonstrate that they care for the data they control. They are raising the bar against data leakage and misuse, which is key for authenticity in a fully digitalized world.
Identity governance as a competitive advantage
Organizations have a real problem today with data breaches and the lack of protection of sensitive information. There are a lot of established companies that are just now starting to understand the implications of having a digital presence and what their responsibility is for the personal information they collect from employees, customers and other sources.
The silver lining in this situation for many organizations is that taking an identity-centric approach to how they store and collect information can actually be a differentiator. It shows their customers that they can be good stewards of that information. That builds trust and frees customers from the nagging worry about being part of the next data dump.
IGA and the fight for data security
Modern technologies and dumps of personal data make it increasingly difficult to tell whether a person is who they say they are. Yet, online identity is critical in today’s digitized world — both for consumers to conduct their affairs and for companies to trust those with whom they do business. Companies have a legal obligation to safeguard all the data they obtain. Identity governance has never been more important. Implementing the concept of identity-first security with effective IGA will help organizations not only secure that data, but demonstrate an important market differentiator as well.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.