The Relative Importance of Identity

Recent global trends and events (we don’t need to go there – we all know what they are!) have been reshaping the agenda of the Chief Information Security Officer (CISO) in ways that we could not have imagined five years ago. 

My various roles over the past decade have bought me into plenty of contact with CISOs and their teams across a variety of organizational types and sizes and, from these interactions I feel like I have developed a pretty keen sense as to “what is important” to leaders in these positions. 

Two years ago (not coincidentally, mid-way though the global pandemic), I started to detect a change in CISO dialogue. IT security priorities had morphed from a focus on malware attacks and network security into themes such as operational effectiveness in hybrid operating models (driven by work-from-home), IT-enabled employee retention (in response to “the great resignation”) and improvement in ransomware resilience (as ransomware attacks scaled to take advantage of the potential for huge returns from enterprise targets). I also started to notice that a closer look on all these priorities revealed a technical requirement that is common to each, and rapidly becoming a board-level topic. Digital Identity Management.

In an increasingly digitized world, with employees working remotely and ever-more reliant to digital applications and platforms, the ability to both centrally manage and secure digital identities is becoming a pervasive topic for CISO’s everywhere. To take the topic to its logical conclusion, centralized digital identities soon will form a foundation of our digital society.  

In fact, it was this observation that led me to make a career jump from the world of more traditional security domain topics such as endpoint security, data loss prevention and malware detection to a career at One Identity and Digital Identity Management. 

As the CISO conversation turns to digital identity and the ability to better enable the business through that function, it becomes apparent that there are a both tactical and strategic requirements that deserve attention from every security organization. 

Tactically, great strides have been made in discrete areas of Digital Identity Management in recent years. Focus and demand for topics such as User Access Management (How do I get my users to their applications quickly and securely?), Privileged Access Management (How can I layer extra security around my most privileged user accounts?) and Identity Governance (How do I ensure that identity policy is aligned to my preferred risk postures?) have seen the maturity of technology and process in these domains increase and these can go a long way to help meet the demands of the CISOs new agenda. Indeed, we are seeing forward-thinking business experience great success in the deployment of solutions in these areas. 

For example, Qonto is a leading European business finance solution serving more than 220,000 clients in 4 countries (France, Germany, Italy, and Spain). As is true of many fast-growing companies, Qonto calls upon a combination of employees and contractors to support its business. Previously, when onboarding, both employees and contractors received multiple emails with passwords to relevant applications. Workers struggled to know who to turn to when they experienced app access issues. For many teams, onboarding quickly became an exponential nightmare as Qonto welcomed up to 20 people every two weeks and provided access to as many as 60 applications.  

Deployment of One Identity’s Access Management solution (a full case study can be found here) meant that employees and contractors joining the workforce saw their access permissions and rights set automatically, based on their role and/or groups. This reduced friction during onboarding, enabling workers to access needed apps without delay. At the same time, Qonto no longer needs to dedicate one engineer to spend a full day every two weeks provisioning app access for new joiners since the solutions handles this automatically.  With Access Management in place, Qonto doesn’t have to worry about identity security as it scales and yet knows new workers are empowered to work efficiently on day one. 

A major hotelier recently worked with One Identity to implement a solution to protect their most sensitive and privileged user accounts. You can read all about it here. 

When people check into a hotel, a complex web of digital processes facilitate reservations, payments, personalized room settings and other core services. Privileged IT users, such as system administrators manage these supporting systems around the clock to ensure they’re operating as they should. At the same time, these privileged IT users must comply with dynamic corporate requirements and regional regulations that govern the system and data access. Theft of these privileged credentials and the access that they allow the holder has long been a “holy grail” for cyber criminals.  

The hotelier’s agility was tested when the pandemic temporarily closed some of its hotels. Suddenly, many globally managed properties needed remote privileged access to systems. To ensure that all these privileged sessions were configured and managed in compliance with the unique requirements of each individual property, the organization leveraged a Privileged Access Management solution from One Identity. The Director of Infrastructure explains, “In a number of weeks, we went from managing zero remote privileged connections a day for some hotels to more than hundreds a day.” 

In another great example of improvement in Digital Identity Management tactics, Aflac, the largest provider of supplemental insurance in the United States have implemented One Identity’s Identity Governance & Administration (IGA) solution to support its massive business growth (and, in turn, huge influxes of new employees and contractors), ensure compliance with industry standards and achieve huge cost savings through automation of previously manually intensive tasks. More on this case-study can be found here. 

An important business driver at Aflac was consolidation. Their implementation of the One Identity solution helped to consolidate 6 Digital Identity Management solutions into just one. This raises an interesting and important point about “ways forward” for Digital Identity Management solutions. The tactical examples of maturing Digital Identity Management are encouraging. CISOs and their teams can already meet some of the demands that are emerging from new business priorities and show significant improvements in operational effectiveness, the enabling of hybrid operating models and digital risk reduction through the implementation of Access Management, Identity Governance and Privileged Access Management solutions.  

There is work left to do, however. I cannot help but notice that the technology domains now evidenced under the banner of Digital Identity Management are already fragmented. This is, to a certain extent, the natural order of things in technology. As new demands for IT evolve, we often see a deluge of disparate solutions emerge, fragmented marketplaces develop and, later, a consolidation of these markets and convergence of the solutions that have evolved within them. 

Digital Identity Management is already fragmented across Access Management, Identity Governance and Privileged Access Management solutions. To build a comprehensive suite of Digital Identity Management solutions, you would need to add Active Directory Management, Correlation, Advanced Analytics, Visualization and other technology enablers to this list. Today, each of these categories are represented by a myriad of software vendors.  

CISOs should be looking for partners here who are bringing these categories together, creating tight integrations between them and delivering more than the sum of their parts to reduce the administration costs and risks associated with discrete Identity Management solutions.