We are hearing much more about digital identities and how to manage them in healthcare. Have you thought about why some organizations could be headed towards unforeseen security risks?
Identity Governance & Administration (IGA) has always been part of the overarching Identity and Access Management category, but let’s first tackle why IGA is changing and why there are differing ways of looking at digital identities and addressing security concerns.
The healthcare industry is catching up to other industries that already look at identity in a broader context. Historically, many healthcare organizations focused on the access portion and on making access streamlined. Then the focus shifted to securing the perimeter with two-factor/multi-factor authentication. Now healthcare organizations are moving away from a per-application or network-access perspective toward one that emphasizes what each digital identity has access to. Auditors also think in terms of preventive and detective controls, and security professionals are now adopting that methodology as well.
The security risks associated with identities continue to increase, requiring more time and resources to manage the threats. Stolen employee passwords and account hygiene problems such as inactive accounts and accounts with excessive privileges are commonly cited as being behind roughly 90% of data breaches. These are often hidden security risks that an organization doesn’t see until the breach has happened.
However, the starting point for moving to this new way of managing identities varies by organization and should be developed around the organization's unique requirements and objectives. The approach at a Fortune 500 nationwide bank is different from the approach for a local urgent care clinic, because their businesses operate differently. It is also very important to recognize that IGA is not a destination or a project; it is a journey or program with risks that are specific to you and your business.
A security professional at one organization said it this way, "Our goal is to make the security posture of my organization better than it was the day before."
In this post, I'll cover what to consider when planning an identity governance program.
Start by Assessing Organizational Readiness
Having worked with many customers, we’ve been able to gather feedback from organizations in all stages of implementing identity programs - from initial planning stages to partial or even full implementation of the program. This experience has shown that organizations are substantially more successful at deploying IGA programs when they consider a few high-level elements such as:
- Does your organization have a strategy for identity?
It’s helpful to have an idea of where you’re intending to go and what it will look like when you get there. Absent a cohesive vision and strategy, you may successfully deploy aspects of an IGA program, however, it’s likely to be less efficient and effective. A clear vision helps with the essential elements of your program including prioritization and cost.
Focus on: Future Goals > Guidance for Employees > Ownership and Accountability
- Is your culture supportive of your strategy?
In most organizations, an IGA program requires some level of cultural change. Aligning your culture with your strategy can impact the time required to deploy your IGA strategy and, more important to the ultimate success, the time required to realize value. It’s important to remember that IGA is NOT an IT initiative, it’s an organization-wide initiative.
Focus on: Culture-Defining Behaviors > Culture Complementing Strategy
- Do you have the people to execute and maintain the strategy?
As technology advances, IGA is evolving into a specialized discipline. Sustainability is more achievable with the right resources providing adequate focus. Where internal staffing is not possible, cloud services (SaaS) and managed services can supply the skills needed to carry out your organization's strategy.
Focus on: Investing in the Right Team > Alignment with Culture
Identify Data Access Points
Can you answer who is accessing your data, where and how? Do you know where the source of truth is for auditing and compliance teams? Depending on where your organization currently is in your IGA journey, you may have different answers. However, all IGA programs require planning for a business transformation, so an understanding of where you are today is key.
IGA gets the right access to the right people in the right way, at the right time, and for the right reasons, thus enabling the right business outcomes. This applies not only to people but to data as well. IGA programs also include non-employee and non-human identities (contractors, vendors who need credentials to connect to servers, service accounts, students in training programs, and so on).
Ultimately, you will be planning for a sustainable program that provides answers to questions like those presented here and maintains controls that both prevent security issues from occurring, and detect them if they do occur.
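The kind of detective and preventive control the paragraph above asks for, as an added example that is not code from the original post or its author: a Python access review over a constructed identity inventory that flags the hidden risks named earlier on the page (dormant accounts, dormant privileged accounts, non-employee accounts past their end date, service accounts with no accountable owner) and then refuses new entitlements to any identity with an open finding. The inventory records, the 90-day dormancy threshold and the review date are all assumptions made for the example.

```python
"""Detect and prevent controls over an identity inventory (added example)."""
from collections import Counter
from datetime import date

# Assumed review date and dormancy threshold; both are illustrative choices.
REVIEW_DATE = date(2024, 6, 1)
DORMANT_DAYS = 90

# Constructed sample inventory (not real data): the joined view of HR,
# directory and ownership records that an IGA program maintains.
IDENTITIES = [
    # id, identity type, privileged?, last login, accountable owner, engagement end
    {"id": "jdoe",        "type": "employee", "privileged": True,  "last_login": date(2024, 5, 30), "owner": "jdoe",   "end_date": None},
    {"id": "rsmith",      "type": "employee", "privileged": True,  "last_login": date(2024, 1, 15), "owner": "rsmith", "end_date": None},
    {"id": "vendor-acme", "type": "vendor",   "privileged": False, "last_login": date(2024, 5, 28), "owner": "jdoe",   "end_date": date(2024, 3, 31)},
    {"id": "svc-backup",  "type": "service",  "privileged": True,  "last_login": date(2024, 5, 31), "owner": None,     "end_date": None},
    {"id": "student-22",  "type": "student",  "privileged": False, "last_login": date(2023, 11, 2), "owner": "rsmith", "end_date": None},
]


def detect_findings(identities, today=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Detective control: return (identity id, finding code) pairs for the hidden
    risks an access review should surface. One identity can have several findings."""
    findings = []
    for ident in identities:
        idle_days = (today - ident["last_login"]).days
        if idle_days > dormant_days:
            # A dormant privileged account is the higher-risk case, so it gets its own code.
            code = "dormant_privileged" if ident["privileged"] else "dormant"
            findings.append((ident["id"], code))
        if ident["end_date"] is not None and ident["end_date"] < today:
            # Non-employee whose engagement ended but whose account was never deprovisioned.
            findings.append((ident["id"], "past_end_date"))
        if ident["type"] == "service" and not ident["owner"]:
            # A service account without an owner is one nobody will ever certify or remove.
            findings.append((ident["id"], "unowned_service_account"))
    return findings


def summarize(findings):
    """Count of open findings per code: the figure a program owner tracks over time."""
    return dict(Counter(code for _, code in findings))


def may_grant_access(identity_id, identities, today=REVIEW_DATE):
    """Preventive control: refuse new entitlements to an unknown identity or to one
    with an open finding, so the request must clear review instead of adding to the debt."""
    open_ids = {ident_id for ident_id, _ in detect_findings(identities, today)}
    known = {ident["id"] for ident in identities}
    return identity_id in known and identity_id not in open_ids


if __name__ == "__main__":
    for ident_id, code in detect_findings(IDENTITIES):
        print(f"{ident_id:12} {code}")
    print(summarize(detect_findings(IDENTITIES)))
    print("grant to jdoe:", may_grant_access("jdoe", IDENTITIES))
    print("grant to rsmith:", may_grant_access("rsmith", IDENTITIES))
```

In a real program the inventory comes from the HR feed, the directory and the ownership records rather than a literal, and each finding becomes a review task for the named owner; the point of the example is that the same data answers both the "who has access, and should they?" question and the auditor's preventive/detective question.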
Communicate the Business Benefits
Achieving buy-in for an IGA program often hinges on understanding the business benefits above and beyond just improving security. Many organizations don’t consider the range of expenses that are tied to their identity governance strategy until they find themselves suffering from a breach or cybersecurity attack. When implemented properly, IGA provides substantial savings on things like:
- Lost productivity
- Cyber insurance premiums
- Audit fees
- Bond ratings (based on financial audits)
- Litigation costs and penalties
Prepare for Risks
To avoid the hidden, unforeseen security risks, the best place to start is by understanding your organization and planning now. The good news is that it doesn’t cost anything to think ahead and plan. Tailor your solution to your organization:
- You don’t have to build and implement a complete IGA strategy all at once. Start with the challenges that your organization is currently facing.
- The security landscape is changing continually, so work to create a stepped plan that will get you closer to your goals, in a way that makes the most sense for you.
- An IGA program will look different for each organization based on need, people, and culture.
- The risks will still be there, but you will be better prepared to navigate around them if you start planning now.
It’s important to remember that prevention begins with planning. It’s not if a breach or cybersecurity attack will happen, it’s when.
Assess your current identity governance strategy and whether it aligns with your vision. Remember that IGA is not an IT initiative; it is organizational and brings cultural change. Align your culture with your strategy, and communicate the business benefits and cost savings that are often not considered until after a security event. At the end of each day, the goal should be to make your security posture better than it was yesterday.