Traditional identity solutions focus on access to applications, but that misses as much as 80 percent of corporate data.
We’ve entered the age of access governance. Organizations need to know who has access to what data and how they were granted that access. Identity and Access Governance (IAG) solutions address these issues while managing enterprise access. They provide visibility into access, policy and role management, and risk assessment—and they facilitate periodic entitlement reviews of access across numerous systems. Most enterprise IAG solutions are missing a key piece to the puzzle, though: unstructured data.
Over the past five years, research has concluded that nearly 80 percent of enterprise content is unstructured. That means data doesn’t exist in a managed format where access is granted via a formal application or process. While that percentage is holding steady, the actual amount of unstructured data is growing consistently. Many organizations estimate an annual data growth rate of 30 percent to 40 percent across their file systems.
So why do the systems designed to manage risk and control access across the enterprise ignore 80 percent of the data? The answer is partly historic, partly technological and partly business-related. IAG solutions grew out of Identity and Access Management (IAM) solutions. Many of the top IAM vendors have introduced IAG solutions to supplement their offerings. The two leading independent IAG vendors were both founded by veterans of the IAM space. This is significant because IAM solutions have traditionally focused on access to applications instead of data. Those providers simply transitioned that architectural design into their current IAG solutions.
In their earliest iterations, IAM provisioning systems simply synchronized user accounts from one data store to another. They grew to enable password management, single sign-on, advanced access management workflows and other access-management functions. The primary focus, however, has always been managing user accounts and user access to applications.
At a basic level, today’s IAG solutions report on which accounts exist for each application or which users have the ability to authenticate to that application. At a deeper level, they might also answer what those accounts are authorized to do within certain applications. They answer these questions by reaching into the applications’ entitlement stores and gathering information about user accounts and related permissions. However, by definition, unstructured data doesn’t fit into that model.
IAG vendors may have realized that incorporating unstructured data would be critical to a comprehensive enterprise access strategy, but the core technology they use is designed to connect with various entitlement stores to retrieve relevant access information. In the world of unstructured data, there are no centralized entitlement stores. Entitlements are attached to the resources themselves and are therefore spread across the IT landscape.
Large enterprises often have tens of thousands of servers with millions of folders translating into literally billions of individual permissions. Because most access is granted via groups, you must evaluate each entitlement by enumerating through each group and parsing the members along with any of those nested groups.
For Fortune 500 organizations, the individual mappings of users to groups might number in the tens of millions. Evaluating this complex hierarchy of permissions is a complicated technical effort that leverages a totally different technical paradigm than that of most enterprise applications.
Most organizations would likely posit that their most critical information is managed within business-critical applications. Their human resources, enterprise resource planning, financial, supply chain, business line and other critical applications hold 20 percent of the most sensitive corporate data. IAM and IAG solutions that focus on those applications enable insight into the most essential of corporate information. The rules have changed, though.
The top 20 percent of organizational information simply isn’t enough. Although a large portion—perhaps even the majority—of the other 80 percent of enterprise data may not be classified as high-risk or sensitive, it’s indeed an example of the needle-in-a-haystack scenario. There’s little doubt that somewhere across that huge amount of data is information that ought to be protected. Auditors and security officers are well within their rights to expect controls around and visibility into that unstructured data environment.
Even in heavily regulated environments such as finance and health care, business professionals regularly utilize unstructured data repositories such as distributed file systems and collaboration suites like Microsoft SharePoint to store, share and collaborate on sensitive data.
The lack of uniformity and control across these platforms represents significant risk, cost and effort during an audit. You need to address this problem and prepare your organization for a security review or compliance audit. Here are a few steps you can take to augment your IAG program in preparation to meet ongoing compliance requirements:
The preceding steps might not yield any magical results. There’s no flash or glamour. Business executives might not even notice that you’ve done anything. There’s tremendous inherent value, however, in performing these tasks.
The next time an auditor asks who has access to a resource, you can show them the intended security model, produce a report on the actual permissions, show how they’re applied and provide the name of the person responsible for reviewing that access. When you can give those answers without breaking a sweat, you prove that you’re in control. And that’s ultimately the intent of security audits: to prove control and visibility.
Also, once you’ve completed these steps, you can seamlessly incorporate the effective permissions mechanisms by which rights are granted—and the related analysis such as data classification and risk scoring—into your traditional IAG solutions. They can be organized and normalized within a centralized entitlement store that fits the IAG discovery model.
In an age where regulatory requirements seem to consistently grow in number and complexity, you can no longer ignore unstructured data platforms. It’s not enough to attempt to make sense of permissions one resource at a time. It’s time to do some spring-cleaning on a global scale. Cut down on the overall complexity and enable a model through which you can effectively manage and report on access to all data resources.