Identity governance is still surrounded by a lot of myths, some of which are very persistent. Those myths can also be dangerous, in the sense that they might lead to wrong decisions, which could bring serious business risks…
- Myth 1: Provisioning is the key to solve all your identity governance challenges
- Myth 2: Identity governance is hardly relevant for small and medium sized companies
- Myth 3: You should only worry about identity governance because of regulatory compliance
- Myth 4: Our staff can be trusted and doesn’t need identity governance
- Myth 5: Identity governance is the same thing as business analytics
- Myth 6: Identity governance is an IT concern
- Myth 7: I have spreadsheets, so I don’t need identity governance tools
Myth 1: Provisioning is the key to solve all your identity governance challenges
This is definitely a wrong assumption. In fact, institutes like Gartner claim that it is wise to take care of identity governance before provisioning. There are several reasons for this. The first is that, when your administrative data is not 100% accurate and/or up-to-date, provisioning will inevitably lead to wrong decisions. For instance, certain staff members will be granted more access rights than they actually need, which is a risky situation.
Then there’s the legacy factor. Even if your current provisioning approach is (close to) perfect, there might still be threats lurking under the surface, originating from a period when provisioning was less developed in your company than it is today. Similar threats might occur when your company takes over another company or when entities of your company are merged.
Provisioning suites often have integrated solutions for identity governance, but most of them lack the sophistication and nuance that are needed to do this properly. Besides, they’re often too complicated and overly technical for business users. Furthermore, implementing provisioning, and especially automated provisioning, demands a long lead time. In general, this will take between 12 months and three years.
Myth 2: Identity governance is hardly relevant for small and medium sized companies
If you take control of identity governance while the company is still small and easy to survey, you prevent chaos from emerging when the company grows. It’s important to keep in mind that growth is often unpredictable, turbulent and sudden. In times of growth, there just might not be enough time available to set up a proper identity governance program.
Furthermore, smaller companies have the advantage that installing an identity governance program only requires a modest investment and isn’t too time-consuming either.
Apart from that, data protection regulations that are imposed by the government are equally applicable to smaller companies. Depending on the violation and the country your company is based in, this could lead to significant fines. Identity governance, a crucial element in your data protection strategy, helps you to prevent this.
Finally, identity governance significantly lowers the risk of a data breach. Data breaches have unpleasant consequences for every company that falls victim to them, but studies show that the costs are often relatively much higher for smaller companies.
Myth 3: You should only worry about identity governance because of regulatory compliance
Not true. Data nowadays is much more important than before and has become a lot more valuable, too. As the rightful owners of this data are mainly individual citizens, governments have developed a number of regulations to help them protect their (personal) data. But whether your organization is subject to regulatory compliance or not, those regulations should also be considered as a business opportunity. This is because (potential) customers find it increasingly important that their data is in safe hands. In fact, when potential customers are confident that a company is keeping their data safe, it is much more likely that they will become and remain customers of that company. And in order to enable the safe use of data, you need identity governance.
Another increasingly important reason why you need identity governance is that it helps to protect you against data breaches. Recent research shows that the odds for organizations to become the victim of a data breach reach up to 29.6%, while the average cost this causes is no less than $3.92 million.
Myth 4: Our staff can be trusted and doesn’t need identity governance
First of all, ‘trust’ has different meanings. Maybe you can indeed trust your staff in the sense that they would not voluntarily cause a data breach. Still, many data breaches are caused by employees, albeit often unintentionally.
This could happen, for example, when a member of your staff unsuspectingly passes on a password to someone who pretends to be a colleague who works at another location of the company, but who is actually a hacker.
Or let’s take a look at what happened to Sony a few years ago. Several Sony top executives received Apple ID verification mails. The mails redirected the Sony people to a phishing website where they had to enter their Apple ID and password. The hackers assumed (rightfully, unfortunately) that some of the Sony executives might use the same username and password for other accounts as well. This way, the hackers could access Sony’s network and steal 100 terabytes of data. So even if your company is blessed with the most loyal employees, you still need identity governance.
Myth 5: Identity governance is the same thing as business analytics
It’s true that business analytics software like Power BI can theoretically be used to take care of identity governance. However, this doesn’t really work in practice. This is because identity governance needs a very specific approach which differs significantly from the methods that are used in business analytics.
Identity governance requires a holistic view on who has access to which applications and for which reasons. Business analytics software doesn’t have the right tools and interfaces to show you these relations in a clear fashion.
Myth 6: Identity governance is an IT concern
That’s right, at least in the sense that IT is one of the departments within an organization that has to deal with identity governance. However, it is vital that everybody in the company is well aware of the importance of data and the associated risks and opportunities. Identity governance, which is a crucial element when it comes to the protection of data, is just too important to leave in the hands of a single department.
The company policy about identity governance and the way it needs to be implemented throughout the company need to be defined by the management, while the execution will mostly be taken care of by HR and IT, as well as application owners and line managers.
Myth 7: I have spreadsheets, so I don’t need identity governance tools
Of all the myths we explained here, this one might be the most persistent. However, there are two main reasons why professionals strongly discourage the use of spreadsheets for identity governance purposes. First, using spreadsheets to this end is error-prone.
That is because you might have to combine two or more different spreadsheets, which often takes quite some time. By the time the procedure is finished, the data may no longer be up to date. Another problem is that the spreadsheet approach doesn’t bring you out-of-the-box visualisations. Sure, you can make all kinds of graphs, but the point is that spreadsheets do not bring you any insights about which data you should visualise because it needs your attention. What you do get from spreadsheets are lots and lots of lines filled with data. Because of this, there is a good chance that you will overlook important issues.
The second reason why professionals avoid using spreadsheets for identity governance is that it takes a considerable amount of computing power. One would think that processing a few spreadsheets is a piece of cake for a computer, but reality proves otherwise. It is not uncommon that a computer – keep in mind that Excel doesn’t run on a server – needs several hours and even days to get the job done. This is why operations like this are often planned during the weekends. However, even the smallest hiccup could ‘freeze’ the entire procedure. If this occurs, you have to start all over again…