SailPoint: Identity’s role in data security and compliance
Article by SailPoint CEO and co-founder Mark McClain
In the wake of GDPR, there’s been increased global interest in regulations that address how sensitive identity information is managed and protected.
Government agencies, especially, have been under the pump, going through reviews and implementing security strategies.
Enterprises have faced similar scrutiny for quite some time as they seek to comply with new regulations and protect their own sensitive data, along with who has access to it and what they’re doing with that access.
This is all the more critical given the target that hackers continue to place on users and their access to important systems and data.
One compromised user account grants a hacker immediate access to the business.
So, there are two issues that enterprises now face – the regulatory environment, and the fact that the way enterprises used to protect themselves is clearly no longer enough.
This is the case because the network perimeter has dissipated, with employees no longer working within the four walls of corporate buildings, applications moving to the cloud and data being stored outside of corporate firewalls.
Therefore, simply putting a perimeter around the network cannot effectively protect all of an enterprise’s users and their access to business applications and data.
Further complicating things, data has exploded within organisations today, and it’s on the move.
The vast majority of this data has gone from being secured and stored in structured applications within data centres to applications in the cloud, where it is largely unprotected.
For example, when an accountant exports financial documents from an internal application and then uploads those files to Dropbox (or another file sharing application) to access while travelling for work, all of a sudden, this sensitive data is living outside of the traditional network perimeter, which exposes it to a would-be hacker.
As compliance regulations continue to grow more commonplace and both the IT and threat landscapes evolve, organisations must also evolve their methods of data protection to keep pace.
Knowing this, how can organisations govern and secure their sensitive data from exposure?
Rather than reinventing the wheel, organisations need only extend their existing identity governance strategies to include how they govern access to data stored in files.
Doing so will provide much-needed visibility into where sensitive data resides, who is accessing it and what they’re doing with that access.
As a result, organisations will not only be able to better secure their sensitive data but also reduce their exposure and thus, improve their security posture overall.
Today’s IT environment is growing more and more complex, particularly as organisations embrace digital transformation.
Now, enterprises have more users, applications and data than ever before, and each part is interconnected.
There are employees, contractors, partners, and now even software bots, accessing cloud and on-premises applications and massive amounts of data.
Each of these new frontiers – users, applications and data – must be addressed with a comprehensive identity governance strategy to truly secure the enterprise and stay in compliance with global regulations.
Ultimately, this will put organisations in a better position to protect sensitive data and comply with regulations and government reviews.
Rather than feeling defeated, organisations should view compliance mandates as an opportunity for them to improve their security stance, provide better service to customers, and strengthen relationships with business partners.
Since broader reviews and new regulations are likely to continue unabated in today’s digital world, organisations need to get ahead of the game when it comes to protecting sensitive data with identity governance.