An increasing number of organizations are adopting a mix of cloud-based and on-premises applications – a move which has been accelerated by the need for employees to work remotely. The ever-prescient Gartner saw this shift coming pre-pandemic and predicted that in 2021, more than 75% of midsize and large organizations would have adopted some kind of multi-cloud or hybrid IT strategy. The hybrid approach delivers advantages such as agility and cost savings, but it comes with disadvantages, too.
One of the disadvantages is reduced visibility into who has access to which IT systems and applications within the organization and why. As organizations continuously move workloads to digital services, they will need a more solid approach to identity management. Identity Governance and Administration (IGA) has become a cornerstone of solid IT security, allowing organizations to implement processes for controlling, managing and auditing access to data, which is an important prerequisite to reducing the security risk.
In light of Identity Management Day, let’s take a look at how the hybrid workforce requires a new approach to identity governance and what this means for organizations across sectors.
Hybrid IT gains ground
As the cloud continues to demonstrate its utility, migration grows. Overall, IT spending continues to shift to public cloud computing. Gartner analysts believe that more than 45% of IT spending on system infrastructure, infrastructure software, application software and business process outsourcing will shift from traditional solutions to cloud by 2024.
Cloud applications have not only enabled many organizations worldwide to remain in business and maintain productivity but also provide additional benefits – like the cost savings of not having to house an on-premises data center. That said, not every business can or should shift entirely to the cloud. Enterprise Strategy Group (ESG) notes in a new report that “nearly all enterprises operate in a continually shifting, hybrid mix of on-premises and multi-cloud-based applications.” Some things have to remain on-premises and, as a result, hybrid IT is growing.
But hybrid IT environments still have to remain compliant with regulations and safeguard collaboration across the organization and with partners and customers. They must support the rapid adoption of new digital services while respecting security and compliance. The solutions need to protect the brand and IP while acting in a complex ecosystem and increasing efficiency. The organization must therefore manage the risk while maintaining business agility.
IGA is critical
Identity and access management and identity governance and administration (IGA) are key to ensuring security and staying compliant. Migrating to the cloud creates potential openings for attackers and introduces different vulnerabilities, so organizations must revise their risk and security management.
Therefore, they need to have a vision for secure cloud adoption and make sure that appropriate governance can be enforced from the first day of operation. It is important to ensure that a well-functioning, future-proof architecture for identity management and access governance is implemented. This architecture will secure the organization long-term and ensure correct data flows across disparate systems and directories.
Before an organization enables users to access and use cloud services, it must know its identities and related accounts. Companies must make sure that federated identities from suppliers, partners or customers are governed in a proper manner. Ideally, this should happen before collaboration begins, and the correct processes must be established and implemented. Organizations should also establish “local” security mechanisms, such as access request and certification, and they must also establish policies for cloud services.
The power of IGA
IGA enables the IT department to manage and govern all user access rights across a hybrid IT environment. ESG found that 86% of respondents reported IGA as a top five security control priority for their organization. Among the elements IGA processes oversee are:
- Managing access to resources across an organization’s hybrid IT environments
- A structured approach to onboarding applications
- Onboarding of new employees and non-employees, such as contractors
- Performing access reviews and certifications across all cloud and on-premises applications
- Managing access to applications on a granular level in compliance with company policies, handling of access assignment policies and provisioning
- Audit and compliance reporting to ensure continuous risk overview
When organizations are able to process these elements effectively, they can then ensure compliance, save money, minimize the risk of data theft by insiders and hackers, and reduce the blast radius of an attack. A key factor in doing this well is ensuring that business systems are only accessible to those who need to use them to do their job – the “least privilege” approach. IGA is an integral component of business resilience.
Doing hybrid IT right
Hybrid IT will continue to grow apace with cloud adoption. Market forces have converged to make this standard operating procedure. But that means, for regulatory and security reasons, organizations must get control of who has access to which parts of their distributed business systems.
About the Author: Thomas Müller-Martin is Global Partner Technical Lead at Omada. He has spent more than 15 years in identity and access management. As the implementation of identity-centric cyber-security strategies becomes more and more relevant for enterprises around the globe, he helps Omada partners to make their Identity Governance and Administration journey a success.