
SailPoint: Identity’s role in data security and compliance

28 Feb 2019

Article by SailPoint CEO and co-founder Mark McClain

In the wake of GDPR, there’s been increased global interest in regulations that address how sensitive identity information is managed and protected.

Government agencies, especially, have been under the pump, going through reviews and implementing security strategies.

Enterprises have faced similar scrutiny for quite some time as they seek to comply with new regulations and protect their own sensitive data, along with who has access to it and what they’re doing with that access.

This is all the more critical given the target that hackers continue to place on users and their access to important systems and data.

One compromised user account grants a hacker immediate access to the business.

So, there are two issues that enterprises now face – the regulatory environment, and the fact that the way enterprises used to protect themselves is clearly no longer enough.

This is the case because the network perimeter has dissipated, with employees no longer working within the four walls of corporate buildings, applications moving to the cloud and data being stored outside of corporate firewalls.

Therefore, simply putting a perimeter around the network cannot effectively protect all of an enterprise’s users and their access to business applications and data.

Further complicating things, data has exploded within organisations today, and it’s on the move.

The vast majority of this data has gone from being secured and stored in structured applications within data centres to applications in the cloud, where it is largely unprotected.

For example, when an accountant exports financial documents from an internal application and then uploads those files to Dropbox (or another file sharing application) to access while travelling for work, all of a sudden, this sensitive data is living outside of the traditional network perimeter, which exposes it to a would-be hacker.

As compliance regulations continue to grow more commonplace and both the IT and threat landscapes evolve, organisations must also evolve their methods of data protection to keep pace.

Knowing this, how can organisations govern and secure their sensitive data from exposure?

Rather than reinventing the wheel, organisations need only extend their existing identity governance strategies to include how they govern access to data stored in files.

Doing so will provide much-needed visibility into where sensitive data resides, who is accessing it and what they’re doing with that access.

As a result, organisations will not only be able to better secure their sensitive data but also reduce their exposure and thus improve their overall security posture.

Today’s IT environment is growing more and more complex, particularly as organisations embrace digital transformation.

Now, enterprises have more users, applications and data than ever before, and each part is interconnected.

There are employees, contractors, partners, and now even software bots, accessing cloud and on-premises applications and massive amounts of data.

Each of these new frontiers – users, applications and data – must be addressed with a comprehensive identity governance strategy to truly secure the enterprise and stay in compliance with global regulations.

Ultimately, this will put organisations in a better position to protect sensitive data and comply with regulations and government reviews.

Rather than feeling defeated, organisations should view compliance mandates as an opportunity for them to improve their security stance, provide better service to customers, and strengthen relationships with business partners.

Since broader reviews and new regulations are likely to continue unabated in today’s digital world, organisations need to get ahead of the game when it comes to protecting sensitive data with identity governance.
