Security So Easy, A Sales Guy Can Do It
Much like how I complain that I’m not losing weight, even though my treadmill has become a clothing rack, security only works if you use it. And, yes, I know I picked on the sales guys (and girls) in the title, but your security has to be easy enough to use and understand that anyone in the organization can use it, no matter their level of security training. I have heard multiple reports from our customers in healthcare that have implemented comprehensive and costly software to help keep their PHI data safe on all devices and across all networks. The problem? It takes too long for the doctors to get through it, so they just skip it. It is an easy enough problem to understand, but not such an easy one to fix.
Top 2 Issues in IGA Security:
1. Certification Fatigue
When it comes to certifying access and entitlements in your organization, you will have several people tasked with this function even though security, or even IT, is not their day job. They are marketers, salespeople, finance managers, doctors, etc. Their priority for the day is not to make sure they have meticulously researched and verified all of their employees’ access, entitlements, and certifications. They have to get back to their normal jobs, so instead of looking through lines and columns of information, they simply copy and paste “approved” into everyone’s sheet (a practice we call “rubber stamping”) and go back to their day job. Not only does this lead to inaccuracy in the data you have, but it can also cause issues during your compliance audit, leading to costly financial penalties.
Replace the rows and columns of the typical organization’s spreadsheets with a patterns-based user experience. If we are able to see groups of like access in a graphic format instead of the hundreds of lines on a spreadsheet, we could more easily identify and approve or deny access in bulk and can deal with individual outliers by asking for more context around the request. If you make it easy for approvers to see what access is being requested, paired with context, and compared to their peers, it becomes much easier to make an accurate decision.
This increase in accuracy leads to better reporting and fewer fines, but it also typically leads to more timely participation in access reviews and higher user adoption.
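Rubber stamping leaves a signature in the review log itself: a reviewer who approves nearly everything with only a couple of seconds between decisions. The following is an added example, not code from the original post or from any product it describes; it builds a small constructed decision log (two hypothetical reviewers, "alice" and "bob") and flags reviewers whose approval rate and median time between decisions suggest they never looked at the data. The thresholds are assumptions to tune per organization.

```python
"""Flag likely rubber-stamp reviewers from an access-certification decision log.

Added example with constructed data; the reviewer names, item ids and
thresholds are assumptions, not values from any real deployment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _make_log():
    """Constructed sample log: (reviewer, item_id, decision, timestamp)."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    log = []
    # alice: 12 approvals, 2 seconds apart -> consistent with copy/paste "approved"
    for i in range(12):
        log.append(("alice", f"item-a{i}", "approved", base + timedelta(seconds=2 * i)))
    # bob: 12 mixed decisions, 50-100 seconds apart -> consistent with actually reading
    t = base
    decisions = ["approved"] * 9 + ["revoked"] * 3
    for i, d in enumerate(decisions):
        t = t + timedelta(seconds=45 + 5 * i)
        log.append(("bob", f"item-b{i}", d, t))
    return log


REVIEW_LOG = _make_log()


def reviewer_stats(log):
    """Per reviewer: item count, approval rate and median gap between decisions."""
    by_reviewer = defaultdict(list)
    for reviewer, _item, decision, ts in log:
        by_reviewer[reviewer].append((ts, decision))
    stats = {}
    for reviewer, rows in by_reviewer.items():
        rows.sort()  # order decisions by time before measuring gaps
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        approvals = sum(1 for _, d in rows if d == "approved")
        stats[reviewer] = {
            "items": len(rows),
            "approve_rate": approvals / len(rows),
            "median_gap_seconds": median(gaps) if gaps else None,
        }
    return stats


def find_rubber_stampers(log, min_items=10, max_median_gap=5.0, min_approve_rate=0.95):
    """Return reviewers whose pattern looks like rubber stamping.

    A reviewer is flagged only when they decided enough items for the
    pattern to be meaningful, approved almost all of them, and spent at
    most `max_median_gap` seconds per decision (median).
    """
    flagged = {}
    for reviewer, s in reviewer_stats(log).items():
        if s["items"] < min_items or s["median_gap_seconds"] is None:
            continue
        if s["approve_rate"] >= min_approve_rate and s["median_gap_seconds"] <= max_median_gap:
            flagged[reviewer] = s
    return flagged


if __name__ == "__main__":
    for name, s in find_rubber_stampers(REVIEW_LOG).items():
        print(f"{name}: {s['items']} items, approve rate {s['approve_rate']:.0%}, "
              f"median {s['median_gap_seconds']:.0f}s per decision")
```

Flagged reviewers are a prompt for a conversation or a targeted re-review, not proof of negligence; a reviewer whose team genuinely has uniform, well-understood access can legitimately be fast.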
2. Complicated User Experience
Over the years, increased demand for features and functions within a network has meant busy interfaces and multiple clicks to complete even the most basic of tasks. This goes back to the example I used earlier with doctors inside medical practices. If the user experience is too lengthy or too difficult to figure out, user frustration soars and user adoption plummets. However, with a patterns-based user experience like the one mentioned before, the interface is sleek and simple, making regular, basic tasks as easy to complete as one click. This also makes outliers, such as excess access privileges or hidden/nested entitlements, stand out so they can be identified and remediated quickly.
Not only does a patterns-based user experience simplify the complicated processes you had in place before, but it also reduces user frustration, which leads to higher user adoption and stronger security. It can also reduce errors from making decisions without context and reduce calls to the help desk about how to use the interface. (Once again, an increase in accuracy and adoption by making the interface easier to use.)
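The "patterns-based" view described in both sections above comes down to two computations: expanding nested group membership into the entitlements a user actually holds, and comparing each user against their peers so that the rare entitlements stand out. The following is an added example, not code from the original post or from any product it describes; the group graph, users and departments are constructed, and the "at least half of your peers hold it" rule is an assumption standing in for whatever similarity measure a real tool would use.

```python
"""Expand nested groups into effective entitlements, then flag peer-group outliers.

Added example with constructed data; group names, entitlement names,
users and departments are hypothetical.
"""
from collections import Counter

# Constructed group graph: each group grants entitlements directly and may
# nest other groups, so membership in "legacy-admins" silently carries
# everything below it.
GRAPH = {
    "finance-base": {"entitlements": {"erp:view-ledger"}, "groups": set()},
    "finance-approvers": {"entitlements": {"erp:approve-invoice"}, "groups": {"finance-base"}},
    "legacy-admins": {"entitlements": {"erp:admin"}, "groups": {"finance-approvers"}},
    "hr-base": {"entitlements": {"hris:view-employee"}, "groups": set()},
}

# Constructed users: department is the peer group used for comparison.
USERS = {
    "ana": {"dept": "finance", "groups": {"finance-base"}},
    "ben": {"dept": "finance", "groups": {"finance-base"}},
    "cal": {"dept": "finance", "groups": {"finance-approvers"}},
    "dee": {"dept": "finance", "groups": {"legacy-admins"}},
    "eli": {"dept": "hr", "groups": {"hr-base"}},
}


def effective_entitlements(groups, graph):
    """Walk nested groups (cycle-safe) and return every entitlement reached."""
    seen, stack, result = set(), list(groups), set()
    while stack:
        g = stack.pop()
        if g in seen or g not in graph:
            continue
        seen.add(g)
        result |= graph[g]["entitlements"]
        stack.extend(graph[g]["groups"])
    return result


def peer_consensus(users, graph, dept, threshold=0.5):
    """Entitlements held by at least `threshold` of the department's members."""
    members = [u for u in users.values() if u["dept"] == dept]
    counts = Counter()
    for u in members:
        counts.update(effective_entitlements(u["groups"], graph))
    return {e for e, n in counts.items() if n / len(members) >= threshold}


def find_outliers(users, graph, threshold=0.5, min_peers=2):
    """Map user -> sorted entitlements that their peers mostly do not hold.

    Departments with fewer than `min_peers` members are skipped: with one
    member, every entitlement is 'consensus' and the comparison says nothing.
    """
    outliers = {}
    depts = {u["dept"] for u in users.values()}
    for dept in depts:
        members = {name: u for name, u in users.items() if u["dept"] == dept}
        if len(members) < min_peers:
            continue
        consensus = peer_consensus(users, graph, dept, threshold)
        for name, u in members.items():
            extra = effective_entitlements(u["groups"], graph) - consensus
            if extra:
                outliers[name] = sorted(extra)
    return outliers


if __name__ == "__main__":
    for name, extra in sorted(find_outliers(USERS, GRAPH).items()):
        print(f"{name} ({USERS[name]['dept']}): review {', '.join(extra)}")
```

With the constructed data, "dee" surfaces as the only finance outlier because the nested "legacy-admins" group carries "erp:admin", which no peer has, while the three other finance users can be approved as a block. Raising the threshold to 0.75 also flags the approve-invoice entitlement held by only two of the four finance users, which is the knob a reviewer would turn to decide how much context they want to ask for.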
So, Now What?
There are plenty of other examples that I could give you to drive home the need for more security, but I’ll just use one that our product manager often uses: the suitcase at the airport. Every time I am at the airport I hear multiple times, “If you see a suspicious bag without any owner, please report it.” Now, how many times did I have to hear that until it finally hit home and stuck out in the mass chaos that is an airport? I don’t know. What I do know is that once someone pointed out to me that this could be a problem, it became easier than before to spot airport security risks. Cyber-security is the same way.
If you are expecting your employees to be able to shuffle through multiple rows and columns of data, with no context and no relationship to each other, and find the inappropriate or unnecessary access, it’s not going to happen. However, if you are using a patterns-based user experience where managers can clearly see outliers, it becomes easier for your employees to pick out the security risks and report or remediate them.