The Rise of Self-Driving Identity Governance


Security and risk professionals agree that we are living in exciting and challenging times. Digital transformation is no longer a distant dream. Organizations are moving at a breakneck pace to replace manual processes, increase automation, and harness vast amounts of data in order to improve efficiencies. Each technology that enables digital transformation requires a clear identification of which users need access to it, what resources they need, and how access can be controlled to prevent unauthorized usage. At the same time, cloud applications and services are being adopted aggressively: 94% of businesses already use some type of cloud services. The proliferation of applications isn’t limited to the cloud. The move to DevOps and the use of agile methodologies also contribute, and each new application can have its own role structure and permissions. All of this needs to be managed and overseen – and the burden falls on the shoulders of security and risk teams. 

In spite of these demands, there is good news. When it comes to identity governance, the future is here. Hyper-automation and self-driving governance are likely to make as dramatic an impact as agile development. The result? Faster regulatory compliance, lower costs, and substantially reduced risk. 

The Identity Explosion

Multiple technology and business trends contribute to the proliferation of identities whose access needs to be managed: digital transformation; the exponential growth in applications; the proliferation of DevOps identities; the use of robotic, machine, and device identities; and outsourcing to third parties. It doesn’t take long before an organization realizes it faces a real problem managing so many identities, roles, and entitlements. This “identity explosion” problem places a huge burden on security and risk teams, with the need to ensure that each identity has only the access rights and privileges it needs. Without enterprise-wide visibility of the identity landscape or context around access requests and certifications, teams often find themselves overwhelmed. As a result, they end up rubber-stamping access requests and certification approvals. They simply don’t have the time to evaluate each request and determine whether it is truly necessary. 

Increasing Regulatory Compliance Pressures

The task of security and risk teams becomes even more difficult in the face of a patchwork of government and industry regulations, such as FISMA, SOX, HIPAA, GDPR, CCPA, and others. Designed to protect against insider and external cyberthreats that could result in data breaches, these regulations generally call for restricting access rights to those minimally necessary to perform job functions – the principle of “least privilege.” 

The explosion of identities makes it even more difficult to ensure least privilege, especially today, when many employees are working remotely, often using personal devices with lax security measures. This has an undeniable impact on security compliance –  especially in terms of costs, which can be steep. For example, GDPR, which applies to organizations outside as well as within the EU, costs the average Fortune 500 company $16 million a year. Penalties for regulatory noncompliance are equally impactful. A global insurance provider was recently fined $10 million for failing to comply with SOX regulations designed to ensure the identity of customers. During an audit for HIPAA compliance last year, the U.S. Department of Health and Human Services fined a Tennessee-based management company $2.3 million for a breach caused by compromised administrator credentials. At a time when businesses face mounting cost pressures, a weak understanding of user access and justification for why they need it can prove costly. 

Identity Governance Fatigue Sets In

Security and IT professionals have long used identity governance and administration (IGA) solutions to address user provisioning and regulatory compliance requirements. Such solutions were designed to automate access requests, approvals, and certification reviews. Today, the sheer number of such requests outstrips the capabilities of many traditional IGA solutions. Teams that face a seemingly impossible task invariably end up suffering from identity governance fatigue. They are called on to quickly make informed identity access decisions where a mistake could have serious consequences for the organization. 

Identity governance fatigue results in inefficiency, slowed response, and suboptimal decision-making, all of which can lead to errors. It’s no wonder organizations are looking to automate identity governance solutions. 

Automation Overcomes Identity Governance Fatigue

Identity and risk professionals who experience identity governance fatigue are dealing with an overwhelming number of identities, roles, and entitlements. They are also facing the proliferation of machine and Internet of Things (IoT) identities, the demands of organizational changes, and the added impact of unplanned events, such as the COVID-19 pandemic, which ushered in a dramatic increase in remote working. New automated, self-driving approaches are needed to replace antiquated manual efforts. Automated identity governance is the optimal solution and also provides an ideal domain to achieve the potential benefits of automated intelligence and machine learning. 

Automation streamlines intelligence, making sense of the mountain of uncorrelated data that is being created daily. It spots anomalous behavior before it represents a threat and enables solutions to proactively identify access risks and highlight excessive privileges. Artificial intelligence (AI) is used to make informed recommendations that can be communicated to decision makers. An ideal IGA automation solution does not stop there. It goes on to automatically implement the recommendations, freeing up security teams to focus on more complex tasks, such as investigating high-level threats that require skilled human intervention. Automation can also dramatically simplify the process of recommending low-risk accounts for certification and re-certifying high-risk accounts. A solution based on AI will enable smarter, more efficient certification campaigns with fully described access rights. 

In my next blog, I’ll explain why AI is the key to self-driving governance and how ForgeRock Autonomous Identity can help your organization achieve it. In the meantime, be sure to read the new KuppingerCole white paper “Overcoming Identity Governance Challenges with ForgeRock Autonomous Identity”.