Identity, authentication and authorisation becoming risk-led

Identity management and authentication and authorisation governance are shifting away from being purely IT initiatives, according to RSA

Traditionally, initiatives around identity, authentication and authorisation have been about becoming more efficient and enabling faster provisioning.

“But we are seeing a shift towards such initiatives being part of a clear directional effort to address risk,” said Prashant Darisi, senior director, identity governance and lifecycle products at RSA.

This starts with assessing risk, identifying risk objectives and determining an organisation’s real risk appetite, he told Computer Weekly.

“When we look at Target, Sony or any of the other companies that have been breached, the reputational costs are now higher than ever,” said Darisi.

As a result, responsibility for assessing and mitigating breach-related risk is shifting in many businesses from the chief information security officer (CISO) to the chief information officer (CIO).

Organisations want to ensure that business risk is informed by the risk associated with matters such as orphan accounts and toxic combinations of entitlements.
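The two identity-governance risks named above, orphan accounts and toxic combinations of entitlements, are what an access review is meant to surface. The following is an added example, not code from the article or from RSA, that runs such a review over a small constructed dataset: an HR roster, a set of application accounts with their entitlements, and segregation-of-duties rules. The `svc_` naming convention for service accounts, the rule list and the entitlement names are all assumptions made for the example.

```python
"""Added example (not from the article or RSA): flag orphan accounts and
toxic entitlement combinations in a constructed access-review dataset."""

# Constructed sample data: employees still on the active HR roster.
HR_ACTIVE = {"alice", "bob", "carol"}

# Constructed application accounts and the entitlements each one holds.
ACCOUNTS = {
    "alice": {"ap.create_invoice", "crm.read"},
    "bob": {"ap.create_invoice", "ap.approve_payment"},  # create + approve payments
    "carol": {"hr.read"},
    "dave": {"erp.admin"},                              # no longer on the HR roster
    "svc_backup": {"fs.read_all"},                      # non-human account
}

# Constructed segregation-of-duties rules: holding BOTH entitlements in a pair is toxic.
TOXIC_PAIRS = [
    frozenset({"ap.create_invoice", "ap.approve_payment"}),
    frozenset({"erp.admin", "ap.approve_payment"}),
]

# Assumption: service accounts are identified by a naming convention and must
# have a named human owner who is still an active employee.
SERVICE_ACCOUNT_PREFIX = "svc_"
SERVICE_OWNERS = {"svc_backup": "erin"}  # erin is not on the active roster


def is_service_account(name):
    return name.startswith(SERVICE_ACCOUNT_PREFIX)


def find_orphan_accounts(accounts, hr_active):
    """Human accounts whose holder is not on the active HR roster."""
    return sorted(
        name for name in accounts
        if not is_service_account(name) and name not in hr_active
    )


def find_unowned_service_accounts(accounts, service_owners, hr_active):
    """Service accounts with no owner, or whose owner has left."""
    return sorted(
        name for name in accounts
        if is_service_account(name) and service_owners.get(name) not in hr_active
    )


def find_toxic_combinations(accounts, toxic_pairs):
    """Accounts holding every entitlement of a toxic pair, as (account, pair) tuples."""
    hits = []
    for name, entitlements in sorted(accounts.items()):
        for pair in toxic_pairs:
            if pair <= entitlements:  # subset test: all entitlements of the pair present
                hits.append((name, tuple(sorted(pair))))
    return hits


def access_review(accounts, hr_active, toxic_pairs, service_owners):
    """Collect the findings a risk owner would want to see from one review run."""
    findings = {
        "orphans": find_orphan_accounts(accounts, hr_active),
        "unowned_service_accounts": find_unowned_service_accounts(
            accounts, service_owners, hr_active),
        "toxic_combinations": find_toxic_combinations(accounts, toxic_pairs),
    }
    findings["total"] = sum(len(v) for v in findings.values())
    return findings


if __name__ == "__main__":
    for kind, items in access_review(ACCOUNTS, HR_ACTIVE, TOXIC_PAIRS, SERVICE_OWNERS).items():
        print(kind, items)
```

In a real deployment the HR roster and entitlement data would come from the HR system and each application's access export; the subset test on `frozenset` pairs is what generalises the "toxic combination" idea to any number of rules.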

The business is also concerned that the gap between IT and the business is widening as various business units adopt cloud services without going through IT.

“While this so-called ‘shadow IT’ gives the business tremendous agility, it also often means that commercially sensitive data is sitting in the cloud,” said Darisi.

“This results in an increasing ‘gap of grief’ between the business’s need for agility and the need for security from the IT perspective.”

There needs to be a way for organisations to ensure that both of these needs are met by balancing security and convenience, said Darisi.

Key to enabling this, he said, is achieving continuous identity assurance through a system that automatically challenges users to authenticate when anomalies are detected.
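Continuous identity assurance of the kind described here comes down to scoring each session event against what is normal for that user and forcing re-authentication only when the deviation is large enough. The following is an added example, not code from the article or from RSA, that implements that decision over constructed baselines and events. The signal weights, the threshold of 50 and the baseline fields (countries, devices, working hours) are assumptions chosen for the example; a real system would tune them to the organisation's risk appetite.

```python
"""Added example (not the article's or RSA's code): score session events against
a user's baseline and require a fresh authentication when the anomaly score
crosses a threshold, so the user is challenged only when something looks off."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Baseline:
    countries: frozenset   # countries the user normally signs in from
    devices: frozenset     # device identifiers previously verified for the user
    work_hours: range      # local hours in which the user normally works


@dataclass(frozen=True)
class Event:
    user: str
    country: str
    device_id: str
    hour: int
    sensitive_action: bool  # e.g. changing payment details or exporting data


# Assumption: weights and threshold are illustrative, tuned per risk appetite.
WEIGHTS = {"new_country": 40, "new_device": 30, "off_hours": 15, "sensitive_action": 20}
STEP_UP_THRESHOLD = 50


def anomaly_score(event, baseline):
    """Weighted sum of signals that deviate from the user's baseline, plus the reasons."""
    reasons = []
    if event.country not in baseline.countries:
        reasons.append("new_country")
    if event.device_id not in baseline.devices:
        reasons.append("new_device")
    if event.hour not in baseline.work_hours:
        reasons.append("off_hours")
    if event.sensitive_action:
        reasons.append("sensitive_action")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(event, baseline, threshold=STEP_UP_THRESHOLD):
    """Allow silently, or challenge the user to re-authenticate when the score is high."""
    score, reasons = anomaly_score(event, baseline)
    action = "challenge" if score >= threshold else "allow"
    return {"user": event.user, "action": action, "score": score, "reasons": reasons}


def after_successful_challenge(baseline, event):
    """Once a challenge succeeds, the device becomes part of the user's baseline."""
    return replace(baseline, devices=baseline.devices | {event.device_id})


# Constructed baseline: alice works from GB, on laptop-1, between 08:00 and 18:59.
BASELINES = {"alice": Baseline(frozenset({"GB"}), frozenset({"laptop-1"}), range(8, 19))}

# Constructed events, from routine to clearly anomalous.
SAMPLE_EVENTS = [
    Event("alice", "GB", "laptop-1", 10, False),  # routine: score 0
    Event("alice", "GB", "laptop-1", 10, True),   # sensitive but normal context: 20
    Event("alice", "US", "phone-9", 3, False),    # new country, new device, 03:00: 85
    Event("alice", "GB", "phone-9", 22, True),    # new device, off hours, sensitive: 65
]


def evaluate_all(events, baselines):
    return [decide(e, baselines[e.user]) for e in events]


if __name__ == "__main__":
    for d in evaluate_all(SAMPLE_EVENTS, BASELINES):
        print(d)
```

The point of the reasons list is operational: a challenge the user cannot explain is the detection signal, so the same record that drives the step-up decision should be logged for the security operations team.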
