Our IT Executive Roundtables are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialogue on current trends and topics. The group met remotely to discuss how identity is central to compliance, led by the VP, CISO of a provider of health improvement, fitness, and social engagement solutions. This session was sponsored by Okta.
A good identity management system allows you to implement granular access control, enforce identity lifecycle management, increase productivity, and cut back on operational spending. It also paves the road to compliance with various security regulations and frameworks. But is identity a precursor to compliance, or is there a way to adhere to security standards and frameworks without a well-built identity system?
At the beginning of the discussion, attendees were asked whether the same team managed compliance, identity, and security in their organizations. An information security officer answered negatively, adding that they oversee compliance, whereas identity is managed on the operations side. An infrastructure leader responded yes, mentioning that they had recently reworked all three into one team. A security manager replied that their team wholly owns identity and security but shares the responsibility for compliance with the legal department and the software hosting team. All in all, there was an even split between the yeas and the nays.
A speaker remarked that they have recently moved their information security team under their legal department. It’s essential to recognize that InfoSec has evolved into more than just technology, especially when functioning in a highly regulated space, like finance or healthcare. Their legal team handles all risk management, ensures compliance with data privacy and protection laws, and enables their organization to constantly improve its security posture.
An executive told the audience that identity had been a foundational pillar for their organization over the years. When they were a publicly traded company, it enabled them to obtain SOX compliance. When they purchased a healthcare company, their existing identity and access management system empowered them to become HIPAA-compliant. Moreover, identity also allowed them to sustain operations during COVID, serve their highly regulated customers, and comply with various other frameworks, including NIST, PCI, and ISO.
Another speaker chimed in and said that identity helps organizations establish a universal source of truth. Without identity, you can’t truly know who your authorized users are. To build their case, they recounted the tale of a company that had gone through various M&As. An audit revealed 1500 employees on the company’s network who nobody knew existed. Solving problems like this requires using identity, i.e., having a centralized system to onboard, provision, deprovision, perform lifecycle management, and maintain complete visibility into who can access what.
Participants unanimously agreed that identity has always been central to compliance. One participant shared that they wouldn't be able to adhere to state regulations, achieve security certifications, or get through any of their customer audits without identity and fine-grained access control. The scrutiny applied to identity as a measure of compliance has been growing and should continue to grow.
Another point that resonated with various contributors is that identity is industry-agnostic. Regardless of which industry you are working in, you must protect your systems and customer data, and identity provides you with the foundation to do so.
One exec mentioned how adaptive, contextualized authentication could reduce the friction associated with most MFA implementations. By extracting the context of an authentication request, using signals like IP address, device ID, geographical location, time of access, and sensitivity of the accessed resource, you can determine whether a login attempt is risky. Once you have this risk-based categorization, you can increase the friction (the number or strength of required authentication factors) for risky attempts and decrease it for your regular, authorized users.
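To make the idea concrete, here is an added example of a risk-based step-up policy, written for this page and not taken from the roundtable, from Okta, or from any participant's environment. It scores a login attempt from the signals named above (device, IP, country, time, resource sensitivity, plus an impossible-travel check against the last login) and maps the score to the factors a user must present. The user "alice", her known devices, the corporate networks, the resource sensitivity table and all weights and thresholds are constructed assumptions; a real deployment would take these from the identity provider's risk engine and tune them against its own login history.

```python
"""Adaptive (risk-based) step-up authentication: an added illustration.

All reference data below is constructed for the example; the weights and
thresholds are assumptions, not values from any product or the roundtable.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Constructed reference data for one hypothetical user "alice" (assumption).
KNOWN_DEVICES = {"alice": {"dev-laptop-01", "dev-phone-07"}}
USUAL_COUNTRIES = {"alice": {"US"}}
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("203.0.113.0/24")]
# Country and time of the user's last successful login (constructed).
LAST_SEEN = {"alice": ("US", datetime(2024, 3, 1, 14, 0, tzinfo=timezone.utc))}
# 0 = public, 3 = regulated data such as PHI; unknown resources default to 2.
RESOURCE_SENSITIVITY = {"wiki": 0, "email": 1, "payroll": 3, "phi-records": 3}
IMPOSSIBLE_TRAVEL_WINDOW_S = 2 * 3600  # assumed window for a country change


@dataclass(frozen=True)
class LoginContext:
    user: str
    ip: str
    device_id: str
    country: str
    when: datetime  # timezone-aware
    resource: str


def risk_score(ctx: LoginContext):
    """Add a weight per risky signal; return (score, reasons). Weights are assumptions."""
    score, reasons = 0, []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        score += 3
        reasons.append("unknown device")
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in net for net in CORP_NETWORKS):
        score += 1
        reasons.append("off-network IP")
    if ctx.country not in USUAL_COUNTRIES.get(ctx.user, set()):
        score += 2
        reasons.append("unusual country")
    # Impossible travel: a different country within a short window of the last login.
    last = LAST_SEEN.get(ctx.user)
    if last and last[0] != ctx.country:
        elapsed = (ctx.when - last[1]).total_seconds()
        if 0 <= elapsed < IMPOSSIBLE_TRAVEL_WINDOW_S:
            score += 4
            reasons.append("impossible travel")
    if not 6 <= ctx.when.astimezone(timezone.utc).hour < 22:
        score += 1
        reasons.append("off-hours")
    score += RESOURCE_SENSITIVITY.get(ctx.resource, 2)
    return score, reasons


def decide(ctx: LoginContext) -> dict:
    """Map the score to a decision and the factors to demand (thresholds assumed)."""
    score, reasons = risk_score(ctx)
    if score <= 1:
        decision, factors = "allow", ["password"]
    elif score <= 4:
        decision, factors = "step-up", ["password", "push"]
    elif score <= 8:
        decision, factors = "step-up", ["password", "fido2"]
    else:
        decision, factors = "block", []
    return {"decision": decision, "factors": factors,
            "score": score, "reasons": reasons}


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed login attempts, from routine to clearly anomalous.
    attempts = [
        LoginContext("alice", "10.1.2.3", "dev-laptop-01", "US",
                     datetime(2024, 3, 1, 15, 0, tzinfo=utc), "wiki"),
        LoginContext("alice", "198.51.100.5", "dev-laptop-01", "US",
                     datetime(2024, 3, 1, 15, 0, tzinfo=utc), "payroll"),
        LoginContext("alice", "192.0.2.10", "dev-unknown-99", "RO",
                     datetime(2024, 3, 1, 15, 0, tzinfo=utc), "phi-records"),
    ]
    for a in attempts:
        print(a.resource, decide(a))
```

The point a practitioner should take from this is that the user on a known device, on the corporate network, during working hours, opening a low-sensitivity resource never sees a second factor, while the same user reaching regulated data from an unrecognized device in a new country an hour after logging in elsewhere is blocked outright rather than merely prompted. Everything in between gets a factor proportionate to the risk, which is what keeps the friction low for the bulk of legitimate logins.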
An attendee remarked that having support from the board and high-level management can pave the way for change. Implementing identity may require you to change the way things are being done drastically, which often means resistance. But, if you have a good relationship with your board members and CXOs, they can help you drive change and bring about the needed cultural transformation.