What Identity Management Teaches CSOs/CDOs about Data-Centric Security


Author: Chris Olive 
Date: January 18, 2022

At the turn of the 21st century, the Identity Management discipline within IT Security was born of necessity. Advancements in computer technology meant that every area, function, and discipline within organizations was turning to automation to gain a competitive advantage. A computer was placed on every desk, and servers, mini-computers, and mainframes were being deployed to automate every area of the business.

Identities proliferated and radically multiplied because each system that an organization deployed needed users to have their own accounts (identities), all managed with different rules and processes. Networking these platforms together into a cohesive whole drove the need for identity lifecycle automation, and compliance requirements were placed on the business in the wake of a number of high-profile accounting scandals. Both of these requirements necessitated that identities be managed and governed from a single point, to provide velocity and agility to the business while securing the enterprise and bringing it into compliance. Past methodologies, which were mainly manual, simply could not keep pace with the velocity of the technology-enabled enterprise.

We are now seeing this pattern repeat with the mass proliferation of data to the cloud, catalyzed by the tsunami of Digital Transformation. The modern organization needs to adopt a Data-Centric Security approach to safely execute its digital transformation strategy.

Digital Transformation Has Radicalized the Data Security Landscape

Digital transformation has had the same impact on data in the enterprise as desktop computers, servers, mini-computers, and mainframes had on identities in the year 2000.

Data, and lots of it, is what fuels and accelerates organizations in today’s world. Companies are moving enormous amounts of data to the cloud at a breakneck pace to take advantage of cloud services and capabilities that provide powerful artificial intelligence (AI), data analytics, machine learning (ML), serverless computing, data sharing, data marketplaces, and much more. The industry finds itself in the same place again, with data proliferating at a fantastic rate, much the same way identities started doing (and never stopped) 20 years ago.

Data Security Needs To Grow Up and Mature

Over the last twenty years, Identity Management has matured with the times, providing organizations with automation, compliance, intelligence, and now in the age of digital transformation, autonomous identity management, leveraging AI and machine learning.

As we stare at the exponentially growing list of capabilities digital transformation and cloud capabilities are offering, we find very little unified and centralized Data Security strategy.

There are critical lessons that Chief Information Security Officers (CISOs) and Chief Data Officers (CDOs) can learn from the Identity Management wave. Let’s look at some of the challenges of the past to help underline Data Security’s desperate need to grow up and mature, as its first cousin, Identity Management, has done.

Speed

Transformation based on automation twenty years ago meant organizations simply couldn’t keep pace with identity lifecycle events or address growing compliance and reporting needs using previous methods. Keeping up with the speed of business was a real issue.

Twenty years later, the run rate on data makes the run rate on identities look like it was standing still. The run rate on data typically outstrips the ability of most companies to provide immediate, accurate, least-privileged access to data and to maintain it over time, regardless of where that data lives. At no other time in history has there been more data being generated more quickly, thereby continuously changing the shape and scope of who needs access to that data. This cycle of massive data generation and the need to assign and maintain proper access to it continues to accelerate at a blistering pace.

Existing methods for properly classifying data, protecting it, and keeping up with the changes data begets, while simultaneously maintaining compliance and addressing privacy, are proving to be both antiquated and inadequate from a pure Data Security perspective. Today’s data-centric security approaches need to be able to handle speed in two ways: keep up with the pace at which data is changing and growing, and do it without slowing down the Digital Transformation efforts that are core to modern business strategy.

Scale

As we continue considering the challenge landscape, we come to the second challenge of Scale. Over the last twenty years, Identity Management has had to deal with scale not only in terms of the proliferation of applications, platforms, and platform types, but also the proliferation of identities driven through digital transformation.

Similarly, massive proliferation of data has created challenges of scale for Data Security, not in terms of data size – which is really related to the problem of speed previously addressed – but scale in terms of data residence, custodianship, and its value enablement lifecycle.

Two aspects of digital transformation realized through the move of data to the cloud are nuance and the advantages of a multi-cloud strategy – both the necessity and the ability to choose from the various nuanced companies, products, services, and capabilities that the top cloud service providers (CSPs) offer. This nuance gives organizations scale in terms of data capability, and it tremendously increases on-going data proliferation within silos that the business must then unify, just as identities from disparate platforms needed to be unified twenty years ago.

Organizations are creating Big Data platforms, data lakes, data warehouses, data pipelines, and more from platforms offered as ready-to-consume services like Databricks, RedShift, Synapse, DynamoDB, DocumentDB, Kinesis, Collibra, BigQuery, specialized CSPs like Snowflake, and more. There are too many CSPs and associated XaaS services to name, and new services for data seem to come out quarterly, with ever increasing capabilities that offer essentially sheer, utter magic.

Yet properly securing data in BigQuery differs from properly securing data in Databricks, which differs from properly securing data in Amazon RedShift or Azure Synapse, which differs from properly securing data in a specialized data analytics CSP such as Snowflake. And any data that lives outside the boundary of a single CSP within a multi-cloud data services strategy adds to the scale of complexity and data security nuance that must be maintained “under the hood” of that strategy.


This nuance of scale is a growing Data Security Governance challenge: organizations must properly secure data and maintain continuous, proper access as business use cases change and as sharing with partners or vendors comes into play, all while maintaining control, compliance, and data privacy.

Strategy

Lastly, we come to strategy as the final challenge to be covered here. Twenty years ago, companies needed automation and compliance for identities, and a multitude of Identity Management companies sprang up to fulfill these needs for the business. Most of those companies did fairly similar jobs. Differentiation came down to reducing the complexity of setup, configuration, and on-going maintenance, and to agility and speed in executing use cases.

But as the needs of the business with regard to identities grew, specifically the need for intelligence and, today, the need to make Identity Management autonomous to the business, only a handful of companies now provide a unified strategy around identities to the business. The others have essentially vanished. (Full disclosure: The author is currently employed at one of those Identity Management companies.)


As we stare at the exponentially growing list of capabilities digital transformation and CSPs are offering, we find very little unified and centralized Data Security Governance strategy. Organizations need to take a Data-Centric Security approach to ensure that their security rules are followed in a unified way across a multitude of cloud platforms.

Conclusion

Twenty years ago, Identity Management was born from a massive acceleration of technology enablement adopted by organizations as a transformative need. Today, digital transformation driven by massive amounts of data is transforming the business landscape at incredible speed and in ways that seem to dwarf the transformation of the past.

Identity Management, as a mechanism for both enabling and securing the business, has grown, matured, kept pace, and now provides organizations with autonomous identity management through AI and machine learning. Data access control and data security have lagged behind in maturity, challenged by the issues of speed, scale, and the lack of a unified approach and strategy across an ever-growing multitude of offerings available to organizations undergoing rapid and seismic change through digital transformation.

The time has come for a new, centralized, framework approach to Data-Centric Security that allows businesses and organizations to adequately address the challenges of speed, scale, and lack of a unified strategy from a single, centralized, intelligent, and autonomous point of Data Security Governance.
