Why identity governance should be a priority

As government agencies increasingly rely on digital technologies to meet evolving demands and improve efficiency, the need for a secure and effective digital strategy has become paramount. With the rising threat of cybersecurity attacks, data breaches and unauthorised access to sensitive information, government agencies must replace outdated, clunky legacy platforms to ensure that their systems are secure and protected.

Although digital transformation has delivered numerous benefits to organisations, it has also led to a surge in the number of human and non-human identities created, resulting in an increased number of security breaches. According to the latest OAIC data breach notification report, one-third of all breaches resulted from stolen or compromised credentials. Despite this, Identity Security is still not receiving the attention it deserves.

At our recent roundtable event with CyberCX Australia, we sat down with 12 CISOs to discuss why identity governance should be a priority for government agencies, and we explored the risks of legacy platforms and obsolete infrastructure together with the risks of digital transformation and migrating to the cloud without an identity security protocol.

Here are some of the key challenges and takeaways we discussed with CISOs.

Why identity governance should be a priority to prevent cyber attacks

Identity security is critical to maintaining the integrity and confidentiality of government data and must be a top priority for all agencies, and our roundtable discussion highlighted the urgent need for robust cybersecurity measures, as two organisations present had recently experienced breaches due to compromised credentials.

It was reassuring to hear though that several CISOs at the event were already investigating identity governance as a key component of their zero-trust strategy and were implementing it to work towards a zero-trust architecture.

Identity governance is essential for ensuring users have appropriate access to sensitive data and systems within an organisation, and to track activities and detect any suspicious behaviour or possible security breaches.

Many cyber attacks begin with the acquisition of valid credentials, which malicious actors steal or compromise to access the network, study the environment, elevate their privileges and strike when everything aligns in their favour. Having visibility over ‘access at rest’ is crucial to prevent such attacks. By leveraging AI, organisations can detect potential threats and prevent unauthorised access to sensitive data and systems.

Incorporating identity governance into a modern zero-trust security model can play a crucial role in mitigating these risks. Identity governance continuously verifies user identities and manages access rights to prevent unauthorised access. Combining AI and advanced analytics with identity governance enables government agencies to monitor user activity, detect potential threats and stay ahead of cyber attacks.

As government agencies migrate to the cloud, adopting a zero-trust security model that places identity at the core of its security strategy is crucial.

Risks of doing nothing: creating urgency to replace legacy platforms and obsolete infrastructure

Legacy platforms are often outdated and lack critical security features such as two-factor authentication, making them vulnerable to malicious actors as they don’t use modern encryption protocols.

Moreover, keeping obsolete infrastructure increases operational costs as there is an additional need to maintain hardware that may be difficult or impossible to replace. Outdated systems also hinder productivity and collaboration within an organisation as they are less efficient and user-friendly.

Our recent State of Identity in ANZ study highlights the importance of addressing these risks and adopting modern security solutions.

A lack of budget is unfortunately one of the main roadblocks to implementing an identity security strategy, which was a key concern raised during our roundtable event. This is often because identity security is not something tangibly visible to a government agency’s customers, such as citizens, making it challenging to justify the budget allocation. Additionally, investment decisions for agencies may be influenced by factors such as votes or political priorities.

Furthermore, one government representative noted they were investigating the potential net-zero cost to further demonstrate the value of migrating to the cloud for his business case.

It is evident that it’s crucial to educate key stakeholders within government agencies about the impact and risks of not having proper solutions and protocols in place, making their agencies more vulnerable to cyber attacks.

It will also be essential to discuss the impact outdated infrastructure has on overall operations and government workers who cannot get timely access to the digital resources they need, as they will struggle to serve citizens effectively. As society becomes more digitally centric, it is crucial for government agencies to provide seamless access to resources for their staff.

Consolidating identity

Consolidating identities continues to present challenges for government agencies, as many individuals may have multiple identities for different systems, making it difficult to manage access rights and track user activity across platforms.

A centralised identity management system can streamline and automate the process of granting and revoking access rights, provide greater visibility and control over user access and activity, and reduce the time and resources needed to manage multiple identities per person. Modern identity governance solutions can help establish a single source of truth for user identities and ensure that access rights are properly managed, reducing the risk of unauthorised access to sensitive information.

One NSW government department executive noted his organisation adopted SailPoint to consolidate identity management, taking a KISS (keep it simple silly) approach that enforced flexibility by design principles, centralised the identity security platform and decentralised ownership to the appropriate end users.

Getting identity security right: the importance of people, processes and technologies

Getting identity security right is a complex task that requires people, processes and technologies to work harmoniously together. Executives at our CyberCX roundtable agreed that successful implementation involves the following key elements:

1. Executive alignment: Organisations must ensure that leadership is aligned with the goals and objectives, including understanding the risks, benefits and the necessary resources required for successful implementation.
2. Collaboration: A successful identity project requires a concerted effort from cohorts across the organisation. These include:
   1. Application owners: Responsible for managing the critical operational applications, this cohort must work closely with the identity security team to ensure that access rights and privileges are properly managed and monitored.
   2. HR team: Providing accurate and up-to-date information about employees and their roles within the organisation is essential for managing access rights and ensuring that only authorised users have access to sensitive information and resources.
   3. Identity team: Responsible for implementing and maintaining the identity governance solution, they work closely with the application owners and HR team to ensure that the solution is effectively integrated with existing infrastructure.

By focusing on these points, government agencies can help their key stakeholders understand the importance of investing in identity security projects. In turn, this will enable them to make more informed decisions about budget allocations and prioritise identity security as a critical component of their overall cybersecurity strategy.

Image credit: iStock.com/dem10