Identity Myth Busting


SailPoint Blog Post: August 10, 2020  |  Matt Mills

Raise your hand if you’ve heard one of these phrases recently, nodded your head and thought – “yup, that’s ‘good enough’ for my identity management needs right there.”

You’re covered if you have access management.

Provisioning is simple, we can do that.

With MFA, you’re protected.

You don’t need governance, that’s just an audit thing.

Well, I hate to be the bearer of bad news but – you’re wrong. Dead wrong, in fact.

While it’s true that some of what I just described fits into what most think of as identity and access management, the glaring error here is thinking that you’re covered with any one of these identity technologies in place.

You’re missing a very critical piece: the real brains of identity management is identity governance. But before your eyes glaze over at that phrase, let me illustrate the point.

You can’t do identity and access management without governance. You can’t open the front door and expect that the right people will walk through and do the right thing with that access. It needs to be governed. And when I say governed, I mean that their access needs to align to corporate security policy. Would you allow the mailman to rifle through your mail upon depositing it into your mailbox? Just because he has access to that mail doesn’t mean he has the right to open it or to read it.

It’s the same with access management. Just because a worker has access to the building (aka company resources) doesn’t mean 1) that they should have free rein over every area of the building or 2) that their access fits with their actual role within the business. You need to know, with full confidence, that the person walking in the door both belongs there and only accesses the parts of the building that are appropriate for their job or role within the business.

How can you do that without identity governance?

Spoiler alert: you can’t.

The same is true of technology like multi-factor authentication (MFA). You’ve asked your workers to provide more than one piece of evidence that confirms that they are who they claim to be. All this does is ensure that you’re certain that the person walking through the door belongs there. Again, once that person is in the building, there’s nothing stopping them from checking out the server room, digging through human resources files, or poking through customer records, so to speak.

Have I made my point yet? These are just two examples among many. And that doesn’t begin to scratch the surface of the slew of identity technologies (and vendors) out there that claim to secure your business the way it deserves to be secured.

Look, there are a LOT of misconceptions and myths out there. A lot of buzz around just what your business needs to operate securely and efficiently. Truth be told, a lot of it is noise and meant to distract you to the point of making a decision that feels good enough for now. But good enough for now will not fully protect your business from the next data breach or failed audit. Never mind stalling your workforce the next time you’re faced with a challenge like shifting to an entirely virtual working environment practically overnight (hello COVID-19 forcing function…).

In all of my conversations with CISOs and CIOs around the world, particularly in the last few months, all of them have confirmed what we have known for years: identity is business essential. It is 100% foundational to today’s digital business. It is so much more than good enough identity management; it is the smarts behind every single access decision across the business. Done right, it speeds your business vs. stalling it, it secures it vs. exposing it, and it provides confidence that you can move your business forward no matter what external factors it may be facing.