Every company and government entity is tasked with striking a critical balance between data access and security. As Forrester’s Senior Analyst Richard Joyce stated, “For a typical Fortune 1000 company, just a 10 percent increase in data accessibility will result in more than $65 million additional net income.” As the need to become more data-driven accelerates, it’s imperative enterprises equally balance privacy and governance requirements.

To achieve this balance, we need to change how we perceive data security. Amidst growing friction between teams — i.e. those who create and manage data access policies and those who need data to perform their duties — we must accept security, IT, and privacy teams want to provision as much data as possible. But those teams face constraints and compliance complexity.

Traditionally, data security, privacy, and regulations have been thought of as a cost center expense. Instead, we need to look at data security as the means for positive change, a driver for greater data accessibility, enhanced operational efficiency, and actual business value.

Many remain far short of the goal

Enterprises of all sizes struggle with the shift. NewVantage Partners' Data and AI Leadership Executive Survey 2023 found less than a quarter of firms reported a data-driven organization or data culture. And in the State of Data and Analytics Governance, Gartner suggests that by 2025, 80 percent of organizations seeking to scale digital business, including analytical initiatives, will fail because they don't modernize their data and analytics governance.

Data access drives growth. So, what’s the reason for low data-culture adoption? To be truly data-driven requires tight collaboration between many different functions, and there’s a lack of certainty regarding individual-role responsibilities. Strategic gaps must be addressed.

The reality of data security and access

When it comes to data security and access, companies are typically either:

Overly restrictive on data access. Data security is seen as an impediment to overall company growth. This is typically due to data, organizational, and technological complexity.

Or, overly focused on perimeter and application defenses, leveraging cyberdefenses and coarse-grained identity and access management (IAM). Data systems are open to exploitation in the event of a breach.

Most experience the worst of both these scenarios, where data security and access are simply broken — inconsistent, atomistic.

A primary challenge of solving the data democratization balancing act lies in the complex web of internal and external privacy, security, and governance policies. They change over time and need to be applied and maintained consistently and efficiently across business teams.

In the middle are the technical teams managing the complex data and analytical system. Due to constraints, security, privacy, and data management teams default to a tight lockdown of data to ensure compliance and security. It’s not any one team’s fault, but a major blocker to becoming data-driven.

Unified data security platform

Siloed, decentralized, inefficient, unclear roles and responsibilities, and an absence of a holistic strategy. So, what’s the solution as more companies face costly data breaches and low data usability rates? An enterprise-wide, scalable strategy that leverages a unified data security platform. One that includes integrated capabilities to simplify and automate universal data security processes across the entire data and analytic ecosystem. With the ability to discover and classify sensitive data, data attributes can be used to automatically deliver instantaneous data access to authorized users. Proper data security governance helps teams get access to more data faster.

Additional data masking and encryption layers can be added to make sensitive data available for analytics without compromising security. Even if a breach occurs, fine-grained access limits exposure, and audit capabilities quickly identify compromised data.

Executing a proper data security strategy provides the last mile of the data governance and cataloging journey. All of it key to the balancing act of data democratization, with comprehensive data governance enabling faster insights while maintaining compliance. 

Enterprise-wide governed data sharing

Privacera helps Fortune companies modernize their data architecture via a holistic, enterprise-wide data security platform and automated data governance. A data security platform empowers the data democratization you need to increase data usability and nurture your data-driven culture. Analysts and business units get more data faster. IT liberates time and resources. Security and privacy teams easily monitor and implement data security policies.



By Milan Shetti, CEO Rocket Software

If we’ve learned anything over the last few years facing a global pandemic, stalled supply chains, rising inflation, and sinking economies, it’s that change is the new normal in today’s markets.

In response, organizations have invested heavily in digital transformation. IDC forecasts that global spending on digital transformation will reach $2.8 trillion by 2025 — more than double what was spent in 2020.

As organizations amp up their digital transformation initiatives, which are critical for survival in today’s business climate, they must also consider how to modernize and migrate sensitive data and how it is managed and governed. C-suite leaders must have confidence in the data they have on hand to fuel business processes, deliver customer and employee experiences, and improve their operational analytics and insights.

Given the volume of data most organizations have, they need agile technologies that can provide a vast array of services to streamline content management and compliance, leverage automation to simplify data governance, and identify and optimize all of their company’s valuable data.

Ultimately, when evaluating automation technologies, your business needs software that will enable teams to move quickly and easily identify high-priority, sensitive data and to identify and remove redundant, obsolete, and trivial content (ROT) to remain compliant with complex regulatory demands. 

With organizations grappling with how best to streamline data management and compliance, there are four key considerations in doing it effectively.

1. Identification

Businesses need fast and accurate analysis of all their content. Organizations with content-rich processes should look for flexible and scalable automated solutions that can deliver a broad classification of content — reducing the chances of important information slipping through the cracks and allowing teams to quickly identify more types of sensitive data.

2. Action

To support compliance with a governance-first approach to content-rich process automation, businesses must be vigilant when it comes to managing the retention and privacy of documents. This is achievable by automating as much governance decision-making and manual processes as possible. Utilizing automation technology to automatically govern content-rich processes and eliminate mundane, tedious, and repetitive tasks, teams can eradicate many opportunities for human error and free up employees and resources to increase efficiency. 

3. Access

One of the biggest threats to a company’s sensitive data is accessibility. Easily accessible, less secure data is vulnerable to hackers and malware, which, if breached, can have catastrophic consequences for an organization. Teams must look for automation software that can set time and geography parameters around employee accessibility, deny access should a network be breached, and allow redaction across the entire enterprise. 

4. Lifecycle

To successfully manage the entire content lifecycle, businesses must have the ability to place content on legal hold, manage the over-retention of documents, and enable encryption at rest. Rocket Software’s Mobius Content Services platform delivers this by not only allowing report management teams to encrypt and quickly put content on legal hold, but also providing storage reduction to avoid over-retention and ROT. Mobius can also easily integrate into many shared drives and collaborative platforms to streamline ROT and site auditing.

With investment growing in digital transformation, organizations must stay competitive — and, for many, data is becoming the critical differentiator. By implementing the right tools now for data automation governance, organizations will be better positioned to maximize it and stay compliant. To learn more about Rocket’s content management solutions, visit the product page.


What is ESG and why is it important?

Environmental, social, and corporate governance (ESG) is a strategic framework for identifying, assessing, and addressing organizational objectives and activities ranging from the company’s carbon footprint and commitment to sustainability, to its workplace culture and commitment to diversity and inclusion, to its overall ethos regarding corporate risks and practices. It’s an organizational construct that’s become increasingly important, especially to socially responsible investors who want to invest in companies that have a high ESG rating or score.

The three main pillars of ESG include:

Environmental commitment: This includes everything around a company’s commitment to sustainability and the impact it has on the environment, including its carbon emissions and footprint, energy usage, waste, and environmental responsibility.

Social commitment: This covers a company’s internal workplace culture, employee satisfaction, retention, diversity, workplace conditions, and employee health and safety. Companies with happy and healthy employees perform better and are viewed as a stronger investment.

Corporate governance: A company’s commitment to governance includes compliance, the internal corporate culture, pay ratios, the company ethos, and transparency and accountability in leadership. Investors are interested in companies that can keep up with changing laws and regulations, and that have a commitment to equity and equality in the workplace.

Your company’s environmental efforts will only become more important as the effects of climate change continue to grow. Companies that are more prudent with resources, such as water, coal, oil, and electricity, are predicted to fare better in a future where those resources may be limited in certain areas. Similarly, a company’s social profile is more important than ever in a time where a single Tweet can negatively impact an entire brand or company’s reputation. And as more laws and regulations arise around technology, most notably GDPR, a strong commitment to proper governance and compliance will be crucial for keeping a company operating and in business.

ESG score and rating

ESG scores are determined by third-party firms that have their own methodologies to identify a company’s ESG rating. Currently, this isn’t a process that is streamlined across the board, and different companies have their own way of determining a company’s ESG rating. ESG scores and ratings are important because they give an overall picture of the company’s performance in these three areas.

These scores help inform potential or current investors and can even help inform governments as to whether they want a company operating within its borders. A higher ESG score also aligns with a company being more sustainable, having happier employees, and being more productive and profitable overall due to better working conditions. Typically, ESG scores are rated from 0 to 100 with anything above a 70 classified as a “good” ESG rating, while anything below 50 is considered a “bad” rating. Some systems, however, rely on a letter-based scoring system where a grade of C is the worst and A is the best.

ESG investing and analysis

Because ESG has become a large part of the investment process for businesses, having an ESG analysis performed for your company can go a long way to showing investors that your company is worth their time and money. Investors have started looking at the overall values of the companies they’re investing in, and brokerage firms and mutual fund companies have responded by offering exchange-traded funds (ETFs) that track ESG ratings.

ESG investing is often called impact investing, sustainable investing, responsible investing, or socially responsible investing (SRI). ESG investors want to invest in companies that have a commitment to accountability, sustainability, and that are overall good places for employees to work. Companies negatively contributing to the environment, social responsibility, or governance, aren’t viewed favorably by these investors as a solid long-term investment.

What does a good ESG score mean for business?

For companies looking to improve their ESG rating, one big change is switching to smart building technology to manage waste and improve efficiency. Smart building technology can help automate climate control and lighting, and monitor the building for efficient energy use. Using smart technology to manage your building’s energy consumption can also improve workers’ conditions, by ensuring that they’re in a comfortable environment, and can reduce potential waste by adjusting the lighting or temperature in areas of the building not in use. Automating building maintenance can also reduce waste and improve sustainability, with sensors available to detect issues with the building and alert staff when something breaks or needs repairing.

Companies with a good ESG rating also have a strong commitment to their workers, ensuring fair workplace practices, a commitment to diversity and equity, and creating an environment where everyone feels welcome and accepted. This also includes having safe workplace conditions, benefits for employees, and strong support for employees’ overall well-being. Your company’s reputation relies not only on external interactions with clients and customers, but also on having high employee satisfaction within the company. This can boost retention, recruitment, and even productivity since happier employees have been shown to work harder and more efficiently.

Companies with a high ESG rating are also going above and beyond in areas around governance — typically doing more than is required of them in terms of compliance. They have high transparency with investors and employees and create an environment that allows for open and direct feedback. These companies aren’t just following the current laws and regulations, they’re looking ahead to what rules and laws might be implemented in the future and are making the call to make those changes early on. These companies also have a strong commitment to authentic leadership and holding leaders accountable within the organization.  

What does a bad ESG score mean for business?

Companies that have poor sustainability or high carbon footprints typically fall on the lower end of the ESG rating scale. These companies struggle with their overall environmental impact and have a history of energy-intensive practices and procedures. There is often a lack of automation, poor or bare-minimum compliance, and sometimes even unsafe or dangerous working conditions. These companies will have high turnover, poor retention rates, and employees reporting low levels of satisfaction.

At companies with low ESG ratings, there’s also often a lack of transparency with employees and investors, sometimes even going as far as to hide important or relevant information. These companies often do just enough on the side of governance to remain compliant but aren’t making the effort to do any more than the minimum. Companies with a low ESG score simply aren’t appealing to socially responsible investors, and they will struggle to be viewed as a solid long-term investment by this growing base of investors.

ESG challenges

There are some criticisms of ESG ratings — most notably that the scores and analysis aren’t streamlined and there can be variations between how companies give out ratings. ESG ratings also encompass a lot of broad topics in the workplace, making it difficult to standardize the scores across every company and industry. It can also be difficult for older companies to make the changes necessary for a high ESG score — especially around automation and building changes.


Whenever CIOs talk about using low-code tools to enable citizen development, a recurring theme is how to ensure appropriate governance of the applications produced.

Microsoft has heard them loud and clear, and at its Ignite 2022 show in Seattle this week, it introduced a range of new governance capabilities and other enhancements for its Power automation platform.

It also previewed new management capabilities for automated workloads in its Entra Identity governance tool, new compliance reporting tools for monitoring the roll-out of Windows updates on enterprise desktops, and a host of updates to its Azure cloud platform.

Power to the people

Even low-code may seem like a foreign language to some workers, so Microsoft has been experimenting with ways to enable them to generate workflows with Power Automate, describing in natural language what they want to achieve and leaving an AI to build the corresponding flow. The feature, now in preview, will still require workers to set up connectors for the inputs to and outputs from the automated workflow, and to tweak it to ensure it behaves as intended.

Given the scope for ambiguity in natural language, CIOs may want to reinforce governance of applications created in this way — and with the new Managed Environments for Power Platform, Microsoft will help them do just that. First previewed in July, it’s now generally available.

Checks and balances

A new Weekly Digest feature enables admins to see how much use each Power app is getting, directing attention to the most used and reclaiming resources from unused ones.

There are also new tools to limit sharing of apps by security group or number of users, so apps don’t go viral across the enterprise until they’ve been thoroughly tested and channels are set up to communicate changes to them.

Those features will be important to CIOs, according to Kyle Davis, a VP and analyst at Gartner covering low-code adoption.

“When it comes to citizen development and low code, governance is front and center,” he said.

Managed Environments is more of an evolution than a revolution, he added, saying, “There really isn’t anything there that someone couldn’t build for themselves if they wanted to.”

Indeed, Managed Environments has its origins in Microsoft’s Automation Center of Excellence starter kit, which enables enterprises to define their own best practices for Power app governance. But as the company itself acknowledges, customers found that this required a lot of manual work and expertise.

Davis said that CIOs looking for the simplicity of low-code development are often also looking for similar simplicity in its management. Managed Environments’ ability to deploy controls in a few clicks will be appealing. “It makes it easier to do things at scale,” he said.

The option to limit usage of an app to a few cubicle neighbors makes sense too, he said, because, “You can just yell across the hallway, ‘Hey, I’m going to make a change,’ and everyone’s aware,” while a change to a departmental app would need to go through a proper process. “What Microsoft offers with Managed Environments is something that you don’t really get from other low-code vendors in a similar space,” he said.

Environmental awareness

Not all the news at Ignite concerned Power Platform, however. Microsoft also had plenty to say about updates to its Azure cloud infrastructure offering, and an update of Syntex, its AI content management tool. Computerworld has the low-down on Syntex, but CIOs will want to be aware of other innovations that may help them trim management budgets or redeploy staff away from routine tasks.

There are new features for Microsoft Sustainability Manager, an environmental reporting tool for enterprises, including an extended data model to assist them in estimating so-called Scope 3 emissions of greenhouse gases by their entire supply chain, and an Emissions Impact Dashboard for Microsoft 365 showing greenhouse gas emissions resulting from their use of Microsoft’s SaaS productivity suite.

Azure Deployment Environments, previewed at the show, offer enterprises a way to apply project-based templates to each development environment they spin up. Much like the managed environments Microsoft is introducing for low-code applications, these new templates will help development teams consistently maintain best practices across projects with minimum effort, the company said.

Cost cutting

Another management feature, Azure Automanage, is now generally available for Azure VMs and has new capabilities including the ability to patch VMs without rebooting, reducing downtime costs.

For variable computing workloads in the Azure cloud, Microsoft is introducing the ability to mix Standard and Spot Virtual Machines in the same scale set, enabling CIOs to profit from the deep discounts available for Spot VMs as their computing needs vary.

But Microsoft also wants customers to see Azure as an economical solution for base workloads. Azure savings plan for compute, available later this month, offers a discount to customers who commit to spending a minimum hourly amount on computing resources for one to three years; consumption above the minimum commitment will be charged at regular rates.

Staying Intune

Microsoft is reshuffling its branding around endpoint management: Intune, previously a component of its enterprise mobility management offering, is now the umbrella brand for its whole range of endpoint management products such as Configuration Manager — with the promise of more to come. At Ignite, the company is previewing new endpoint privilege management capabilities such as the ability to temporarily grant users limited admin permissions, and automated app patching by combining Intune with Microsoft Defender. In January 2023, it will add Microsoft Tunnel so employees can securely access company resources from their own devices without having to enroll them first. And then in March 2023, a new bundle of premium endpoint management services called Advanced Management Suite will be introduced.


Modernizing and future-proofing your analytics

Executive-level commitment to a broad data governance strategy is gaining momentum in order to balance technology, people, and processes. In a recent Gartner survey, 78% of CFOs said they will increase or maintain enterprise digital investments. And a Gartner forecast states worldwide IT spending will grow 3% in 2022.

The counterbalance to this positive trend comes from NewVantage Partners’ Data and AI Leadership Executive Survey 2022, which states only 26% of respondents claim to have reached their data goals. The gap between data winners and stragglers is widening.

Technology balance

One look at the Andreessen-Horowitz framework for the modern data infrastructure and you see data ecosystem complexity is becoming a nightmare to manage. The ability to properly secure this new smorgasbord of data platform choices increases the management challenge.

Andreessen-Horowitz framework for the modern data infrastructure

People balance

Until recently, data management and analysis was almost solely an IT function. Today, the business ranks are filled with similar skills, with data stewards, data analysts, and data scientists tasked to build a data security governance platform. Meanwhile, CISOs, CIOs, and CDOs are thinking about compliance requirements and implementation. While there are many positives regarding the expansion of data-related roles, it has also meant dwindling IT resources directly dedicated to data consumers, despite IT being tasked with servicing a growing data landscape.

Process balance

On-premises technologies have moved to the cloud, often in an à la carte, buy-as-you-go style, without significant forward-looking strategy. In addition, a stream of new regulations demands new processes to regulate and assure the responsible discovery, access, and use of data. Add to this the federation of our data expertise into the business functions, and organizations now require a scalable approach to data governance processes.

The growing cost of getting it wrong

While many proof points exist for the value of data and the positive impact, the cost of doing nothing or getting it wrong has gone somewhat unnoticed. Key considerations include:

The average cost of a security breach in 2022 is around $4.35m, compared to $3.8m two years ago (Source: IBM’s Cost of a Data Breach Report 2022).

Regulatory fines, such as GDPR, are becoming real with companies such as Amazon and WhatsApp reporting multi-hundred-thousand-dollar fines.

Analyst, data engineer, and data scientist productivity remains a major challenge as they continue to report 80% of their time is spent on finding and getting access to the right data, as well as cleaning that data.

The intangible cost of delayed business decisions because the projects are on hold or severely impacted and delayed.

Loss of consumer trust once confidence is broken due to mishandling of data, causing lasting damages to a company’s brand as well as severe financial repercussions.

Modernizing your data security governance thinking

Modernization starts with thinking differently about the approach to people, processes, and technology.

Modernizing data security governance technology: Security and data governance need to exist across every part of the data lifecycle. Maintaining that security posture on a point-by-point basis is simply not viable. A broad-based data security platform that will bring you a centralized data security control plane across your entire hybrid data estate is required.

Modernizing the roles of your data stakeholders: Key stakeholders have expanded beyond the traditional experts employed by IT. Data experts live in the business. Data scientists in the business team are embraced, but data governance stakeholders have yet to receive the formal recognition they deserve. The data owners are business people. Formalize security and data governance objectives early. Empower your business data stakeholders to perform those objectives in a scalable and automated manner.

Modernizing your data governance processes: Gartner speaks extensively of the evolution of data governance from dictated (IT command and control) to distributed (everything left to be performed at the edges of the process). Implement a blended model where the system is based on federated responsibilities with centralized control and auditability.

Unified data security governance

AWS, Snowflake, Databricks, Azure and Google continue to deliver more choices on their ecosystems, which offer more opportunities for your business. But more choices inherently increase the difficulty of enforcing security across this increasingly diverse landscape. The only way to future-proof your analytics along with your security and privacy posture is through a unified data security governance approach. Privacera was co-founded by the innovators who led the charge in creating Apache Ranger™, one of the most widely used open source data security and access control frameworks. As the only scalable data policy management solution based on open standards, Privacera offers a proven way to future-proof, while preventing vendor lock-in. Read more about the immense benefits of a data security platform based on open standards.


In today’s dynamic world of work from anywhere, organizations are experiencing new pressure points. IT and security leaders find themselves grappling with extended enterprises of employees, contractors, and suppliers remotely located across the globe using an expanded set of technologies. The broad adoption of cloud apps, platforms, and infrastructure has led to a complete re-thinking of access, governance, and security.

While remote, extended enterprises accessing cloud-based technology bring potential risks, they also offer significant upside for businesses. CIOs have recognized how strategic their organizations can be in driving business growth, productivity, and reducing complexity by pushing rapid technology adoption and creating seamless, secure, and simple authentication and authorization experiences for their broad workforces.

Collectively, these changes have emphasized the need for a more holistic identity-first approach to technology adoption, implementation, and security. Much of that starts with understanding who has access to what, when they received access, and who authorized that access. That technology domain has traditionally been known as Identity Governance and Administration (IGA), but as new ways of working collide with new security paradigms, those definitions are shifting and evolving to match modern enterprise IT environments.

This broad need for IGA capabilities is well-founded, as enterprises are recognizing the side effects of distributed and fragmented user bases and tech stacks: a sharp rise in orphaned accounts that are a major security risk and a resource drain, and a lack of control and visibility into cloud application security posture, lacking clear reporting of access and any time constraints.

The weakness of traditional IGA systems

As companies start shifting to an identity-first approach to security, IGA is becoming a more sought-after capability for organizations requiring better visibility of identity administration and access entitlements across their IT infrastructure. This is a major departure from traditional, compliance-driven models, as IGA is being seen more as an enabler rather than risk mediation.

Traditional IGA solutions are primarily solving a legacy problem and were not built to manage identities in cloud-first IT environments. They lack the ability to easily integrate to modern applications and are challenging to implement, often taking 12-18 months to deploy, requiring professional services, and considerable maintenance costs along the way. The outcome is too often that traditional IGA solutions are bolted on and left alone, resulting in non-updated software and potentially with greater security holes than before. To make matters worse, legacy systems are generally designed with a small subset of users in mind, with user experiences that make broad adoption and education a significant challenge.

In a world where cloud technologies have democratized access and adoption, IGA solutions should make it possible for more users within an organization to compliantly engage with applications either as an end user or as an authorizer, ultimately driving the business forward.

The modern approach to identity governance

As enterprises continue to adopt more cloud technologies and work in a distributed environment across a broad set of users, IGA must evolve to enable rather than disrupt modern enterprises. IT leaders need a cloud-native, enterprise-grade solution that is approaching identity governance not as a bolt-on solution, but as one that has been foundationally incorporated into a broader identity-first security posture. To keep pace with today’s speed of innovation and adoption, a modern solution must be deployed in days, and be easy to use and maintain. Lastly, a modern IGA solution must deliver a seamless and frictionless experience for the workforce and help boost the productivity and agility of its IT organization.

Okta’s cloud-first approach to identity governance

As the first born-in-the-cloud identity provider, Okta has taken its modern approach to identity and access management (IAM) and applied it to IGA with Okta Identity Governance, which is now generally available. Okta Identity Governance is part of Okta’s broader workforce identity vision, unifying IAM and IGA to improve enterprises’ security posture, helping them mitigate modern security risks, improve their IT efficiency, and meet today’s productivity and compliance challenges.

Deeply integrated into Okta’s existing IAM solutions, Okta Identity Governance provides an unparalleled comprehensive view of every user’s access patterns. Enriched user context allows reviewers not only to simplify the access certification process, but also to make informed decisions about user access, ensuring only the right people have access to the right resources. It meets users where they are by providing easy-to-use self-service access request capabilities, tightly integrated with collaboration tools built on a converged IAM and Governance solution, automating the provisioning of access to an enterprise’s applications and cloud resources.

With a network of 7,000+ pre-built integrations, Okta Identity Governance can provide intelligent and easy-to-use identity governance capabilities with the ability to automate complex identity processes, at scale.

Analyst firms and the federal government have agreed on the broad, foundational role identity plays in securing today’s organizations. Identity is the number one pillar of zero trust architecture, and that approach is built on the principle of least privilege with identity governance serving as a critical component. As organizations continue to adopt a zero trust framework, they are starting to realize the importance of moving away from a distributed identity architecture to a unified approach. Okta’s unified platform extends access and identity administration to include the key access governance tools that modern organizations need to mitigate modern security risks and improve IT resource efficiency. 

To learn more about Okta Identity Governance, visit the Okta blog.

About the Author

Paresh Bhaya is the Senior Director, Product Marketing for Identity Management business at Okta. He has been in the security industry for 10+ years and has experience in all phases of product development and marketing. He is passionate about security and you can always find him chatting about some deep security problem. Prior to Okta he was leading the Product Marketing efforts at Salesforce and worked at successful startups before that. He has an M.S. in Electrical Engineering from University of Texas.

Security

What’s one way to get CIOs griping and venting about their data strategies? Ask them how successfully they get their business users to migrate off their mega spreadsheets and onto data visualization and other self-service business intelligence platforms.

Then, ask chief data officers (CDOs) how hard it is to lead data governance programs that include more support for citizen data scientists who want to integrate, prep, analyze, and share insights over a growing number of data sets.

I ran a workshop at CIO’s recent Future of Work Summit on governing citizen development programs that leverage no-code and low-code platforms. I elected to focus on citizen data science, knowing that many CIOs and CDOs look for advice to build data governance into these programs. After writing two articles for InfoWorld, one on how spreadsheets are killing your business and another on replacing spreadsheets with business workflows, I was anxious to hear the challenges from the IT and data leaders in attendance.

Full disclosure, I know a thing or two about developing center of excellence programs in citizen data science and rolled out my first programs as a CIO over a decade ago. I share some of the stories and lessons in my new book, Digital Trailblazer, in the chapter on “Buried in bad data.”

Survey says!

I ran a quick survey during the workshop to get a sense of attendees’ challenges and perceptions around citizen data science. And although the sample size of 60 respondents is too small to support any conclusions, the survey suggests that these IT leaders are still in the early stages of rolling out citizen data science programs:

When asked to pick the top two ways business departments typically view data, respondents pointed to spreadsheets they develop themselves (53%) and automated reports managed by IT and data teams (43%). Forty-three percent said self-service BI was among the top ways business departments view data, but just 13% of them said their self-service BI had strong governance.

The group reported that the functions having the most to gain and the least served with data analytics are customer experience at 35% and product development at 28%.

One question asked for the top three challenges getting collaboration between business, data specialists, and technologists around data-driven practices. The top answer (reported by 40% of respondents) was that business leaders just want IT to fix the data and deliver reports.

Data visualization and prep tools went mainstream ten years ago, so this apparent lack of progress is far from encouraging. To get things moving in the right direction, IT and data leaders must ramp up data governance programs that support citizen data science efforts.

Turn compliance risks into citizen data science force multipliers

The problem with spreadsheets is that they were rolled out to business users well before there were data governance practices. Business analysts downloaded data sets, created multiple spreadsheets, and emailed them to colleagues. Today, replace spreadsheets with your favorite data visualization tools and, if left ungoverned, you could end up with even bigger problems.

Problems include:

Sharing private and confidential information and creating compliance risks;

Leaking information to unauthorized people outside of the organization;

Misunderstanding data definitions and making wrong decisions based on assumptions;

Sharing analytics and insights without testing the algorithms and validating results;

Building visualizations without standards or style guidelines, thus making it more difficult for employees to understand the results.

Of course, today the risks are magnified because most enterprises analyze big data sets, use multiple analytics tools, and develop custom code for proprietary machine learning models. Analytic models are used across the organization for revenue-generating activities and operational efficiencies, and mistakes can be costly. Data governance aims to address the compliance requirements, knowledge gaps, and data quality goals that can turn risk into an accelerating force in citizen data science programs.

Where to start with proactive data governance

The primary drivers behind many data governance programs are compliance and security requirements, but proactive data governance aims to achieve those objectives while also enabling the data-driven organization. These programs define transparent data access and usage policies so that it’s clear who can use what data sets for their analysis. Data catalogs are updated whenever an analysis or visualization includes new formulas, segments, and other parameterizations. There are ongoing efforts to reduce data debt, improve data quality, and automate data integrations. Dashboards, analytics, and machine learning models are versioned and have a support lifecycle defined.

Fail or fall behind in creating these data governance practices, and this generation of citizen data science analytics will look just as bad as last decade’s mega spreadsheets.

Business Intelligence, Data Governance, Data Visualization