For years, RSA has served as a trusted advisor to organizations working through their own digital transformations. Now that we’re independent, we’re relying on the same people, solutions, and processes that we provide to others to address our own challenges. Think about the excitement in building out a new, purpose-built, IT stack to support the business and manage digital risk. Systems, including ERP, HR, Finance, CRM and more need to be stood up and protected.
The good news is that we don’t have to go any further than our own shelves for the technology and services to support our mission of reducing business and identity risk. One of the ways we’re doing that is by addressing identity governance – gaining visibility into who has access to what and discovering how that access is being used. For years, we’ve advised others that identity governance is a critical component to an overall Identity and Access Management strategy; now we’re re-creating that strategy for our own team.
A View from the Trenches
I recently spoke with Kelly Sarber, RSA’s new CISO, for her thoughts on what key elements go into developing a strategy to protect the business, our users, and other critical assets. RSA is taking a business-driven approach to Identity. Here is a summary of some of Kelly’s thoughts:
Aubel: This is an exciting time for you! Can you describe your high-level approach to a modern identity and security model?
Sarber: RSA is going through its own digital transformation and with that there is a strong focus upon identity at the core of our security program. I view it as a foundational element to truly understand how information is accessed and how data is leveraged across the enterprise. Users continue to be at the center of the attack surface, so we must be thoughtful and purposeful with our we implement our identity capabilities aligned with our business process needs.
Aubel: From an architectural view, what is your IT solution delivery model?
Sarber: Since we have this unique opportunity with RSA, where we are completely reimagining and adopting the latest technology to drive the business, it will include a combination of solutions that we run inside our own cloud infrastructure as well as with SaaS partners.
Aubel: How do people, process and automation come into play when you consider starting from a clean Identity slate, especially considering the new remote workforce model?
Sarber: When it comes to our overall identity strategy, we have a significant opportunity to partner with IT and the business to understand processes and design strong identity from the beginning. It’s a unique opportunity to be both building our internal Identity program at the same time as designing key business processes. The remote workforce only encourages to adopt the latest Identity mindsets and develop a comprehensive set of Identity and Access solutions that do not heavily rely on traditional “must be on protected network” access controls.
Another focus for us is that we have the unique opportunity to prioritize the automation of processes from the start and take on a digital mindset within the ecosystem. For me, when there are humans in the loop, it injects more risk, and automation activities help us manage that human element. Also it further reinforces our overall digital strategy. I am very fortunate to have the thought leadership and execution experience of the RSA product and services team behind my internal security resources as we go on this business-driven identity journey.
Establish Strong Identity and Access Governance
Because nearly every organization is continuing to increase remote access to open networks, strong access governance is essential to maintaining control and accountability. As organizations implement these changes, some staff may have increased or changed duties and require access to new applications and resources. Regular access and entitlement certifications become necessary to deliver continuous compliance and ensure that only the right people have access to the right applications, data and IT resources. Policies and rules –such as segregation of duties and least privilege access – need to be established and enforced, with reporting and dashboards put in place to ensure compliance. In addition, a sound Joiner, Mover, Leaver policy can prevent over-privileged users and entitlement sprawl, while diligent access governance can help identify and remediate issues and turn visibility into action.
RSA Identity Governance and Lifecycle can help simplify access governance, by automating the monitoring, certification, review and remediation of entitlements to make sure that the enterprise is meeting compliance requirements. Using risk-based analytics, the solution can help identify risks like overprovisioned and orphaned accounts and users. It also prioritizes riskier access so teams can address it first.
Everyone knows that the newly independent RSA has decades of experience and an unfair advantage when it comes to rolling out identity and access management infrastructure to support digital transformation. Give your enterprise that unfair advantage. Learn more about Identity and Access Management.