Cyber attackers are growing more and more sophisticated, and they are increasingly turning their focus to areas of highest risk, including critical infrastructure like utilities. In today’s cybersecurity landscape, hackers are focused on gaining access to utilities’ computer networks in order to conduct “network reconnaissance” on the industrial control systems that run the electricity grid, and the potential for damage cannot be ignored or underestimated.
Most often, hackers gain access through legitimate user accounts discovered via attacks on an organization’s employees and third parties, such as contractors. As in most organizations, great security at a utility company begins with its staff. Tightly managing and controlling their access to applications and data is critical to ensuring a secure, smooth-running organization.
At the heart of the challenge is understanding who has access to what information and managing what they can do with that access. Enter identity governance. An identity governance program offers extensive benefits for utility companies when it comes to security, efficiency and compliance. Here are a few of these benefits, with examples of how they can be applied within your organization:
Visibility into Who Has Access to What
Consider the churn associated with onboarding and offboarding employees. Managers need to onboard new employees, manage user access of existing team members and contractors, and revoke the access of employees who have left the company for any reason. Given the complexities involved with managing this churn, it’s easy to see how, without the proper oversight, individuals might gain access to data that they should not be permitted to have. This is where an identity governance program comes in. Identity governance provides visibility into who can access data or an application, and under what circumstances they can do so.
You can think about identity governance in terms of physical security. For instance, you might give a contractor a badge to enter the front door of the plant, but you would never give them free rein to roam the premises and access anything they wanted beyond the “perimeter” in which they are allowed. The badge you’ve provided only allows them to get inside the building and work on their assigned project – it does not give them permission to open up laptops, sift through files or enter areas outside of where they are designated to work. To govern that contractor’s building access, proper controls are put into place on the back end to only allow that contractor to enter pre-approved areas of the plant. Similarly, an identity governance program ensures that IT administrators understand who has access to which applications and data, rather than merely being able to grant users the access they need to do their jobs without any governance of how that access is used.
Managing Data Stored in Files
Many organizations also have a blind spot when it comes to managing access to sensitive data that resides in files like documents, spreadsheets and presentations. The inability to manage access to this kind of sensitive data – whether it exists in file storage systems in the cloud (e.g., Box, Dropbox, OneDrive, etc.) or on-premises in your data center – presents serious security and data breach risks. By extending identity governance to data stored in files, companies can secure this data by first discovering and classifying what sensitive data exists in critical file storage repositories. Second, organizations can then analyze permissions across these repositories to understand how the file and folder access was granted. From there, IT departments can easily put effective controls in place to manage the access to this sensitive data and protect it from potential malicious behavior, ultimately reducing risk.
Automation of Administrative Tasks
An identity governance program also helps to automate many of the manual administrative processes to grant, modify and remove user access that are often time-consuming, costly and error-prone. As utility companies undergo digital transformation throughout their organization, it’s important that these administrative responsibilities transform as well.
By leveraging identity governance, utility companies can automate the lifecycle of user access that includes management of roles, accounts, entitlements and passwords. With automation and self-service from critical identity governance capabilities like provisioning, access requests and access certifications, organizations can reduce the time it takes to onboard and offboard employees, freeing up time for IT administrators to focus on areas of more strategic value or higher risk without sacrificing security.
Meeting Federal Regulations
An additional benefit to having insight into who has access to what lies in increased oversight into how regulatory requirements are being met. Identity governance can put preventive and detective controls in place to ensure access complies with critical regulatory mandates.
Groups such as the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) impose strict compliance regulations for the industry. It’s important for utility companies to be able to assure these regulatory boards that their operations are safe and reliable – from both a material handling and security standpoint. Failure to comply with regulatory guidelines can result in steep fines or even interruptions in day-to-day operations. Having full visibility into user access can help utility companies achieve compliance and avoid unnecessary interruptions in business or costly fines.
With an identity governance program in place, organizational leaders can help to mitigate risks threatening their facilities by having centralized and detailed insight into user access to critical applications and data. The benefits of a robust identity governance program can have a significant impact on the security of an organization, and also help to increase efficiencies and meet compliance regulations.
When you boil it down, organizations need to have complete visibility into who has access to what within their organization, and what they’re doing with that access, so they can keep their critical systems and data secure. In today’s world, organizations need to be proactive when it comes to security, as sophisticated cyber attackers pose a constant threat to utility companies. Having an identity governance plan in place is the first step to protecting against these attacks.
About the author: Rick Weinberg is vice president of product management at SailPoint.