Sustainable Development for Digital Transformation Through Identity Governance and Administration, Part 2

Authors: Joe Raschke, CRISC, CIPP, CISSP, and Karen Walsh, J.D.
Date Published: 25 September 2019


Increasingly, organizations connect their on-premises infrastructures to cloud-based technologies, both from a Software-as-a-Service (SaaS) and an overarching infrastructure perspective. While organizations have developed strategies for securing data privacy and security in their on-premises environments, their adoption of cloud-based technologies to streamline business operations changes their ability to control user access to resources. Cybersecurity professionals refer to the cloud as ephemeral when, in some ways, it is more organic. With constantly growing and changing cloud-based initiatives, organizations need to move beyond static role-based access controls that limit their agility. As organizations adopt digital transformation initiatives (e.g., migrating their business-critical operations to the cloud), the new risk associated with, for example, cloud security also grows and changes. Integrations between applications streamline business operations and create an interconnected digital ecosystem. The digital ecosystem, much like the physical one, requires a delicate balance. Just as a single chemical spill creates environmental pollution, data leakage pollutes the digital ecosystem. Moving away from tightly controlled on-premises IT infrastructures pushes the security perimeter away from systems and networks and moves it to identity and access. The 2019 Verizon Data Breach Investigations Report also supports identity as the new perimeter, noting that system administrators accounted for an increased number of threat actors and that privilege abuse was the primary internal-actor cause of data breaches.1 With identity as the new data privacy and security perimeter within cloud ecosystems, COBIT 20192 can act as a framework for establishing a complex adaptive identity and access program that supports cybersustainability.

The Need for Predictive Access

Complex, interconnected cloud architectures mimic environmental ecosystems. In the physical world, each organism depends on the others to maintain the habitat. The coral reef, for example, provides a home for algae, while the algae provide nourishment to the coral. In the same way, organizations adopting digital transformation provide revenue for their technology partners, while those partners streamline business operations. These symbiotic relationships not only provide a parallel between the environmental movement and digital transformation, but they highlight the importance of incorporating sustainable strategies for technology adoption. Cybersustainability can be defined as:3

  • Adopting/maturing digital transformation strategies
  • Establishing access and governance policies that promote cyberhealth
  • Continuous monitoring to maintain data privacy/security
  • Communicating across stakeholders
  • Promoting operational resiliency

With identity as the new perimeter, digital transformation strategies need to treat identity governance and administration (IGA) as the foundation of their data privacy and security programs rather than as a value-add that supplements their external vulnerability management efforts. In a 2018 paper on access policy control, researchers explained,

[the] access control (AC) system will therefore need to adapt dynamically to incorporate risk assessment into the access control process…a main result of these trends is a move away from the traditional perimeter based security model.4

Whether realizing it or not, the researchers embraced cybersustainability when focusing on the shift from external security to access enforcement. By discussing the importance of a dynamic, adaptive access system, they acknowledge the organic nature of the new perimeter—identity.

Problematically for cybersustainability purposes, the adaptive access model only partially responds to the key components of both cybersustainability and the complex adaptive systems (CAS) model applied to digital transformation. Figure 1 aligns the primary components of cybersustainability with adaptive access control and predictive access as tools for incorporating CAS theory into digital transformation.

While adaptive access control invokes complex adaptive systems theory in name, it focuses only on decisions related to real-time authorization to a system. Organizations looking to create digital transformation strategies aligned with cybersustainability should seek to incorporate predictive access to mitigate the risk arising from excess access within their infrastructures.

Predictive access controls focus on risk-based policies and entitlements that enable organizations to prove governance of their data privacy and security postures. Predictive access protects data privacy and security in real time, regardless of location. As users request access to the new resources necessary to fulfill their job functions, predictive access uses peer-based and usage-based analytics that align with policies. These predictive access controls go beyond authenticating the identity to ensuring that the authenticated identity should be accessing the resource. While adaptive access streamlines authentication as users access IT ecosystems from different locations, predictive access controls act as a proactive strategy that supports cybersustainability as a complex adaptive system: they protect access to resources within the cloud ecosystem to ensure that users have the right access to the right resources at the right time.

Working within the cloud, predictive access analytics uses big data to incorporate more context for these identities, providing detailed, fine-grained entitlements across all collaborative and cloud-native applications to ensure continuous monitoring and continuous assurance.

Complex Adaptive Systems and Risk-Based Compliance

In the physical environment, complex adaptive systems respond to new patterns arising from new ideas, interactions and interrelationships. Similarly, cybersustainability requires organizations to adapt to new threats and new risk factors. Continuous monitoring over the organization’s ecosystem, as viewed traditionally, focuses on external threats. However, as privilege misuse and system administrator risk increasingly impact data privacy and security, organizations need to begin focusing on creating adaptive identity and governance programs grounded in continuous monitoring and new risk.

Risk-based industry standards and regulatory compliance requirements align with this need to embrace complex adaptive system theory. The principles of emergence, co-evolution and path dependence all inherently integrate risk. For example, in the physical environment, an animal’s adaptation to the ecosystem often arises out of a new risk, such as London’s moths changing color after the Industrial Revolution to remain hidden from predators.5 In the same way, risk-based compliance requirements that incorporate continuous risk monitoring seek to respond to new data threats and promote adaptation through an iterative risk-response-mitigation process.

COBIT 2019 addresses variation from one organization to the next. Specifically, the COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution6 notes that management objectives set the design, but that the various factors then feed back to the capability levels. Using COBIT 2019’s iterative risk-respond-mitigate-monitor cycle as a framework for IGA in on-premises, hybrid and cloud ecosystems, organizations can focus on the new perimeter with an adaptive compliance standard that enables stronger cybersustainability.

COBIT 2019: A Compliance Framework for Cybersustainability

COBIT 2019 provides a way for organizations to incorporate cybersustainability while ensuring that they appropriately secure access, monitor effectiveness and prove the benefits of their program to management. As described in the COBIT 2019 Framework: Governance and Management Objectives,7 its core objectives, together with the Evaluate, Direct and Monitor (EDM) objective EDM02 Ensure Benefits Delivery, establish the framework as a model that can be used to promote cybersustainability. Figure 2 aligns COBIT 2019’s EDM02 with environmental sustainable development theory and cybersustainability.

COBIT 2019 is a framework rooted in providing economic value while promoting communication across stakeholders regarding policies that enable cyberhealth, continuous monitoring and operational resiliency. Organizations using it can create policies, processes and procedures today that can later adapt to new risk factors, thus advancing cybersustainability.

COBIT 2019: Creating Complex Adaptive Systems for Identity Governance and Digital Transformation

Establishing COBIT 2019 as a framework that aligns with cybersustainability principles requires bringing together the key tenets of the environmental principles and aligning them with specific COBIT 2019 guidelines.

Applying complex adaptive systems theory to the workflow, COBIT 2019 engages the key principles of CAS as applied to digital transformation as seen in figure 3.

Finally, applying complex adaptive governance to the workflow, figure 4 shows what COBIT 2019 can enable.

COBIT 2019: Creating Cybersustainable Identity and Access Processes

Delving deeper into COBIT 2019, the framework supplies a workflow that supports cybersustainability for managing access and identity across on-premises, hybrid and cloud ecosystems. With identity as the new perimeter, organizations using the COBIT 2019 framework can establish flexible IGA programs that help secure identity and access.

Figure 5 highlights the iterative and adaptive nature of identity governance within COBIT 2019.

The continuous monitoring over access controls in conjunction with the requirement to continually improve processes establishes a risk-based approach to IGA. This risk-based approach, when applied to CAS theory, further reinforces the COBIT 2019 framework as one that enables cybersustainability as outlined in figure 6.

Aligning with complex adaptive theory as redefined for cybersustainability, COBIT 2019’s access workflow acknowledges and responds to identity’s shifting, dynamic nature across on-premises, hybrid and cloud ecosystems. Interconnected cloud infrastructures create complex definitions of identity that require predictive access. COBIT 2019 addresses the need to continuously monitor access controls and continually improve processes. Using predictive access controls, organizations can close the feedback loops to meet COBIT’s requirements.

COBIT 2019: Adaptive Governance for Cybersustainable Identity and Access Policies

Having situated COBIT as a framework that enables cybersustainability, organizations using it need to establish programs and processes. Traditional approaches to identity governance lack the flexibility to meet evolving identity governance needs as organizations incorporate new technologies. COBIT 2019’s introduction outlines four principles underlying its methodology:

  1. Flexibility and openness
  2. Currency and relevance
  3. Prescriptive application
  4. Performance management of IT

These four underlying principles, when combined with IGA, reinforce the way in which COBIT enables organizations to create cybersustainable identity and access programs that incorporate governance and auditability (figure 7).

Of note, when reviewing COBIT 2019 as a complex adaptive system, the framework’s requirements for IGA each fit neatly into a single key theory component. However, when viewing COBIT 2019 through the lens of adaptive governance, the individual requirements align in a more fluid manner. For example, viewed as a complex adaptive system, COBIT’s requirement for authorizing access is a function of emergence—the interconnected nature of a complex adaptive system. However, viewed through the lens of adaptive governance, the requirement for authorizing access aligns with two principles from figure 6: “networks” and “institutions, adaptation and social learning.” This fluidity highlights the difference between the system itself and creating policies that govern the system. As complex adaptive systems, in this case IT infrastructures, evolve along a path dependency, policies and governance need to be dynamic rather than static.

Creating Sustainable Privacy and Security With COBIT 2019

Complex adaptive systems for IGA need to incorporate a variety of new technologies that provide greater insight into how users access data, where they access data, and the risk factors that arise from embracing these new technologies and capabilities. Legacy solutions limit sustainable cybersecurity practices as they often lack the ability to manage dynamic, evolving identity and access needs. To meet the organic demands of the cloud, organizations need predictive technologies that provide insight into their access and use as they shift their threat detection mentalities to make their core focus people—the new perimeter.

Dynamic Transformation, Dynamic Identity, Dynamic Risk
People and the cloud share a dynamic nature, both of which come with inherent risk. Legacy solutions can provide rules and monitor point-in-time compliance, but the cloud’s organic nature is only managed through dynamic intelligent analytics and context for those rules. Even with these inherent and dynamic angles, static factors cannot be ignored when calculating risk.

For example, granting a user application access can lead to data integrity issues associated with the “everyone with a link” sharing risk. Fine-grained, or detailed, access permissions that limit access to read or write access mitigate these excess access risk factors.

Thus, organizations need to incorporate modernized analytics that provide predictive access to address true organizational risk as shown in figure 8.

Continuous Monitoring, Continuous Visibility, Continuous Sustainability
Adding more technology to enable compliance obscures the overarching view of access and identity, ultimately leading to noncompliance arising from human error across platforms and services. Organizations also need automation to streamline continuous monitoring and documentation processes, creating a more robust IGA compliance program and meeting the iterative nature of COBIT 2019 compliance. Traditional reports and application-level coarse-grained controls provide little insight, which leaves organizations at risk. For example, role-based access to an application grants access to all users with a similar job function. Organizations need detailed, context-driven entitlements to limit access within the application. The additional context creates a frictionless user experience, while predictive access analytics can prevent segregation of duties (SoD) violations.
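The peer-based and usage-based analytics described in the predictive access section, and the fine-grained entitlement and SoD checks described above, can be illustrated with a small entitlement review. This is an added example, not code from the article or from any COBIT or IGA product; the users, roles, entitlement names, thresholds and SoD rule are all constructed.

```python
"""Peer-based, usage-based and SoD entitlement review (added illustration)."""
from collections import Counter, defaultdict

# Constructed sample data: user -> (role, {entitlement: days since last used}).
USERS = {
    "alice": ("finance", {"erp.view_ledger": 2, "erp.create_vendor": 5}),
    "bob":   ("finance", {"erp.view_ledger": 1, "erp.create_vendor": 9}),
    "carol": ("finance", {"erp.view_ledger": 3, "erp.create_vendor": 120,
                          "erp.approve_payment": 4}),
    "dave":  ("finance", {"erp.view_ledger": 0, "crm.export_all": 200}),
    "erin":  ("sales",   {"crm.view_accounts": 1, "crm.export_all": 0}),
}

# Constructed toxic combination: one identity must not both create a vendor
# and approve payments to it (a classic segregation-of-duties rule).
SOD_RULES = [frozenset({"erp.create_vendor", "erp.approve_payment"})]

PEER_THRESHOLD = 0.5   # flag if fewer than half of role peers hold the entitlement
STALE_DAYS = 90        # flag if the entitlement has not been used for this long


def peer_prevalence(users):
    """Return role -> entitlement -> fraction of users in that role holding it."""
    by_role = defaultdict(list)
    for role, ents in users.values():
        by_role[role].append(set(ents))
    prevalence = {}
    for role, holders in by_role.items():
        counts = Counter(ent for held in holders for ent in held)
        prevalence[role] = {ent: n / len(holders) for ent, n in counts.items()}
    return prevalence


def review_access(users, sod_rules=SOD_RULES):
    """Return sorted (user, entitlement or pair, reason) findings for a reviewer.

    peer-outlier: entitlement rare among role peers (candidate excess access)
    stale:        entitlement unused beyond STALE_DAYS (least-privilege cleanup)
    sod-violation: user holds every entitlement of a toxic combination
    """
    prevalence = peer_prevalence(users)
    findings = []
    for user, (role, ents) in users.items():
        for ent, idle_days in ents.items():
            if prevalence[role][ent] < PEER_THRESHOLD:
                findings.append((user, ent, "peer-outlier"))
            if idle_days >= STALE_DAYS:
                findings.append((user, ent, "stale"))
        for rule in sod_rules:
            if rule <= set(ents):
                findings.append((user, "+".join(sorted(rule)), "sod-violation"))
    return sorted(findings)
```

In this constructed data set, carol's approve-payment entitlement is both a peer outlier and half of an SoD violation, and dave's stale CRM export right is the kind of excess access a point-in-time role review would miss.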

Digital transformation sustainability relies on continuous visibility and monitoring. Organizations need architectures and tools that allow them to control access and streamline operational workflows. Moreover, they need tools that provide auditors with the appropriate documentation. Incorporating intelligent analytics as part of continuous monitoring activities strengthens the organization’s cybersecurity posture and, thus, its compliance posture as shown in figure 9.

Creating a Fully Sustainable Digital Ecosystem

Although digital transformation enables globalization of business practices, digital transformation security needs to begin at the individual level. Digital transformation strategies increase the number of identities—individuals and applications—that access resources. To create a sustainable digital ecosystem, organizations need digital tools that match the elasticity and velocity of the cloud to promote better organizational hygiene across disparate cloud-based systems and applications. With identity as the new perimeter, cybersustainability needs to include technologies that promote predictive access in ways that can evolve with the new risk arising from digital transformation, such as excess access within a cloud ecosystem. Maintaining data privacy and security as part of a cybersustainable cloud migration strategy, therefore, must start with the principle of least privilege and maintain monitoring to limit privilege misuse.

Endnotes

1 Verizon, 2019 Data Breach Investigations Report, USA, 2019,