SailPoint
https://www.sailpoint.com/zh-hant/
Identity Security for the Cloud Enterprise
Wed, 19 Jun 2024 04:31:35 +0000

The Core Components of Identity Security
https://www.sailpoint.com/zh-hant/blog/the-core-components-of-identity-security/
Tue, 01 Mar 2022 13:24:24 +0000

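Over the past few months, organizations have been changing how they manage and secure identities, work that has long been beyond human capacity. To govern identities effectively, organizations must adopt an identity security solution built on artificial intelligence and machine learning that automates the discovery, management, and control of all user access across the entire digital lifecycle. This ensures that every identity always has the right access needed to do its job, no more and no less.

SailPoint believes every enterprise needs to secure all identities with unmatched intelligence, improve workforce productivity with frictionless automation, and connect the organization's entire infrastructure through comprehensive integration. SailPoint founder and CEO Mark McClain and EVP of Product Grady Summers shared their views in the following leading industry publications.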

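WSJ: Cybercriminals Are Waiting to Steal Your Digital Identity

By Mark McClain

Over the past few years we have witnessed a number of record-breaking security incidents, many of which profited by exploiting organizations' weak and already-exposed passwords. Unfortunately, this kind of attack has become commonplace. Malicious actors repeatedly succeed in stealing personally identifiable information and using it to infiltrate corporate networks, with serious consequences.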

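Forbes: Identity Security: A Core Element Enterprises Cannot Do Without

By Mark McClain

In the modern world, people, technology, and business are inseparable. It is widely accepted that the points where these three interlocking elements meet must be kept secure at all times. Yet the vast majority of large enterprises have thousands or even hundreds of thousands of "identities," spanning employees, contractors, and machines of all kinds. Now is the time for organizations to prioritize identity security in order to make their workforce both more productive and more secure.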

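Forbes: What Is at the Core of Identity Security Today?

By Grady Summers

When protecting identities, many organizations try to rely on manual processes such as spreadsheets, or on in-house solutions whose technology is outdated and whose scale and architecture no longer meet the needs of the modern enterprise. These approaches cannot keep up in today's fast-changing world. What enterprises need is a solution that goes to the core of identity security.

Learn more about SailPoint's core commitment to identity security.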

Why CISOs and CIOs Need to Rethink Their Approach to SaaS Management
https://www.sailpoint.com/zh-hant/blog/why-cisos-cios-need-to-rethink-their-approach-to-saas/
Tue, 10 Aug 2021 21:34:29 +0000

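The future of work depends on SaaS, and current approaches need to be rethought. You need to reconsider what you mean by "visibility" and the dangerous gaps in your current approach, and build your identity security strategy on that basis.

If you are like the other CISOs I talk with regularly, you are probably facing a number of pressing issues related to rapid cloud adoption. The growth of cloud and SaaS has accelerated with the consumerization of IT. Users have grown accustomed to downloading and using applications and services from the cloud to help them at work, often without explicit approval from IT. The SaaS business model itself depends on end-user adoption. Teams of engineers and marketers now build platforms that drive "product-led growth" through free trials, increase product stickiness, encourage users to invite others, and so on.

Accelerating digital transformation and the widespread shift to remote work have further driven massive growth in SaaS adoption. Many CISOs regard shadow IT as just another cost of doing business, which actually makes the problem worse. Our blog has more on shadow IT. In some reports I have read, experts estimate that 80% of employees admit to using SaaS applications at work that have not been approved by IT.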

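According to Gartner, shadow IT accounts for as much as 30% to 40% of overall IT spending in large enterprises. This means nearly half of your IT budget is being spent on letting teams and business units buy (and use) tools that IT does not know about. Many unapproved software products and services may be functionally identical to approved ones, which means your company is spending its money inefficiently. What does this mean for overall revenue? The impact varies by industry, but recent research from Deloitte Insights shows that, on average, companies spend 3.28% of revenue on IT. Financial and securities firms spend the most (7.16%), and construction companies the least (1.51%).

In addition, because the tools have not been properly vetted, shadow IT is more likely to create security and compliance complications. The risks include data breaches caused by a lack of security. Your IT team cannot ensure the security of unapproved software or services, nor can it effectively manage and apply updates. Gartner predicts that by 2022, one-third of successful attacks on enterprises will target their shadow IT resources. Based on Ponemon's average cost of a breach ($3.86 million) and average annual likelihood of a breach (27.2%), shadow IT could cost you as much as $350,000 a year in breach-related risk.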

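How do you track your SaaS footprint? I do not mean the enterprise's core applications; I mean the entire footprint. If you track it in a spreadsheet, you are not alone. The reality, though, is that this approach cannot give you full visibility. A spreadsheet captures only a small part of the footprint, and it is out of date as soon as it is updated. The approach is time-consuming and highly inaccurate.

Let me explain how this approach affects you…

We have all heard these stories. A finance executive shares a root folder with an outside party through a cloud file storage application. This inadvertently gives the outsider access to financial details that were never meant to be public or shared. Payroll sheets, profit and loss statements, and other data are all accidentally exposed. On top of that, the executive's team files, folders, and discussions are fully exposed rather than remaining internal-only, read-only files, which allows search engines to index the financial files and other sensitive information. Who is at fault in this scenario? Not the finance executive… but the CISO and the CIO.

Or consider another scenario: without knowing it, a company has five (or more) equivalent project management applications in operation, used all across the company and outside IT's purview. This creates enormous budget overlap and security weaknesses. How much sensitive data might be stored in those other applications? I can say from personal experience that this is all too common, and it may well be happening at your company.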

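Once a company brings shadow IT and SaaS access risk into the open and gains deep visibility into the full scope of its ungoverned SaaS applications, it can save hundreds of thousands of dollars a year. This approach lets the company implement a smooth process from discovery to governance across its entire SaaS application landscape and roll out proper security controls for each newly discovered SaaS application (and the data in it), eliminating shadow IT across the enterprise.

It is currently estimated that by 2022 nearly 90% of organizations will rely almost entirely on SaaS applications to run their business. In this new era of IT, the only way to fully protect today's cloud enterprise is to first discover all hidden SaaS applications and then apply the governance controls already in place for other critical business applications. Only SailPoint can help you achieve this. SailPoint is the leader in identity security, helping organizations bring ungoverned SaaS applications into the open and then apply the right security controls so that only the right people can access them. One of the things we deliver is helping IT teams quickly find and govern these SaaS applications, providing the visibility and intelligence needed to understand who has access and how it is being used, and to remove or modify overprovisioned or unnecessary access. With SailPoint, you can not only reduce SaaS risk and improve compliance but also optimize licensing costs and eliminate wasted IT spend.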

How to Incorporate SaaS Management Into Your Identity Security Program
https://www.sailpoint.com/zh-hant/blog/how-to-incorporate-saas-management-in-to-your-identity-security-program/
Wed, 07 Jul 2021 19:39:47 +0000

This blog is part two in a three-part series exploring “What is SaaS Management?” In this installment, we’ll dig into the rise of SaaS and its incremental impact on identity security, and how this impacts IT teams. You can see the first installment of the series here: The Danger of SaaS Sprawl: How Unsecured Apps Compromise Your Security.

Speed vs. security. It’s the eternal struggle for every organization. How do you empower your employees by giving them the latest tools to work faster and more collaboratively while still protecting business assets? How do you drive innovation without also increasing risk?

That’s the question at the heart of SaaS Management, something every enterprise is grappling with as companies make the move to a cloud-first environment. That is because organizations are realizing that a massive increase in SaaS usage is also leading to a dramatic spike in cyberattacks. Phishing activity is up an astounding 42% over the last year, a clear sign that cybercriminals are relentlessly taking advantage of vulnerabilities found in SaaS apps and seeking to exploit missteps by careless employees.

Stolen or compromised credentials, in fact, have become the most frequent cause of data breaches as well as the most damaging, with the average breach now costing a company more than $4.7 million. This is why SaaS Management has become so critical, as it’s essential for organizations to get complete visibility into every identity across their organization. It’s the only way to have a cybersecurity program that’s truly comprehensive, because you can’t protect what you can’t see.

Enter the Maturity Model

So how can companies begin the process of surveying their SaaS landscape, evaluating risks, and determining a path forward? Here’s a model we’ve found to be pretty typical that illustrates the phases of SaaS Management maturity across four key dimensions: visibility, usage data, security, and optimization.

Moving upwards within each category, there is a clear progression from manual and sporadic processes to those that are automated and continuous. Tier 3, for example, provides a baseline for companies looking to get started with SaaS Management, with Tier 1 representing a good example of what a fully mature program would look like.

Even for organizations without an identity security solution in place, SaaS Management provides an excellent starting point since it all begins with discovery. By doing things like outlining an overall SaaS footprint, identifying application owners, and reconciling spend, enterprises can move toward total application visibility, which is the foundation of identity security.

After gaining visibility, a natural next step is assessing SaaS usage data. This includes understanding the functions of each application and then determining who in the org is using each app, how much they’re using them, and how they’re accessing them. IT teams can then use this information to shore up security (identifying risky applications or overprovisioned users) and also address issues of spend (eliminating unused licenses, inactive users, or unnecessary apps).

A deeper dive follows: determining which apps have undergone security reviews, what permissions those apps have, which ones don’t yet have forced single sign-on (SSO) authentication, and what threats might be posed to certification or regulatory compliance. Doing this level of analysis gives enterprises a real ability to strengthen security by addressing gaps in business continuity planning (BCP) and contingencies.

Setting optimization goals is where it all leads, whether that includes getting more apps behind SSO, higher app utilization rates, reduced shadow IT, 100% security approval for high-risk apps, or more stakeholder involvement in SaaS budgets. The ultimate goal, of course, is to provide an identity program that ensures security and compliance – automatically – while also giving your users maximum flexibility as SaaS needs evolve.

The SaaS Management Jump-Start

The best news about SaaS Management is that it’s easy to incorporate. For organizations with an identity security program already in place, there’s only the question of implementation. Fortunately, robust tools are available that can be integrated seamlessly with any system. IT teams will find that adding a SaaS Management module to an existing tech stack is fast and offers immediate returns.

Similarly, for companies launching an initial identity program (or for those early in their identity journey), addressing SaaS Management first makes sense as it sets up a way to take a holistic view. By starting with the task of getting maximum visibility into your SaaS environment, this can then lead to a more strategic approach overall to managing enterprise identities and better controlling access.

With that visibility achieved, organizations will quickly begin seeing substantial benefits — both to their security profile and to their bottom line. Imagine an enterprise with no software redundancies, where every app is fully visible and its usage fully optimized, and where even the potential development of a risk, breach, or toxic combination triggers an automated alert.

This is not the company of the future; it’s what smart businesses all over the world are taking advantage of today, right now. And it’s a reality that’s achievable, sustainable, and easily within reach.

Stay tuned for the final post in this series: “How SaaS Management Powers Employee Efficiency.”

How to Prioritize SaaS Security and Future-Proof Your Identity Program
https://www.sailpoint.com/zh-hant/blog/how-to-prioritize-saas-security-and-future-proof-your-identity-program/
Wed, 07 Jul 2021 18:30:20 +0000

This blog is the final installment of our three-part series exploring “What is SaaS Management?” In this post, we’ll look at how gaining total visibility and control of all access is essential in today’s enterprise — both for reasons of efficiency and security. Check out part 1 of the series, “The Danger of SaaS Sprawl: How Unsecured Apps Compromise Your Security.” You can check out part 2 of the series here, “How to Incorporate SaaS Management Into Your Identity Security Program.”

Improving cybersecurity is an urgent need for every organization, especially as attacks increase in frequency and severity. But the struggle comes when determining which steps to take and in what order. Implementing SSO, enforcing MFA, scaling Zero Trust — these are all important parts of the solution, but how do you prioritize? What’s the single biggest step a business should take to prepare for a secure future?

It’s a future that’s been significantly impacted by the pandemic. One where entire organizations might be 100% remote, permanently. And where employees now need to access dozens or even hundreds of different business applications daily, across a wide range of environments and on every conceivable device.

Companies that solve this challenge will be the winners. But how do you do it?

The answer is, you find the connecting thread that runs through everything – all business apps, user accounts, data repositories, cloud platforms, even ERP systems – and you make sure that thread is absolutely unbreakable. That thread is identity and the focus needs to be on its security.

Tap into the Security Superpower

Identity security is the ability to manage and govern access to every digital identity within an organization. It gives companies a way to simultaneously empower their workforce with more (and better) cloud-based tools while protecting the company against constantly escalating cybersecurity threats. It’s the ultimate superpower.

This is because digital identities provide the key that allows complex computing systems to easily determine which parts of an enterprise technology landscape users should be allowed to access. Identity security should be the foundation of a strong security program and the starting point for every strategy and every tool.

Because without a strong identity strategy in place, you’re wasting time and resources on downstream tooling like SSO and MFA before addressing the source. Keeping all identities current, coordinated, and secure – at all times – is what’s essential in order to get complete visibility. And as we’ve seen way too often, not doing this invariably leads to credential theft and ultimately yet another catastrophic data breach.

As this series has explored, managing identities across SaaS applications is crucial. But there are many more pieces to this puzzle. Pieces like lifecycle management, which concerns an IT team’s ability to efficiently manage worker access as people join, leave, or change roles within a company. Or cloud governance, the degree of visibility and control that organizations have over platforms like AWS, Microsoft Azure, and Google Cloud. There’s also enterprise access risk governance, a critical part of preventing toxic access combinations that can result in serious risks and lead to compliance violations.

And there are many more dimensions to this. Like the importance of getting better visibility into unstructured data (such as company documents that are stored on Dropbox or Google Drive), the need to grant and certify access faster and more securely, even the ability to automate password resets to keep workers productive and free up IT teams. These are equally important elements of an identity program.

However, one thing is clear: Managing any one of these manually – much less all of them at the same time – is an impossible task. It’s simply beyond the capacity of even the most dedicated IT professionals. The secret is to leverage the power of artificial intelligence (AI) and machine learning (ML). Only by automating many of the elements mentioned above can organizations reap the full benefits of a comprehensive identity security solution.

Automation is Awesome


If identity security is the superpower, AI and ML are the force multipliers. They allow companies to manage all aspects of an identity program better, faster, and at scale. For example, AI can leverage peer group analysis, identity attributes, and real-time access activity to provide automated recommendations for access approvals and certifications, giving certifiers more insight to make informed decisions and prevent rubber stamping. Machine learning, meanwhile, can help a company get much better at identifying risky outliers so that potential conflicts of interest can be remediated immediately.

But perhaps the most powerful advantage has to do with Zero Trust, the security model where nothing in a corporate network is trusted by default and every access request has to be fully authenticated before being allowed. It’s a newer model that every organization needs to move to, and one that ratchets up the level of data analysis required to properly balance productivity with security. The only way to implement Zero Trust is with an identity security program powered by AI and ML, and those technologies rely on having accurate visibility into every identity across the org.

Businesses today spend a lot of time thinking about the risks posed by their competitors or by changing marketplace conditions. But as this series has explored, it’s actually the hidden risks that can be the most dangerous: compromised credentials you don’t know about that will lead to a major breach or toxic access combinations setting you up for fraud or compliance violations. Securing every identity needs to be your highest priority, and you can’t secure what you can’t see.

Isn’t it time you finally got total visibility and control over your entire operation? SaaS Management is the perfect place to start. Sign up now for a free two-week test drive of SailPoint SaaS Management and start seeing immediate benefits in efficiency and security. You can’t afford to wait.

The Danger of SaaS Sprawl: How Unsecured Apps Compromise Your Security
https://www.sailpoint.com/zh-hant/blog/the-danger-of-saas-sprawl-how-unsecured-apps-compromise-your-security/
Fri, 02 Jul 2021 20:07:14 +0000

This blog is part one in a three-part series exploring “What is SaaS Management?” In this installment we’ll dig into the rise of SaaS and its incremental impact on identity security and how IT teams are being impacted.

If there’s one thing that every modern enterprise has in common, it’s that software as a service (SaaS) is absolutely everywhere. As companies embrace digital transformation, the ease of SaaS adoption has enabled them to scale faster, react quicker, and control costs better. And the pace of adoption is only accelerating, with an estimated 90% of businesses expected to rely almost entirely on cloud-based apps in 2022.

The agility that SaaS apps provide has empowered employees to be more productive, especially during the pandemic when nearly every company on earth had to pivot to a remote-first environment. Driven by necessity, employees have been signing up in droves for cloud-based tools in order to get their work done, while IT departments are scrambling to keep up with this flood of new SaaS apps.

More SaaS Means More Risk

With so many new applications in play, the difficult task for IT and security teams is how to support this newfound flexibility while at the same time securing the enterprise and protecting its assets. How does an IT department get visibility into (much less control over) the hundreds of unsanctioned apps – often 3-4 times more than what IT teams are aware of – that their workforce is now using?

How do you tackle this rapidly growing issue of “shadow IT”?

What’s clear is that doing nothing is not an option. SaaS sprawl is only increasing, a runaway train with the potential to get even more out of control without guardrails in place. And failing to act leads directly to an exponential increase in risk: With more employees integrating sensitive data to unsanctioned SaaS apps (as well as giving them unrestricted access), countless third-party organizations likely already have inappropriate access to your corporate systems.

That means you could be facing breaches from vendors you didn’t even know had access to your data — what’s known as supply chain attacks. As regulation increases around data privacy, this could spell disaster for your team. Your organization could be facing a sudden loss or theft of critical data, along with serious privacy issues and substantial compliance fines, all because employees are using ungoverned SaaS applications you’re not aware of.

In addition to security risks, there’s also the issue of wasteful spend. The average mid-sized company spends approximately $4,379 per employee per year on SaaS. But it’s estimated that 30% of those licenses actually go underused or in some cases unused entirely. That’s an alarming example of how overprovisioning may also be leading to hundreds of thousands of dollars – millions for a large global enterprise – in unnecessary expenses. And if this seems crazy, I can assure you this is all too common for even the most sophisticated IT teams.

Get Your SaaS House in Order

So how do you get started? First of all, taking a manual approach is setting yourself up for failure. There’s simply no way that a human using a tool like a spreadsheet could stay on top of things; the SaaS landscape at an enterprise is changing on a daily basis. By the time any sort of survey is completed, it’s already out of date. And even if there were a way to conduct manual audits faster, what about those apps that employees have forgotten about (or won’t disclose)? How would all of those be discovered?

The answer is automation: specifically automated discovery and management. By leveraging an automated tool with these capabilities, organizations can finally get continuous and accurate visibility into their entire SaaS environment — a complete, real-time picture of every single SaaS app in use. This is called “SaaS Management” and it’s something every enterprise needs to get a handle on. Because this visibility provides the foundation companies need in order to have a successful cybersecurity program.

It’s a degree of insight that allows controls to be put in place to govern all SaaS access, manage identities across every app, control software spend more effectively, and ultimately reduce risk. And that risk includes both the danger of having sensitive data stored in unsecured applications as well as employees being overprovisioned with access they don’t need or shouldn’t have.

SaaS Management addresses these issues head-on, allowing enterprises to take a proactive approach that has a positive ripple effect across the company. Imagine IT, Finance, Procurement, Sales, and Marketing all being in total alignment around what apps are in use, who’s using them, how they’re being used, and how much they cost. That’s a powerful competitive advantage for any company looking to innovate and grow.

The Path to SaaS Security

Before taking action, some strategy is needed since a quick-fix solution won’t pay off in the long term. What companies need to do is think holistically – how does SaaS Management fit into an overall cybersecurity program? – and that means incorporating it as part of a comprehensive identity security strategy. The good news: Not only does a fully automated solution like this already exist, but its success has been proven again and again by leading global brands.

It’s the secret to permanent SaaS security you need to know about.

Stay tuned for the second post in this series: “Why SaaS Management Matters for Your Identity Security.”

Two Steps Ahead: A Momentous Time as SailPoint Acquires Intello
https://www.sailpoint.com/zh-hant/blog/two-steps-forward-a-momentous-time-for-sailpoint-with-the-upcoming-acquisition-of-intello/
Fri, 02 Jul 2021 19:37:58 +0000

If you hopped into a time machine and followed SailPoint’s journey in the last 15 years, you’ll see that our approach to innovation has been integral in how we’ve constantly evolved identity security. Our goal is to meet and exceed our customers’ pressing identity needs year after year. It’s one of the main things that drew me to SailPoint when I joined the team last spring. We are innovators, and SailPoint seems to be redefining identity security at each phase of growth.

Unsurprisingly, we’re at it again, kicking off 2021 with an important acquisition that speeds our ability to innovate, addressing a very important area of looming risk for today’s enterprise: the rapid growth of SaaS applications, the way they connect to company data, and the fact that they often grow up outside of the traditional IT organization. The company is called Intello, and they have developed a SaaS management platform that helps organizations discover and manage all their SaaS apps, uncovering the Shadow IT that is currently outside of IT’s purview.

This acquisition is critical for many reasons. The first reason is that it is estimated that by 2022 nearly 90% of organizations will rely almost entirely on SaaS apps to run their business. How do you protect all of that if you can’t see where it exists or who has access? With Intello embedded into our SailPoint Identity Platform, we will help organizations to discover all these SaaS apps and then manage access to them, just like they already do for their other critical apps and systems. We are here to enable our customers to run, not force them to walk as they pivot to the demands of doing business in the modern world.

But I digress. In a nutshell, here’s why this is important for our customers today and in the future.

It is a growing trend that companies lack visibility into what SaaS apps exist across the business and who or what has access to them. Today’s workforce is much more SaaS-centric than it was even a year ago, and by all accounts, this will continue to trend upward. While the digital transformation has been years in the making for many organizations, COVID-19 and the global pivot to virtual working has sped up the transformation at lightning speed. I recently spoke with a CISO who told me that they rapidly deployed over a dozen apps when their offices shut down, and they were now feeling the effects of “SaaS bloat.”

This shift to remote has compelled many workers, in their quest to work smarter and faster, to download and use unsanctioned SaaS apps at a record pace with no oversight by IT (this is the Shadow IT or the Shadow Access I mentioned earlier).

Now that you have the lay of the land, all this has contributed to an ungoverned and unprotected SaaS universe and represents a new area of exposure: the growing lack of visibility into who has access to what SaaS apps (and the data within). In this new era in IT, the only way to fully protect today’s cloud enterprise is by first discovering all of these hidden SaaS applications and then applying the very same governance controls that are already in place for the rest of their critical business applications.

We accomplish this with Intello.

Through this acquisition, SailPoint will help organizations shine an identity security light on their ungoverned SaaS apps and then extend the right security, governance, and cost controls to those apps. I’ve been so impressed—and a little scared—to see the gaps that Intello has unearthed for its customers: unauthorized email plugins that have the ability to read and send company email, unfamiliar plugins for messaging platforms that can read messages, or unused access that presents a security risk—as well as costing the company tens of thousands of dollars a month!

As in the last decade, this latest move shows SailPoint’s commitment to securely enabling the digital enterprise and the demands they face in order to scale. As we step into 2021, we will continue to strengthen our cloud governance offering to help them accomplish just that, which sets us apart as the leader in the industry. Another two steps ahead in our marathon to help organizations stay secure now and in the future, whatever comes their way. We’re here for our customers every step of the way.

Two Speeding Trains: The SaaS Race and Securing Unstructured Data
https://www.sailpoint.com/zh-hant/blog/two-speeding-trains-the-saas-race-and-securing-unstructured-data/
Fri, 18 Jun 2021 19:35:51 +0000

Remember that age-old SAT question: “if two speeding trains are heading in opposite directions at different speeds on the same track, how long will it take for them to collide?” In many ways, this feels like the reality of enterprise IT today when it comes to SaaS application adoption. The use of SaaS applications continues to speed up, but the ability for companies to protect all of that data can’t keep up with the pace.

On average, there are 3 to 4 times more SaaS apps in use at a company than the IT department is aware of, and it’s estimated that by 2022, 90% of enterprises will rely on SaaS apps to execute business objectives. It’s the lack of visibility into SaaS apps that’s the issue, coupled with who has access to both the apps and the sensitive data within, that really highlights the gaping holes in a company’s security posture.

Oftentimes, organizations are not extending their identity security policies to include both the access their workforce has to SaaS apps and the data stored in those apps. While SaaS applications house large volumes of structured and unstructured data, it is the unstructured data that gives companies the biggest headache. That’s why unstructured data is a leading contributor to the rise in security compromises, eventually leading to a train wreck of massive proportions.

To better understand the state of unstructured data and surrounding security practices, we recently conducted a survey with Dimensional Research. We found more than 9 out of 10 companies are in the process of moving their unstructured data to the cloud. Furthermore, approximately 76% of companies have encountered challenges with protecting unstructured data, including unauthorized access, data loss, compliance fines, and more.

Nearly every company surveyed reported managing access to unstructured data was difficult, citing numerous challenges such as a lack of a single access solution for multiple repositories, too much data, and lack of visibility (into access, where data lives, who owns it, etc.). Additionally, more than 4 out of 10 companies admitted they don’t know where all of their unstructured data is stored.

Given these numbers, it is unsurprising that a Canalys report found companies are spending record sums on cybersecurity to protect the rapid digital transformation we’ve experienced over the last year. Yet, the number of successful attacks continues to be higher than ever. Specifically, Canalys reported that “more records were compromised in just 12 months than in the previous 15 years combined.”

It is easy to connect the dots between these findings and the rise in cloud adoption, the unstructured data that resides in the apps and systems in the cloud, and IT’s attempts at securing this monster network of information. Our survey also found more than a quarter of companies fail to perform regular reviews of user access privileges. What’s more, one-third of companies lack real-time alerting when unauthorized access occurs with unstructured data.

The encouraging part is that by extending identity security at the implementation stage to manage data access, many processes can also be automated to expedite access certifications and feed information to your identity solution. When IT has all the information of an organization’s users and their access – to both applications and data – they have the power to quickly make the right decisions in the event of a data breach.

As a former CISO, I know how hard it is to keep a watchful eye over a company’s entire digital ecosystem, especially given the rapid acceleration of cloud adoption and pivot towards SaaS structures. This security pain point is something SailPoint understands well and why we recently took steps to ensure we can continue to help our customers mitigate risk, now and in the future, with our acquisition of Intello.

Good leaders know that their people come first, but the data that drives their business is a close second. Many IT leaders I talk to struggle with securing unstructured data – or worse, are not considering it as part of their overall approach to identity security, which is a huge miss. I think some of this concern might fall by the wayside if we smartly align our security practices to the trends predicted and stop these racing trains before they collide.

Go here to download the report.

Protecting Today's Corporate Digital Identity with Identity Security
https://www.sailpoint.com/zh-hant/blog/protecting-todays-corporate-digital-identity-with-identity-security/
Wed, 17 Mar 2021 15:10:27 +0000

如今,我們就像保護皮夾和裡面的物品一樣,嘗試保護自己的數位身分。我們藉由數位身分進行每日工作,像是登入銀行帳戶以支付帳單、檢視 Facebook 頁面的通知,或安排 UberEats 晚餐配送。但另一方面,我們也有工作方面的數位身分。此類數位身分能證明我們與自身所稱相符,也與我們工作所需的大量不同應用程式和資料相關。現在,想想企業員工及其各種數位身分的數量。  公司內部使用者身分的匯總,構成了公司本身的數位身分。

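To truly secure the "corporate digital identity" (that is, the company's PII), companies must rethink how they protect their digital workforce. Otherwise, every employee can quickly become a target for hackers and a threat to corporate security.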

Let's illustrate this with a very well-known real-world example.

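When the pandemic began in March 2020 and everyone went into lockdown, almost every organization rushed to switch to a virtual work environment. Under enormous pressure to make employees productive while working from home, organizations overlooked the security controls needed to protect their operational assets. In many cases, companies that had not connected access with the protection of digital identities left the door wide open to risk.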

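Whether or not they move to a virtual work environment, companies must think about how to properly secure access so that technology can be used safely. Who should be granted access? Do they actually have a legitimate reason to use that access to do their job? How long does the employee need to hold the access? Can the access be disabled after a short time, or must it remain open long term? Can this access be granted when the person also has access to other systems? If a company opens the door without adding a layer of protection and risk mitigation around access, it cannot answer these questions with certainty.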

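Think of it this way: at home, would you throw a party without a proper security system? Would you let people into your house without locking the bedroom door to keep others from going through your personal belongings, without a safe in the closet to protect your finances, and without an alarm on the back door to alert you when someone opens it and tries to slip away? Letting friends and acquaintances into your home is one thing, but even friends do not need to know your personal details. We put security measures in place to protect our privacy.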

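Just as a home security system keeps strangers out, identity security (that is, identity governance) is the enterprise's "security system". Granting access through access management is only the front-door security, or the "doorman", that physically keeps uninvited people out; once someone has been let into the house or the organization, access management cannot control what they do with your belongings. Letting people into the lobby is easy. No watching. No managing. No protecting.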

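The key is to focus on ensuring usability and security at the same time: provide access to important technology and tools, but also control that access appropriately. Today, it is important to understand which employees need specific access, then to modify that access when their role changes, and to restrict or even revoke it when they no longer need it. These controls must be in place before the door to technology is opened; otherwise it is like putting a welcome mat at the front door that invites hackers into your business.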

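The good news is that more and more companies have recognized this reality and put identity security at the top of their list of business priorities. Returning to the pandemic, the shift to remote work has in fact highlighted how important it is for today's companies to adopt identity security. The companies that came out ahead at this rapidly changing inflection point are those that put identity security at the foundation of their business.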

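Identity security has become an essential element of risk management, and it is the most reliable way for companies around the world, now and in the future, to fully protect the "corporate digital identity".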

OGE Energy Brings Identity to the Cloud https://www.sailpoint.com/zh-hant/blog/oge-energy-brings-identity-to-the-cloud/ Tue, 09 Mar 2021 21:54:10 +0000

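When it comes to the word "reliable", electric utilities usually think first of this: people expect the lights to come on when they flip the switch. After all, without electricity, modern society would barely be able to function.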

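Like every other organization, energy utilities face all kinds of business and technology challenges, but they must also keep their critical infrastructure secure and operating properly. Perhaps precisely because they have to deliver "uninterrupted service", many utilities are very good at striking the balance between security and service delivery.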

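In security work, one important foundation is making sure employees and contractors are granted the appropriate level of access to applications and systems. These applications and systems not only run the utility's business, they also have to maintain the highly regulated environment that drives operational processes and critical infrastructure. "Controlling access to our operational environment is a major challenge. It has to satisfy three elements at once: organizational capability, industry best practice, and regulatory requirements," said Ian Anderson, manager of enterprise security at OGE Energy Corp, an integrated electric utility.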

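OGE Energy Corp. is a publicly traded integrated electric utility headquartered in Oklahoma City. It serves customers throughout Oklahoma and in parts of Arkansas, including the 1.5 million residents of the Oklahoma City metropolitan area. OGE Energy has to comply with strict state and federal regulations. For example, Anderson said: "On the business side there is a strong emphasis on implementing Sarbanes-Oxley, and on the operational infrastructure side we have to comply with the regulations set by the North American Electric Reliability Corporation (NERC-CIP)."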

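To achieve and maintain the level of security OGE Energy needs, and to meet the compliance requirements of Sarbanes-Oxley and NERC-CIP, the key is effective identity management.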

The challenge: scaling and automating identity management

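As the company grew and the hiring market evolved, the regulations OGE Energy faced became increasingly complex, and the identity team saw the need to strengthen its identity management and governance processes. Anderson explained that a growing headcount and increasing demand for short-term contract labor put much more pressure on manual identity management processes.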

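"Our user base used to be very stable," he explained. "But in today's market, it has become normal for people to come and go freely. That is a good thing, because our business units can take advantage of it to meet short-term skill needs, but the identity management team has to rearchitect its services to scale and automate," he said.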

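As it happens, greater workforce mobility, combined with the use of cloud computing, also made the team's identity work more complex. "Users being everywhere is another challenge we face," Anderson said. He added: "They work in the office, at home, or on the road. We have to be with them at all times. Our goal is for our services to be wherever the business is, helping to achieve the organization's goals in a secure and confidential manner."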

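In addition, because manual provisioning and related identity management processes were mostly carried out in specialized applications, the identity team had to be proficient in many kinds of access management activities. "Having people so narrowly specialized added pressure on the team, and it made otherwise simple things, like covering for someone who is on vacation, very difficult," he explained. Anderson said that because the processes themselves could not scale, keeping up depended on the identity team substantially increasing its manpower.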

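Anderson and his team wanted an identity platform that could automate identity processes, make it easier across the board for users to request or receive application access, eliminate siloed identity management work, and give the company the ability to know and control exactly who has access and what they can access.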

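"Identity is the new front line of defense, and as the company continues to grow and gradually moves to a hybrid cloud and on-premises environment, we have to provide users with the appropriate level of security," Anderson said. The added benefits of automation, together with an identity platform that helps improve the team's efficiency, let the team lighten its workload and focus on more strategic initiatives rather than operational support.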

Moving identity governance to the cloud

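Identity lets OGE Energy Corp. automate its processes, improve the user experience, and eliminate siloed identity work. Just as importantly, SailPoint's IdentityNow unifies identity management processes across cloud, mobile, and on-premises systems, enabling identity governance even in a hybrid IT environment.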

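In addition, the first identity governance initiative the team pursued was to automate and streamline its manual access certification process. "We rolled out certifications right away. That immediately saved us all the time we used to spend on certifications. We can put that time into improving our identity program," he said.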

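Anderson said the identity strategy has helped the OGE identity team effectively streamline the company's identity management and governance work. Before IdentityNow, identity team members needed days to provision a new account for a contractor. That process has been cut to less than 15 minutes. The identity team plans to keep adding new integrations to shorten account provisioning time even further.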

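Looking ahead, Anderson and the identity team will keep refining their identity management processes, for example by strengthening password management, until they eventually arrive at role-based access control. As Anderson put it: "We have come a long way, but we have to keep improving."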

Getting Started with Identity Governance https://www.sailpoint.com/zh-hant/blog/getting-started-with-identity-governance/ Fri, 19 Mar 2021 19:21:54 +0000

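As identity governance becomes a mainstream concern, many companies still have only a partial understanding of which features and capabilities fall within its scope. Last week, Jackie published an article in Computer Technology Review titled "Gaining Visibility and Control with Identity Governance: A Guide to Getting Started", hoping to deepen companies' understanding of the technology. One passage in the article outlines the basic capabilities a sound identity governance solution should have: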

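  1. Data aggregation and correlation: The first step in identity governance is to centralize control of the company's identity data. This process pulls data from high-risk systems and applications, builds a single repository of user and access information, eliminates inconsistencies between data sources, and creates an enterprise-wide view.
  2. Automated access certification: The solution must let the company automatically and routinely review and certify user access to all critical resources, ensuring users have the appropriate access needed to perform their job duties and reducing overall risk and the likelihood of violations.
  3. Policy enforcement: To be effective, an identity governance solution must identify and centrally manage access policies so that business policies such as separation of duties can be enforced across all critical resources.
  4. Role lifecycle management: The solution must help automate the creation of roles that align users' business and job functions with user access controls, and manage each role's lifecycle from creation, modification, and approval through to retirement when necessary.
  5. Access request management: The most innovative identity governance solutions make it easy for managers and end users to request new access or change existing access within the limits of predefined identity policies and role models, and must be able to automate the approval and review of those requests.
  6. Risk scoring and assessment: Evaluate how (or even whether) a solution can quantify user and resource risk across the whole IT environment and prioritize security and compliance work accordingly.
  7. Reporting and analytics: To bring business managers smoothly into the governance process, a basic identity governance solution uses dashboards, reports, and ad hoc query capabilities to strengthen oversight and provide evidence of effective control.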

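To help companies work through the complexity, answer their questions, and grasp the keys to building a successful identity governance strategy, SailPoint wrote the article "Selecting the Right Identity Governance Solution". Whether you want to understand business requirements or to prioritize deployment steps and evaluate solutions, you can find answers there. We wrote the buyer's guide and article to help address your particular business needs and to determine how (or whether) identity governance can help.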
