Enterprise Identity and Access Governance
Date: May 11, 2018
Much of enterprise cybersecurity governance has been closely tied to incidents of undesired access, and has therefore typically been treated as incident-driven. Governance has also been a manual process: data for the various internal and external enterprise activities is collected and presented by hand, which leaves a wide window of risk during an extended period of non-compliant access. Moreover, the manual way of achieving governance is time-consuming, error-prone and highly disruptive.
Automated and periodic governance through bespoke solutions:
Automated, periodic governance through bespoke solutions has been marginally better at meeting the compliance and governance needs of the enterprise: automation helps create certification platforms that run periodically to ensure timely data gathering and hence compliance, a broad business activity classified under Identity and Access Governance (IAG). IAG solutions of this kind address customer requirements that go beyond identity administration. IAG tools seek to deliver Identity and Access Management (IAM) directly to the business or end user, rather than to the operational IT administrator. They also provide, for the first time, the features needed for IAM to be part of an enterprise IT governance program. Many of these governance-centric features focus on collecting and delivering the right kind of intelligence to business and IT users, so that they have better governance over the life cycle of the identities used for access. However, despite their ability to detect certain user events for compliance activity, automated and periodic IAG solutions fail to catch the multiple crests of non-compliant or undesired access that occur during the periods when they are less active or in the time zones in which they are not run.
Enterprise Software Ventures to provide streamlined solutions:
There is an opportunity for enterprise software ventures to solve the problems described above and provide streamlined solutions (built in a more ground-up and intelligent way) for how users in an organization access Information Assets (Systems, Applications, and Data). The proposed solution should support organizations in better governing their information assets, help them measure or quantify whether those assets are free from risk, and ascertain whether access to information assets violates the needs and/or permissions of a job function. The product should be capable of providing insight into user behavior after access is granted, and into the usage of critical resources and restricted organizational data.
Because attrition in IT companies is as high as 15%, it is critical to ensure that ex-employees’ access to internal information assets is terminated efficiently and on time. By combining intelligence on who can access what, when, and for how long with the access changes occurring on a data asset that is tagged critical, a new venture can provide a complete, 360-degree view of access and of the risks posed to enterprise data.
PS: We flagged the growing importance of IAM in 2014, a year before Series A and Series E investments in cybersecurity and IAM startups jumped from 18% to 28% and 14% to 23% respectively (ref. CB Insights data).
“Investors seem to be showing less interest in single-point solutions, and instead favoring more comprehensive cybersecurity platforms that reduce businesses’ need to manage many disparate cybersecurity vendors. However, there are some exceptions to the trend. In the IAM category, much like the trend in cybersecurity as a whole, early-stage (seed/angel and Series A) investments are in decline. Investors are betting less on young cybersecurity companies and shifting their focus to later-stage investment opportunities.” – CB Insights, 28th October 2016