What Identity Analytics really is and why you need it

IT security’s advent: the “identity” concept as key factor

Digital transformation has changed, and keeps changing, business processes, job positions and many companies’ core activities. As a consequence, it has also changed the way we need to mitigate risks.

Risk mitigation existed long before digital transformation, but it mainly relied on manual processes, on risk management spread across departments (and therefore on silos) and on analyses of samples. That approach no longer works with today’s digital transformation, which often moves too fast for companies to adapt properly to new risks, IT risks in particular. Most of them have no visibility on what matters most: their users’ access rights to the information system, user behaviour and existing security breaches.

The financial cost of IT security incidents, whether data theft or internal fraud, keeps rising. According to a 2016 Ponemon Institute study, the cost of data leakage rose 30% between 2013 and 2016 in the 12 countries surveyed. Companies are paying a high price for the rise of cyber risks, but what about their investments to prevent these threats and mitigate these risks?

Organizations need to ensure efficient and continuous risk detection and mitigation. They need to know which risks threaten them, including the risk of human error, which is constantly underestimated even though it was the source of 1 out of 4 data breaches in 2016 (2016 Ponemon study).

Companies are becoming more conscious of cyber risks and of the need to reduce them through IT, but many doubt their ability to really identify who accessed their sensitive data and applications. Indeed, that is where the main stakes lie: knowing who has access to what, and who accessed what, in your information system. This is about cyber resilience: ensuring cyber security together with productivity and innovation.

Becoming cyber resilient means focusing on identities, that is, on individuals. It is through individuals that secure digital transformation projects unfold, and through individuals that cyber attacks happen. Risk analysis, detection and mitigation need to be built around this identity concept, and that is what Identity Analytics is all about.


The rise of Identity Analytics

Digital opportunities should not make you forget that significant risks are generally attached to them. Take the classic iceberg metaphor. The visible part represents the digital and cyber risks everyone knows about today: ransomware, viruses, etc. But these are not the most important or threatening ones. The risks underwater, invisible to most of us, are the most threatening and the most frequent for organizations, and they are the ones to target first and foremost.

With Identity Analytics you can answer the question “which resources can these users access, how, and how are they using these access rights?”, and this is what matters to secure a business environment. It means conducting in-depth analytics in a contextualized environment, with HR and technical data reconciled. Audit and internal control tasks, proper analyses, access reviews and clear reporting processes at last become possible on one platform centred on the identity concept.


Regarding digital transformation and cyber security, the notion of identity crystallizes opportunities, threats and solutions all in one. It is the key concept companies need to understand fully and implement.

With Identity Analytics, companies can more easily mobilize their resources and think transversally, beyond silos, to achieve both business development and efficient risk management. All actors, internal and third parties, need to engage in this process. This collaboration and communication matters all the more because cyber incidents are hard to detect: on average it takes companies several months, close to a year, to detect a breach or suspicious activity. Organizations need to watch for unusual user behaviour, for example, but most do not have the maturity and resources to do so.

Identity Analytics has developed over the last 10 years and continues to rise as companies worldwide realize that traditional cyber security methods and tools are no longer suited to their needs, and can even become harmful by exposing them to risks they cannot detect or prevent.

Identity Analytics is still misunderstood, or rather unknown, but this is changing. Meanwhile, significant cyber security players have tried to hijack the term and use it for other things, such as SIEM features. Identity Analytics is not about real-time detection; it is about enabling you to better analyse risks, prevent threats and ensure compliance by focusing on your key asset, and your key threat: identities.


Brainwave GRC’s Identity Analytics solution includes advanced in-depth analytics, machine learning and workflows to reduce access-related risks and ensure continuous compliance for all organizations.


Is IAM outdated? Why you need to study alternatives

15 years of IAM: the end of an era?

IAM projects have blossomed since the early 2000s and most large companies have implemented one. Unfortunately, for most organizations a significant gap appeared between the benefits they hoped to get from their IAM projects and what they actually got, or rather did not get. Many aspects initially planned were never implemented, or required custom developments whose in-house specifications have prevented any evolution or upgrade since.

Companies initially launched IAM projects to provide an efficient answer to their risk and compliance challenges through automation. Unfortunately, this resulted in a focus on operational efficiency, leaving out risk mitigation in the long run.

Today, IAM’s domination is coming to an end, as business and security needs evolve much faster than massive IT projects such as IAM programs can. Disillusion, constraining IT architectures inherited from these projects, and a lack of clearly defined goals and perimeters from the start are some of the main reasons why IAM systems alone are no longer enough.

Organizations need something else, something more, today: not only to ensure proper access management, but also to implement access governance and continuous compliance and to reduce security risks that keep increasing every year.

Getting rid of silos and connecting access management to the rest of the information system is essential. Keeping things simple and making technical and business actors work together as much as possible are some of the key recommendations for a fresh start. Working in silos is no longer possible: services and departments within a company are more and more connected, organizations belong to a wider network and need to communicate across the board. Silos are no longer accepted, yet IAM projects have most often been built exactly that way.

That is why they are so hard, and in many cases impossible, to make evolve: they cannot be connected and often include in-house specifications that prevent their upgrade. In many cases, making your IAM solution evolve amounts to as much work as implementing a new one.

Thus, when discussing IAM strategies and projects, it appears as if nothing has changed over the last ten to fifteen years. With the surrounding environment evolving – new risks, new ways of consuming IT – there is a need to reassess the way companies leverage their IAM programs, in terms of services, technology and organization.

Understanding why IAM projects often fail

In a traditional Identity and Access Management approach, the focus is on connectors, meaning access fulfilment and automation. Other IAM services that should be included are too often considered secondary and never really implemented.

Most companies’ experiences with IAM projects look alike: very long projects, weak visibility on the software’s fit with business users’ needs, budgets and deadlines pushed way beyond the limits set at the start. The delivered value is most often not what was expected; for most organizations the project’s scope has shrunk and very little automation has been implemented.

Another very important aspect: access-related risks are not handled by IAM solutions, yet they represent significant security risks for any company, from both external and internal threats. With these risks rising, companies no longer have a choice and need to mitigate them through efficient access governance.

Knowing your information system as a whole (its users, their job positions and access rights, their usage and behaviour) is now necessary, and IAM solutions cannot handle this.


What you need to succeed

Changing IAM solution, making yours evolve with your business needs or studying alternatives: all these options require you to apply best practices to make sure you choose the right one.

What you need to pay attention to: ensure a proper user experience, make sure the solution can evolve with your business needs, treat data quality and controls automation as key components, and perhaps examine why you do not need IAM provisioning that much to ensure proper access management.

In addition, here are 3 key factors for success:

  • a unique platform to process end users’ requests
  • technical tools relying on standards
  • transversal solutions for audit, reporting and control


These 3 key factors will enable you to break silos and cover all the processes you need: information browsing, request input, validation workflows, provisioning and technical actions, as well as reporting, audit and control.

This will enable you to operate transversal processes and break 4 key silos: IT & logistics, IAM for application access, unstructured data and, last, ERPs.

You may ask, is this really possible? Do cross-system and cross-application solutions already exist? Indeed, some organizations are currently studying and implementing alternatives to the traditional IAM approach, and the results are promising.


Studying alternatives: a new paradigm with Identity Analytics

There is adequate and proven technology on the market to support this approach, and organizations can choose among several options according to their business needs and environment.

Some companies are examining alternatives to the traditional IAM model, such as replacing IAM with a meta repository. What deserves attention, though, are the other components of these options: ITSM tools and Brainwave Identity GRC, as an Identity Analytics solution, are included in many alternatives, some of which do not even include an IAM solution.

Usually, an IAM solution does not cover what was initially needed, and access governance as well as access-related risk mitigation are left out. With these alternatives, some companies are starting to see how to meet their evolving needs outside traditional IAM and its costly projects.

Nevertheless, the point is not to conclude that IAM projects are all failures, which is far from true, nor that Identity Analytics coupled with ITSM is THE alternative. IAM and Identity Analytics are complementary, and companies need to make them work together to reach both their prime goals, operational efficiency and risk mitigation, on a continuous basis.

5 reasons why access-related security is key to hybrid ERP transformation

Hybrid ERP: the postmodern transformation for ERPs

Postmodern ERPs are the new form of ERP systems, no longer coming only from single-instance megasuites such as SAP or Oracle. ERPs are now hybrid (a megasuite on-premise, but also partly in the cloud) or even fully outsourced.

Analysts have been watching this rising phenomenon for several years, and it is now here: hybrid ERPs are not hype but are becoming the norm, year after year. Indeed, according to a Gartner study, within 3 years fewer than 1 out of 5 multinational companies will still have a single-instance megasuite ERP system.

ERP transformation projects are launched for various business needs, from adopting a new cloud-based marketing or HR management solution or a new SaaS CRM such as Salesforce, to conducting a major ERP renovation after years with costly megasuites.


Paying attention to security risks to ensure success and business goals

The enthusiasm such projects bring, and the business stakes, should not make you forget that security risks will probably rise with your company’s transformation projects. With ERPs moving to the cloud and, in most cases, spread between on-premise and cloud-based applications, new risks appear and more actors are involved.

Here are 5 reasons why you need to put access-related security at the top of your priorities for your hybrid ERP:

  1. Greater lack of visibility over applications and business processes
  2. Higher risk of frauds and human errors with more actors involved, including numerous third parties
  3. Greater risk of data quality and management issues with multiple data sources and formats
  4. Less control over HR movements, access rights management and the activity of users regarding these access rights
  5. Harder to ensure audits and controls over access rights and user activity at a satisfying frequency (larger and more diversified perimeter)


The solution? A proper access-rights security policy, collaboration and Identity Analytics & Intelligence

With hybrid ERPs becoming the dominant ERP model, the security stakes are high and need to be handled properly. Defining a relevant and realistic security policy is only one of the steps that will ensure the success of your transformation projects. The other steps? Enabling and encouraging collaboration between IT and business units in order to reduce the risks related to data collection, transmission and processing, but also to conduct efficient and easy access certifications as well as regular controls.

Which risks are often underestimated? Access-related risks in Active Directory, SoD conflicts, or even your CRM. With the proper tool you need to ensure 360° visibility over access rights and how people use them in your company, including contractors and interns. The risks range from a high number of dormant accounts and ex-employees whose access rights are still active in some applications, to SoD risks with users able to perform incompatible actions over the Purchase-to-Pay business process.

The need for a cross-applications and business process view for risk analysis and remediation but also controls and access reviews is stronger than ever with a hybrid ERP. Are you ready?
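The reconciliation of HR and technical data described in the first article, and the dormant accounts and ex-employees with live access mentioned just above, come down to one join: every account in every application is matched to an HR identity, and whatever does not match cleanly is a finding. The following is an added example written for this page, not Brainwave GRC code: the HR rows, the AD and SAP account extracts, the field names and the 90-day dormancy threshold are all constructed to show the technique.

```python
"""Reconciling an HR roster with account extracts from several applications.

Added example, not Brainwave GRC code: the HR rows, account extracts, field names
and thresholds are all constructed here to show the technique."""
from datetime import date


# Constructed HR extract: one row per identity, with the employment status.
HR = [
    {"emp_id": "E100", "name": "Alice Martin", "status": "active", "type": "employee"},
    {"emp_id": "E101", "name": "Bob Durand", "status": "inactive", "type": "employee"},
    {"emp_id": "C200", "name": "Chen Wei", "status": "active", "type": "contractor"},
]

# Constructed technical extracts: accounts from two applications. "emp_id" is the
# correlation key to HR (empty when the account was created outside the joiner process).
ACCOUNTS = [
    {"app": "AD",  "login": "amartin",    "emp_id": "E100", "last_logon": "2017-05-30", "enabled": True},
    {"app": "AD",  "login": "bdurand",    "emp_id": "E101", "last_logon": "2017-01-10", "enabled": True},
    {"app": "AD",  "login": "svc_backup", "emp_id": "",     "last_logon": "2016-08-01", "enabled": True},
    {"app": "AD",  "login": "old_temp",   "emp_id": "",     "last_logon": "2015-03-01", "enabled": False},
    {"app": "SAP", "login": "BDURAND",    "emp_id": "E101", "last_logon": "2016-12-20", "enabled": True},
    {"app": "SAP", "login": "CHENW",      "emp_id": "C200", "last_logon": "2017-02-01", "enabled": True},
    {"app": "SAP", "login": "BATCH_01",   "emp_id": "",     "last_logon": "2017-05-31", "enabled": True},
]


def reconcile(hr, accounts, today, dormant_days=90):
    """Join accounts to HR identities and flag the access-related risks.

    `today` is an ISO date string. Returns a sorted list of (app, login, finding):
      orphan       - enabled account with no HR owner
      ex-employee  - enabled account whose HR owner has left
      dormant      - enabled account unused for more than dormant_days
    Disabled accounts are skipped: they carry no access risk today.
    """
    people = {p["emp_id"]: p for p in hr}
    as_of = date.fromisoformat(today)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        key = (acct["app"], acct["login"])
        owner = people.get(acct["emp_id"])
        if owner is None:
            findings.append(key + ("orphan",))
        elif owner["status"] != "active":
            findings.append(key + ("ex-employee",))
        idle = (as_of - date.fromisoformat(acct["last_logon"])).days
        if idle > dormant_days:
            findings.append(key + ("dormant",))
    return sorted(findings)


def summarize(findings):
    """Count findings per category, the figure an access review report starts from."""
    counts = {}
    for _, _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(HR, ACCOUNTS, today="2017-06-01")
    for app, login, kind in results:
        print(f"{app:4} {login:12} {kind}")
    print(summarize(results))
```

Run as of 2017-06-01, the constructed data yields two orphan accounts (the SAP batch user and an AD service account nobody in HR owns), two accounts still enabled for an employee HR marked inactive in January, and four dormant accounts, one of them belonging to an active contractor. Each of those is a review item; none is visible from a single application’s own console.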


Controls automation: auditors and internal control’s key to success?

Why and how should a company automate controls?

The reasons to automate control processes will logically depend on the company’s context and security challenges. Fighting fraud is one of the main reasons organizations implement controls automation today, but it is not the only one. Here are a few of them:

  • Focusing on fraud risks

The goal here is to reduce fraud risks, often over large data volumes. The stakes are gaining full visibility over fraud risks and the implementation of the segregation of duties policy, but also ensuring that controls are properly operated and cover all the critical applications and business processes where fraud risks are very high.

  • Targeting sensitive business processes

For some companies, the prime focus needs to be on preventing risks at the level of their most sensitive business processes, such as Purchase-to-Pay. Security risks, fraud among them, are often significant at the business process level, within and between applications and systems, but companies often focus only on risks linked to IT infrastructure and on fraud risks within a single application.

  • Improving data analysis

The goal here is to implement proper data governance efficiently and broadly through automated controls. Controls over applications are a priority in this context and need to meet security requirements such as proper privileged account management and efficient access rights governance.

What are the benefits?

Controls automation can provide many benefits, here are the main ones:

  • Optimizing control processes, which companies strongly need as they face rising regulatory requirements and pressure from control and compliance authorities.
  • Reducing security risks within applications and at a business process level
  • Reinforcing internal audit and control’s position within the company

Automating controls lets internal audit and control teams save significant time, money and energy by no longer operating their controls manually in Excel spreadsheets with over fifty tabs. With controls automation, they can focus on the most critical security and compliance stakes and risks that truly need their time and attention.


Are there limits to controls automation, and how can you move past them?

Automating controls at the scale of an application, a system or a whole business process requires special attention to a number of topics, so that a company can avoid limitations and evaluate whether it is ready to automate all or part of its control processes.

Here are a few of the topics you should pay attention to:

  • Your applications’ maturity

Automating controls properly depends on your applications all having the same “maturity” level.

  • Risks moving upstream or downstream

By automating controls, there is a risk that security issues get displaced. An example of a risk moving “downstream” is inefficient analysis and correction of the discrepancies the controls raise.

  • Automated controls staying relevant and answering internal audit’s needs over time
  • Segregation of duties

One of the keys to controls automation is implementing proper segregation of duties at the business process level, within and between applications and processes in the IT systems.
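An automated SoD control at the business process level, as this section and the hybrid ERP article (incompatible actions over Purchase-to-Pay) describe it, differs from an in-application check in one step: technical entitlements from each application are first translated into business activities, and only then are toxic combinations evaluated per identity. Below is an added example written for this page, not Brainwave GRC code; the SAP role names, the bank portal roles, the activity mapping, the SoD rules and the entitlement extracts are all constructed for illustration.

```python
"""Automated segregation-of-duties control over the Purchase-to-Pay process,
evaluated across applications rather than inside a single one.

Added example, not Brainwave GRC code: the role names, the activity mapping,
the SoD rules and the entitlement extracts are constructed for illustration."""
from itertools import combinations

# Constructed mapping from a technical entitlement in a given application to the
# business activity it grants. Building and maintaining this map is the
# reconciliation work; without it SoD can only be checked inside one application.
ACTIVITY_MAP = {
    ("SAP", "Z_MM_VENDOR_MAINT"): "maintain_vendor_master",
    ("SAP", "Z_MM_PO_CREATE"): "create_purchase_order",
    ("SAP", "Z_MM_GR_POST"): "post_goods_receipt",
    ("SAP", "Z_FI_INVOICE_ENTRY"): "enter_invoice",
    ("BankPortal", "PaymentApprover"): "release_payment",
    ("BankPortal", "PaymentViewer"): "view_payment",
}

# Constructed SoD policy: pairs of activities one person must not hold together,
# with the fraud scenario each pair enables.
SOD_RULES = {
    frozenset({"maintain_vendor_master", "release_payment"}): "create a vendor and pay it",
    frozenset({"maintain_vendor_master", "enter_invoice"}): "invoice a vendor you control",
    frozenset({"create_purchase_order", "post_goods_receipt"}): "order and receive unchecked",
    frozenset({"enter_invoice", "release_payment"}): "enter and pay an invoice",
}

# Constructed entitlement extracts (identity, application, entitlement), already
# correlated to HR identities.
ENTITLEMENTS = [
    ("E100", "SAP", "Z_MM_PO_CREATE"),
    ("E100", "SAP", "Z_MM_GR_POST"),
    ("E101", "SAP", "Z_MM_VENDOR_MAINT"),
    ("E101", "BankPortal", "PaymentApprover"),
    ("E102", "SAP", "Z_FI_INVOICE_ENTRY"),
    ("E102", "BankPortal", "PaymentViewer"),
    ("E102", "SAP", "Z_UNKNOWN_ROLE"),
    ("E103", "SAP", "Z_MM_VENDOR_MAINT"),
    ("E103", "SAP", "Z_FI_INVOICE_ENTRY"),
    ("E103", "BankPortal", "PaymentApprover"),
]


def activities_by_identity(entitlements, activity_map):
    """Group each identity's business activities, remembering which apps grant them.
    Entitlements missing from the map are returned separately: they are a control
    coverage gap, not a clean result."""
    held, unmapped = {}, []
    for emp, app, ent in entitlements:
        activity = activity_map.get((app, ent))
        if activity is None:
            unmapped.append((emp, app, ent))
            continue
        held.setdefault(emp, {}).setdefault(activity, set()).add(app)
    return held, unmapped


def find_sod_conflicts(entitlements, activity_map=ACTIVITY_MAP, rules=SOD_RULES):
    """Return (conflicts, unmapped). Each conflict names the identity, the toxic
    activity pair, the fraud scenario and every application involved."""
    held, unmapped = activities_by_identity(entitlements, activity_map)
    conflicts = []
    for emp in sorted(held):
        activities = held[emp]
        for a, b in combinations(sorted(activities), 2):
            scenario = rules.get(frozenset({a, b}))
            if scenario:
                conflicts.append({
                    "emp_id": emp,
                    "activities": (a, b),
                    "risk": scenario,
                    "apps": sorted(activities[a] | activities[b]),
                })
    return conflicts, unmapped


if __name__ == "__main__":
    found, gaps = find_sod_conflicts(ENTITLEMENTS)
    for c in found:
        print(f"{c['emp_id']}: {c['risk']} via {'+'.join(c['apps'])} {c['activities']}")
    print("unmapped entitlements (not covered by the control):", gaps)
```

On the constructed data, E101 holds vendor master maintenance in SAP and payment release in the bank portal: a conflict no single application can see, which is the point of evaluating at the process level. E103 accumulates three conflicts. The unmapped SAP role on E102 is reported rather than silently ignored, which addresses the “risks moving downstream” limit above: an entitlement the control does not understand is a gap in coverage, and the report has to say so.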



Identity Analytics is crucial to your DX (digital transformation) success

With “the risk-aware user access review for access certification”, Identity Analytics reduces the cost and burden of the user access review and brings “trust” to your digital transformation strategy.

Do you know how to balance Digital Transformation and IT Security when your organisation is facing the challenge of managing and securing the access of thousands of users to hundreds of legacy and new Digital or cloud applications?

Operations’ autonomy and cloudification: what about risk management?

Decentralization and cloudification


Why do IBM mainframes always make us think of prehistory and dinosaurs? Or is it just a matter of different sociological or “ideological” perspectives?


Today’s employee: services consumer and focused on business goals

Today is about hopping between TV channels, online services and political parties. Consumers are now the decision makers and want as many choices as possible. Competition has become hard and aggressive: in a single day a consumer can buy from a small local grocery store and order a product from a Chinese website. Today’s world has become (breaking news…) a giant supermarket.

Within companies, employees claim more autonomy. Business is THE priority. In fact, employee and consumer are one and the same individual: a services consumer, autonomous and innovative, focused on reaching business goals.

But what is the point with dinosaurs and IBM mainframes? Of course, in this story the mainframe is only a symbol of a centralized, authoritarian, slow IT system and organization, lost in paperwork.

The divorce between “legacy IT” and Operations

Chances are that “legacy IT” is not the best partner of operations and business-oriented employees nowadays.

Indeed, asking the IT department to modify software for a new sales offer or to implement a new marketing application often means long and painful processes. Such projects need every step explicitly planned for IT, from initial requirements to operational acceptance testing. On the operations side, they drain money and time, often wasted when you realize the initial need has evolved!

IT departments are becoming more and more isolated. Decentralization in favor of business units is happening…

Not all speed and agility leads to efficiency. Consumerization can lead to waste, as departments choose competing applications for the same task that cannot talk to each other, and operations sign contracts for services they forget to terminate.

From centralized IT to excessive decentralization

In this new fast, agile, decentralized environment, security can be catastrophic precisely because so many things are decentralized. Autonomy often rhymes with chaos. The last defence against data leakage is operations’ close attention to the confidentiality and security requirements of the information they handle, something that can get lost with a relentless focus on speed of execution.


A centralized risk management is necessary, along operations’ autonomy

Business units cannot do without security and IT risk management, but they cannot each take a different approach to regulatory compliance or reporting. Firms need a way to provide central control alongside a flexible environment and decentralized decisions.

Risk management needs to map the resources and services that touch the company’s vital processes. To fully understand the impact of a leak, one needs to know what data exists and where it is. You need a 360° view of your resources, access rights and user behaviour. Dinosaurs can still be useful… but eagles rather than brontosauruses.

You need a tool capable of collecting all this information and including it in continuous control and monitoring.