Look to identity management to transform a business, recommends CA Technologies
Personalisation defines digital transformation, but the relationship is symbiotic
Digital transformation comes in many forms, and means something different to everyone involved: whether they are an employer, an employee or a consumer. Despite these differences, there is one overarching factor that applies to all forms of transformation, and that is the identity.
Grant Clements, principal consultant for cyber security at CA Technologies - speaking at Computing's Enterprise Security and Risk Management Summit - argued that transformation is defined by personalisation, which makes a user's life "better and easier." This is accomplished by giving a business the information that they need to provide the best experience, which leads to a happy, loyal customer.
Digital transformation is really about the identity
Connected devices and big data are giving companies a better view of their customers than ever before. This is a symbiotic relationship: without that information, companies can't personalise their service; and without that service, consumers are less willing to give up their data. Clements brought up the disconnect between the outcry that is heard every time news breaks about a government intelligence agency holding people's data and people's willingness to upload their entire lives to Facebook.
Employees have a different outlook, although personalisation is still key. Rather than wanting a completely tailored experience, workers want their job to fit around their lives: working from anywhere using their own devices, with a single log-in for all business apps. Employers are naturally aware of this and the 'happiness equals loyalty' equation applies here, too.
To cater for workers, employers are moving to the cloud for flexibility and removing their traditional security boundaries. What could possibly go wrong?
Quite a lot, as it happens. It is difficult or impossible to control personal devices: they cannot be locked down like a traditional company laptop. Without a security perimeter, there is no protection for the massive amounts of personal data that companies now collect as a matter of course.
If success is driven by identity, so is risk
Personal information, and by extension accounts and identities, is clearly important for companies to succeed today; but hackers want the information for the same reason. The breaches at Equifax and Uber are just two of the high-profile attacks that we have seen this year where attackers have stolen vast amounts of personal information.
Security departments must be involved to protect that data and enable an optimal experience, but how can they when there's nothing tangible to protect? The answer, again, is in the identity.
Clements described three areas for security departments to work on. The first was identity and access, which he described as 'moving responsibility to the business'. It is up to a company to make security simple, which encourages adoption by employees and consumers. The next step is to bring multiple identities together to provide a single view into work systems, and establish the right access for these combined accounts.
That feeds into privileged account management, which Clements (and the audience) felt was the biggest risk to security. It is a depressing fact of cyber security that the higher up the business you go, the less technical knowledge exists; privileged users are often the most dangerous. System, app and cloud service management is important to gain continual insight into what these users are doing.
Finally comes adaptive authentication, which aims to understand the identity context (who, where, when, why) of a user's actions. Clements recommended keeping security in the background for low-risk actions, but increasing security when needed (if a user is logging in from a new location or device, or accessing sensitive data).
Ideally, when done correctly, all of these will help to protect a company's most valuable asset: data.