By Kari Hanson
The utilities industry is facing an all-too-common issue: how to effectively combat the threat of devastating cyberattacks, which are constantly growing in power and frequency, while still empowering employees. With more hackers targeting utilities and industry compliance regulations becoming more serious, US power companies are feeling the pressure to secure their operations before it’s too late. The potential for destruction from breaches is high because, in addition to exposing sensitive information, compromised access to a country’s power grids could cause unprecedented disruption to our daily lives.
As a result, the industry’s compliance standards are some of the most rigorous and require hours of manual processes. Complicating matters, these same power companies are struggling with financial constraints and are often operating with outdated infrastructure that can limit the use of new technologies.
So, how can power companies confidently and efficiently protect themselves from cyberattacks? Because most of today’s breaches focus on targeting users—or identities—the first step should be to implement a comprehensive identity strategy that provides visibility into and control over who is accessing their applications and data, what can be done with that access, and whether it should be allowed. The Sacramento Municipal Utility District (SMUD) is an example of a power company that addressed the growing security and compliance threat with an identity program, leveraging SailPoint’s identity governance solution.
SMUD is a community-owned power company that services more than 600,000 customers. In fact, it is the sixth-largest community-owned power company in the US. Influenced by the surrounding Northern California area, a place known for its innovative outlook on energy, SMUD has been recognized as an industry leader and award winner in creating energy efficiency programs, renewable power technologies and sustainable solutions. It was the first utility in California to receive more than 20 percent of its energy from renewable resources.
However, while innovation in energy technology boomed at SMUD, identity governance fell behind. User access and onboarding were managed manually, which was time consuming and left room for error. Additionally, the growing amount of unstructured data in SMUD’s complex hybrid IT environment, along with the lack of visibility into where it was located and how it was being accessed, made compliance difficult to impossible.
Implementing Identity Governance
SMUD kicked off its new identity governance program by setting initial goals to automate the management of roles, password management, access certifications and access requests. After implementation, SMUD’s IT team saw an immediate improvement in the time it took to onboard and off-board employees. Not only were its employees saving significant time that they were able to put back into more complex projects, but the organization was relieved to gain increased visibility into who had access to applications used across the country.
Over the past few years implementing identity governance, SMUD has been able to automate identity processes, reduce call center tickets with password self-service, and increase adherence to the industry’s strict regulatory standards, such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP).
Tackling Unstructured Data
But things got more complicated when SMUD’s new tools revealed overexposed file shares, which are files living on a shared site such as SharePoint or NetApp, that included sensitive information (for example, Social Security numbers, addresses, credit card information, etc.). These files presented a huge risk to the overall health of the organization. SMUD decided to extend its identity governance program with additional SailPoint tools to help address the concerns of unstructured data.
Unstructured data is information that is not contained in a database or some other type of data structure. It’s easy to forget about unstructured data, but in our era of convenience and constant data sharing on multiple platforms and devices, it’s essential to remember that we are creating unstructured data at higher rates. In fact, analysts predict that 80 percent of enterprise data today is unstructured. Although this data is more difficult to search for and locate, its potential to be breached is just as high.
With its identity governance program extended to include unstructured data, SMUD was able to automatically determine, analyze and control which employees had access to all types of data across on-premises and cloud data repositories. In addition, it was able to search across structured and unstructured data to determine where sensitive information such as credit card information resided, as well as put effective controls in place to manage and protect it.
SMUD’s extended identity governance program even guarded against attempts to bypass it. By monitoring native changes in its Active Directory and receiving alerts when someone was added to certain security groups without approval, SMUD could ensure no one circumvented the provisioning process.
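The check described above can be sketched as a reconciliation of directory audit events against approved access requests. This is an added example, not SMUD's or SailPoint's implementation: the group names, accounts, timestamps and the `svc-idgov` service account are constructed for illustration, and only the Windows Security event IDs are real.

```python
from datetime import datetime, timedelta

# Windows Security event IDs for "member added to a security-enabled group"
# (4728 = global, 4732 = local, 4756 = universal).
MEMBER_ADDED = {4728, 4732, 4756}

# Constructed sample data: group names, accounts and timestamps are invented.
WATCHED_GROUPS = {"Domain Admins", "SCADA-Operators"}
PROVISIONING_ACCOUNT = "svc-idgov"  # hypothetical governance service account

APPROVALS = [  # approved access requests exported from the governance tool
    {"member": "jdoe", "group": "SCADA-Operators",
     "approved_at": datetime(2024, 3, 4, 9, 0)},
]

EVENTS = [  # parsed directory audit events
    {"id": 4728, "time": datetime(2024, 3, 4, 9, 5), "actor": "svc-idgov",
     "member": "jdoe", "group": "SCADA-Operators"},
    {"id": 4728, "time": datetime(2024, 3, 4, 22, 40), "actor": "admin7",
     "member": "tmp_user", "group": "Domain Admins"},
    {"id": 4756, "time": datetime(2024, 3, 5, 8, 0), "actor": "svc-idgov",
     "member": "jdoe", "group": "Domain Admins"},
    {"id": 4732, "time": datetime(2024, 3, 5, 8, 1), "actor": "admin7",
     "member": "asmith", "group": "Helpdesk"},
]


def unapproved_additions(events, approvals, watched, max_age=timedelta(days=1)):
    """Return (event, reason) pairs for watched-group additions that bypassed approval."""
    alerts = []
    for ev in events:
        if ev["id"] not in MEMBER_ADDED or ev["group"] not in watched:
            continue
        approved = any(
            a["member"].lower() == ev["member"].lower()
            and a["group"] == ev["group"]
            and timedelta(0) <= ev["time"] - a["approved_at"] <= max_age
            for a in approvals
        )
        if not approved:
            alerts.append((ev, "no matching approval"))
        elif ev["actor"].lower() != PROVISIONING_ACCOUNT:
            alerts.append((ev, "approved, but changed outside provisioning"))
    return alerts


if __name__ == "__main__":
    for ev, reason in unapproved_additions(EVENTS, APPROVALS, WATCHED_GROUPS):
        print(f'{ev["time"]} {ev["actor"]} added {ev["member"]} to {ev["group"]}: {reason}')
```

An approval only covers the exact member and group it names, so an approved user who is added to a different watched group still raises an alert.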
Living Up to Its Reputation
By implementing an identity governance program that takes both structured and unstructured data into account, power companies such as SMUD can save copious amounts of employee time, reduce the risk of human error, ease compliance and, perhaps most importantly, give their executives and customers confidence that a strategic approach to security is in place.
If you’re a power company looking to launch your own identity governance program, there are a few things you can do to put the plan in motion:
• Educate. Inform everyone in the company, from the C-suite to the interns, about the need to manage the organization’s identity data, covering everything from common-sense approaches to avoiding phishing scams to a comprehensive identity governance program. Power companies will benefit from an organization-wide focus on security.
• Determine business priorities. Compliance is designed to force good behavior for security, but, as a starting point, a company needs to understand whether it is focused on improving both or reacting to an issue with one or the other.
• Build a business case. Identity governance automates identity processes, giving valuable time back to employees who would have otherwise spent it processing manual tasks such as onboarding. Amid budget constraints, the ability to save time and money through automation can help fund the broader program.
SMUD’s story demonstrates that through identity governance, power companies can not only achieve more secure operations, but also more effectively comply with regulatory standards—all while giving employees more time to do meaningful work through automation.
About the author: Kari Hanson is the vice president of corporate marketing at SailPoint. Over the past nine years, Kari has helped SailPoint grow from an early venture startup with six customers to a global leader and public company. In addition to driving SailPoint’s brand and telling the company story, Kari has worked directly with SailPoint’s customers to help them share their identity journeys.