Why identity governance is a key priority for New Zealand government agencies

Agencies should invest in robust cybersecurity infrastructure, regularly update security policies and protocols, and educate employees on best practices, writes Raymond Dickinson, Business Leader New Zealand at SailPoint.

New Zealand government agencies have long been challenged with protecting personal information and maintaining individuals’ privacy as they collect and store vast amounts of sensitive data. As government agencies increasingly rely on digital technologies to meet evolving demands and improve efficiency, the need for a secure and effective digital strategy has become even more paramount.

The digital identity environment in New Zealand has been lacking consistent standards, although the introduction of the Digital Identity Services Trust Framework Bill earlier this year is the step in the right direction to finally provide New Zealanders with better control over their identity information and how it’s used by companies and services they share it with.

Yet the rising threat of cybersecurity attacks, data breaches, and unauthorised access to sensitive data, means government agencies must also replace outdated, clunky legacy platforms to ensure that their systems are secure and protected.

Recently, Stats NZ - responsible for linking administrative data collected by individual government agencies through the course of their work and through surveys into a central repository - admitted that it had been breached more than 100 times, with information on nearly all New Zealand residents exposed.

Although digital transformation has delivered numerous benefits to organisations, it has also led to a surge in the number of human and non-human identities created, resulting in an increased number of security breaches. According to an Insights Report by the New Zealand Privacy Commission, 54% of large organisations recorded breaches that were from ‘intentional or malicious activity’.

Despite this, Identity Security is still not receiving the attention it deserves.

Why Identity Governance should be a priority to prevent cyberattacks

Identity security is critical to maintaining the integrity and confidentiality of government data and must be a top priority for all agencies.

Many cyber-attacks begin with the acquisition of valid credentials, which malicious actors steal or compromise to access the network, study the environment, elevate their privileges, and strike when everything aligns in their favour. Having visibility over “access at rest” is crucial to prevent such attacks.

Identity governance is essential for ensuring users have appropriate access to sensitive data and systems within an organisation, and to track and detect any suspicious behaviour or possible security breaches. Incorporating identity governance into a modern zero-trust security model can play a crucial role in mitigating these risks.

Combining AI and advanced analytics with identity governance also enables government agencies to monitor user activity, detect potential threats, and stay ahead of cyberattacks.

As government agencies migrate to the cloud, adopting a zero-trust security model that places identity at the core of its security strategy is crucial.

The cost of doing nothing

Legacy platforms are often outdated and lack critical security features such as two-factor authentication, making them vulnerable to malicious actors as they don’t use modern encryption protocols.

Moreover, keeping obsolete infrastructure increases operational costs as there is an additional need to maintain hardware that may be difficult or impossible to replace. Outdated systems also hinder productivity and collaboration within an organisation as they are less efficient and user-friendly.

A lack of budget or the ability to justify the importance of investing in a true SaaS identity management solution is unfortunately one of the main roadblocks to implementing an Identity Security strategy and the main challenge identified by over half of New Zealand organisations according to SailPoint’s State of Identity in ANZ study. This is often because Identity Security is not something tangibly visible to a government agency’s customers, such as citizens, making it challenging to justify the budget allocation.

Educating key stakeholders within government agencies about the impact and risks of not having proper solutions and protocols in place will be crucial to highlight their vulnerability to cyberattacks, and the impact outdated infrastructure has on overall operations and government workers productivity and efficiency.

Consolidating identity

Consolidating identities is another key challenge for government agencies, as many individuals may have multiple identities for different systems, making it difficult to manage access rights and track user activity across platforms.

A modern identity management solution streamlines access rights, enhances visibility and control, and reduces the risk of unauthorised access to sensitive data by establishing a single source of truth for user identities.

Getting identity security right is a complex task that requires people, processes, and technologies to work harmoniously together.

To address these challenges, New Zealand government agencies should invest in robust cybersecurity infrastructure, regularly update their security policies and protocols, collaborate with other agencies and industry experts, and educate their employees and users about best practices in identity security. This will enable them to prioritise identity security in their overall cybersecurity strategy and enhance protection of sensitive data.