Businesses are faced with mounting pressure in the midst of global digital-first economies. South African organisations are not immune to this trend.
With increasing cyber crime and stringent regulatory compliance mandates, such as the Protection of Personal Information Act (POPIA), managing how data is processed is no longer a choice: an integrated identity and access management (IAM) strategy is essential.
According to PwC, businesses are turning to good governance to reap the wider benefits that it brings by developing their governance to become more efficient and effective in the management of business compliance, risks and opportunities.
PwC notes, among other significant issues, that mitigating the negative impact of poor compliance and/or cyber breaches is key to sustainable business growth and stakeholder confidence. The professional services firm − with a global network that covers accounting, audit, tax and advisory services − highlights some of the issues that face all business entities, including:
- Business risks and opportunities need to be clearly defined if strategic business decisions are to be improved.
- Compliance failure penalties must be firmly on a company’s radar if it is to manage risks and avoid reputational damage – the latter is often more damaging than the punitive fines.
- The challenge of meeting the compliance demands of investors, legislators, regulators, customers, employees and all stakeholders.
- Escalating compliance costs.
- The need to improve business processes to embed compliance and mitigate inherent business risks.
- Pressure to reduce compliance failure incidents.
Global research guru Gartner’s perspective on the development of an IAM strategy emphasises identity-first security and zero-trust architecture, advocating for incremental projects and adaptive trust. It notes that integrating a composable cyber security mesh architecture is essential to achieving security, compliance and business enablement goals.
Implementing a multilayer identity and access management architecture is essential to support zero-trust initiatives and enhance systems interoperability. It is essential that South African businesses have a clear, consistent view on risk and risk appetite.
Fostering compliance in the South African context
Compliance is the main thread that runs through all digital transformations in business. For local firms, POPIA, the Financial Sector Regulation Act, plus international regulations like GDPR (where EU data is handled) impose rigorous constraints on the handling of user identity and data.
The only way to comply with these mandates is through the implementation of a well-integrated IAM methodology that will ensure:
- Centralised control: direct visibility into what is accessed and by whom, thus avoiding unnecessary data exposure.
- Automated reporting and auditing: simplified compliance reporting that satisfies the regulators without overburdening internal resources.
- Policy-based access: dynamic controls that enforce the least-privilege principle and adopt local compliance models.
Enhancing security in evolving threat environment
One report from earlier this year lists South Africa as the most targeted nation for cyber crime in Africa, experiencing the highest volume of ransomware and info-stealer attacks on the continent.
This vulnerability stems from a relatively strong digital economy and large potential targets like individuals and businesses, but also from challenges in cyber security investment, legislation and law enforcement, and from a shortage of skilled personnel, particularly in the public sector – which is cited as the most attacked arena after financial institutions.
Unsecured identity controls are the number one cause of incidents: attackers exploit bad password practices, inactive accounts and an absence of authentication layers. This is where a well-thought-out IAM strategy can make a huge difference through:
- Multi-factor authentication, reducing password reliance and making account takeover much more difficult.
- Zero-trust practices, authenticating all users, endpoints and access requests, irrespective of where they come from.
- Identity life-cycle management, whereby access can be withdrawn in real-time when employees leave a company or move within an organisation to a different role.
Improving the user experience
End-users – regardless of whether they are customers or employees − need frictionless, instant, trusted access to digital services. An identity system that breaks down can hamper productivity, frustrate users, destroy customer loyalty and lose business.
A consolidated IAM strategy improves user experience through:
- Single sign-on – this enables workers to log in once and access all their required applications in a secure way.
- An adaptive access policy – this leverages contextual data (behaviour, device, location) to reduce unnecessary login friction.
- Agile digital solutions – these facilitate mobile-first initiatives, remote collaboration, and customer-facing applications without security compromise.
IAM as a driver of digital transformation
For South African enterprises, IAM is not just a security tool but a strategic digital transformation enabler. By adopting security and compliance through identity processes, businesses can leverage cloud services, transform customer engagement and expand digital realms.
Within South Africa's continually changing cyber threat and regulation environment, IAM is not merely a matter of access control, but more about enabling trust, compliance and business development. A well-integrated IAM approach guarantees compliance and provides customers and employees with the seamless experiences they require.
The conundrum facing South African businesses today is how to incorporate IAM into a digital strategy while remaining secure, competitive and ultimately sustainable.