Vice President and Country General Manager – Canada
Optiv Security
Sometimes we all need to take a step back to see the proverbial forest for the trees. When we look at today’s cyber security landscape, we see that nearly all hacks are related to identity. And yet, when we look at the world of cyber security, we see that identity and access management (IAM) lags other categories of security investment. People are getting so caught up in the cyber security whirlwind of new threats, regulations and skills shortages that they’re not paying attention to the most basic issue at hand: it all starts with identity.
Why don’t organizations invest more in IAM when it is arguably the most critical function of any security program? It’s usually because of one or more of the following reasons:
- There is a widespread perception that IAM is difficult to deploy and manage, so organizations tend to invest just enough to meet regulatory compliance requirements, and nothing more.
- IAM systems tend not to fare well when organizations use traditional return-on-investment (ROI) metrics to evaluate security spend. Tools with easy-to-measure outputs, such as “malware detected” or “man-hours saved,” will beat out IAM in these cases.
- IAM is often an “orphan” discipline within security organizations with no clear owner, which can lead to confusion.
- Many organizations think of IAM as a point-in-time project, and thus believe “we’ve already done that.”
Unfortunately, these gaps in security programs leave enterprises extremely vulnerable to data breaches. Attackers almost always start by compromising credentials – and from there, they use those credentials to move to higher levels of privilege until they reach their ultimate goal: data.
The remedy to this is clear – IAM needs to be elevated within organizations’ security programs and roadmaps. Historically, network intrusions were caused by a compromise of perimeter defenses. Today, compromised identities are fueling the global breach epidemic. This problem is growing ever-more acute as enterprises move to the cloud, and extended workforces and partner ecosystems become even more distributed and diverse. The single most important thing any organization can do to prevent data breaches in this environment is to provide ubiquitous identity management – or identity-defined security. Identity today is more than the new perimeter; it is the core language of security.
Battle plans: Moving to identity-defined security
Identity compromise is the greatest threat to every IT and security initiative today, from mobility and cloud to third-party risk management, regulatory compliance and the internet of things (IoT). The only way to break the cycle of data breaches and reduce risk in this environment is to move to a paradigm of identity-defined security. This is easier said than done. However, the time and money spent on this transition will provide enormous positive returns by making your organization an unattractive target to hackers. Put another way: if you don’t invest in identity-defined security, you will remain an inviting target to hackers, who will compromise your security strategy and ruin the ROI of your security spend by exploiting your Achilles heel: weak identity controls.
The first step to achieving identity-defined security is to commit to it, and that means making a strategic investment in a programmatic approach to IAM. Once you’ve done that, you will need to start with the basics. First, develop a prioritized IAM roadmap that includes business drivers, current-state challenges, and future-state recommendations. Then establish a universal understanding of every person who works for your organization or with your organization, and exactly what access they have at all times. Key access considerations include people who have access to personally identifiable information (PII), source code and intellectual property (IP), human resources data, and so on.
Once this information is understood, you can move forward with basic controls such as access control, access governance, and user lifecycle management. With these controls in place, you’ve set the foundation for identity-defined security and can move on to more advanced controls.
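The inventory and lifecycle checks described above can be made concrete with a simple access review: join the HR roster against observed entitlements, flag accounts HR does not know about, flag leavers who still hold access, and list who can reach PII, source code and IP. The following is an added example written for this page, not Optiv’s tooling; the roster, resource catalogue, entitlements, sensitivity tags and report layout are all constructed for illustration.

```python
"""Added example: a minimal access review over constructed HR and entitlement data.

This is not Optiv's code. The roster, resources, entitlements and tags below are
constructed to show the inventory the text calls for (who works here, what they
can reach, who touches PII / source code / IP) and one lifecycle check (leavers
who still hold access).
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed HR roster: account name -> department, employment status, leave date.
HR_ROSTER = {
    "alice": {"dept": "engineering", "status": "active", "left": None},
    "bob": {"dept": "hr", "status": "active", "left": None},
    "carol": {"dept": "finance", "status": "terminated", "left": date(2023, 9, 30)},
}

# Constructed resource catalogue with the sensitivity tags the text names.
RESOURCES = {
    "git-main": {"tags": {"source-code", "ip"}},
    "hris-db": {"tags": {"pii", "hr"}},
    "payroll-share": {"tags": {"pii", "finance"}},
    "wiki": {"tags": set()},
}

# Constructed entitlements as exported from the access systems: (user, resource, role).
ENTITLEMENTS = [
    ("alice", "git-main", "write"),
    ("alice", "wiki", "read"),
    ("bob", "hris-db", "read"),
    ("carol", "payroll-share", "admin"),   # terminated employee still holding access
    ("svc-backup", "hris-db", "read"),     # account with no owner in the HR roster
]


@dataclass
class ReviewReport:
    orphaned: list = field(default_factory=list)   # entitlements for accounts HR does not know
    leavers: list = field(default_factory=list)    # entitlements still held by terminated people
    sensitive: dict = field(default_factory=dict)  # sensitivity tag -> sorted users with access


def review_access(roster, resources, entitlements,
                  sensitive_tags=("pii", "source-code", "ip")):
    """Join entitlements against the roster and resource catalogue.

    Every entitlement is classified once for lifecycle state (unknown account or
    leaver) and, independently, recorded against each sensitive tag on the
    resource it grants, so the report answers both "who should not have this"
    and "who can reach the crown jewels right now".
    """
    report = ReviewReport()
    holders = {tag: set() for tag in sensitive_tags}
    for user, resource, role in entitlements:
        person = roster.get(user)
        if person is None:
            report.orphaned.append((user, resource, role))
        elif person["status"] != "active":
            report.leavers.append((user, resource, role, person["left"]))
        tags = resources.get(resource, {"tags": set()})["tags"]
        for tag in tags & set(sensitive_tags):
            holders[tag].add(user)
    report.sensitive = {tag: sorted(users) for tag, users in holders.items() if users}
    return report


def format_report(report):
    """Render the review as plain text suitable for an audit evidence file."""
    lines = ["Orphaned entitlements (no HR owner):"]
    lines += [f"  {u} -> {r} ({role})" for u, r, role in report.orphaned] or ["  none"]
    lines.append("Leavers still holding access:")
    lines += [f"  {u} -> {r} ({role}), left {left}" for u, r, role, left in report.leavers] or ["  none"]
    lines.append("Access to sensitive data by tag:")
    lines += [f"  {tag}: {', '.join(users)}" for tag, users in sorted(report.sensitive.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_access(HR_ROSTER, RESOURCES, ENTITLEMENTS)))
```

In practice the roster comes from the HR system of record and the entitlements from each directory, SaaS tenant and database; the value of the exercise is that the two are joined continuously rather than once per audit, so orphaned and leaver entitlements surface as they appear.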
Winning the war
Moving to identity-defined security may seem like a major shift in strategy and investment. But if you think about it, it is not a “shift” at all, because it dramatically strengthens your existing security program. With strong identity controls in place, you will make it much more difficult for adversaries – internal and external – to defeat your existing security tools and controls, which means IAM improves the ROI of your entire security program.
A solid identity-defined security program will also dramatically reduce the time and effort needed to respond to compliance and audit requirements. As most security pros know, these audits have become increasingly complex and expensive, and the problem is aggravated when there is no strong IAM infrastructure with robust reporting in place, because identity controls are always a major focus of regulatory compliance audits.
Identity is the new core language of security. The best way for organizations to become fluent is to take a fresh look at IAM and move to a model of identity-defined security.