The last 12 months have accelerated a shift to a more complex hybrid workforce that has affected almost everything in the corporate world and beyond—and for an increasing number of companies, things aren’t going to go back to the pre-pandemic version of normal. A Gartner survey in July 2020 found that 82 percent of business leaders anticipated allowing employees to work remotely at least some of the time for the foreseeable future and long after the pandemic subsides. Among the many things these changes have had a significant impact on is identity; specifically, on identity governance and access management.
Identity is the Perimeter
For years now, many people have been saying that identity is the “new” perimeter, but it’s no longer new. This notion didn’t arise because of the pandemic and the resultant increase in remote working, but it has taken on an increased urgency during the past year. While remote working isn’t a new concept, there has been a large and sudden switch from people working within enterprise networks that are closely monitored and secured to largely unmonitored and often insecure Wi-Fi networks at home.
This shift to employees logging on from outside the reach of perimeter-based security solutions changes the nature of attack vectors facing companies. It can increase the attack surface if not managed effectively. This change also impacts temporary, third-party and vendor identities who need access to corporate systems and applications—a process that’s not without its own challenges.
The need to adopt Zero Trust, which requires identity verification for every user and device attempting access, whether from inside or outside the old traditional security perimeter, shows that identity is the perimeter.
A More Holistic Identity-Centric Approach is Needed
Many of the long-standing challenges relating to identity and access management have remained largely unchanged, but the move to remote work has emphasized the need for a more holistic identity-centric approach to security. Integration with complementary technologies is key to enabling this.
Authentication and identity providers ensure your identities are securely accessing your resources using two-factor or multi-factor authentication. User and Entity Behavior Analytics (UEBA) solutions can baseline normal user behavior and require step-up authentication or take preventive action where threats are detected. Privileged Access Management (PAM) can secure the most sensitive access, providing credential and session management.
Other integrations are worth considering, but good old-fashioned identity governance and administration remains at the center of this approach.
Three Simple Elements to Managing Identity Effectively
A best-in-class identity strategy has three simple elements, the first of which is strong identity lifecycle management. Having strong identity lifecycle management processes, which include third parties and vendors, is critical for managing identity-related risk.
These processes ensure organizations can provide the right users, with the right access, at the right time and for the right reasons. Well-defined Joiner, Mover and Leaver (JML) processes—combined with identity analytics that enable more informed decisions during access request and access review processes—will simplify enforcement of least privilege and mitigate other risks such as orphaned accounts or terminated/dormant identities with active access.
The second element is data quality regarding your identities and the systems and applications that need to be managed. Poor data quality is a leading cause of problems with identity and access management as this data feeds directly into (and often triggers) your identity lifecycle management processes.
First and foremost, you must have an accurate feed of all the identities within your organization. Without this, your JML processes will be ineffective: Joiners and Movers will be slower to get the access they need, and risk increases where Movers and Leavers retain access they should no longer have, or access that should have been deleted or disabled.
The quality of data being gathered from your applications and systems is equally important. Good data quality practices—including meaningful business names and descriptions, standard account and resource naming conventions, defined data and resource owners, the use of unique identifiers/mapping attributes, and classifying and categorizing resources such as accounts and permissions—will deliver meaningful benefits. These benefits include automatic mapping of access back to the appropriate identities, improved end-user experience with user access request and review processes, and the ability to enforce granular control over your access.
Risk-based identity management is the third element of this approach. Good data quality will allow you to identify your personally identifiable information (PII), financially sensitive data and privileged access, together with the identities that can reach them. Applying a risk score to this access and the related identities allows the appropriate level of control to be applied: higher risk warrants more frequent review or multiple levels of approval. Doing this effectively lets you focus on the access that matters and counteract problems such as review fatigue, while maintaining demonstrable control over your most sensitive data.
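The three elements above can be exercised together in a small reconciliation step. The following example is added here and is not code from the article or from Omada: it uses a constructed HR feed and a constructed set of application accounts that carry an employee_id mapping attribute (the "unique identifiers/mapping attributes" the article calls for), flags orphaned accounts and leavers who still hold access, and derives a review cadence and approval depth from a hypothetical risk score over the PII, financial and privileged categories.

```python
# Constructed sample data (not from the article): an HR identity feed and
# application accounts that carry an employee_id mapping attribute.
HR_FEED = [
    {"employee_id": "E100", "name": "A. Jones", "status": "active"},
    {"employee_id": "E101", "name": "B. Smith", "status": "terminated"},
    {"employee_id": "E102", "name": "C. Patel", "status": "active"},
]
APP_ACCOUNTS = [
    {"app": "finance", "account": "ajones", "employee_id": "E100", "tags": {"financial"}},
    {"app": "finance", "account": "bsmith", "employee_id": "E101", "tags": {"financial", "privileged"}},
    {"app": "hrportal", "account": "svc_legacy", "employee_id": None, "tags": {"pii"}},
    {"app": "crm", "account": "cpatel", "employee_id": "E102", "tags": set()},
]

# Hypothetical risk weights for the access categories the article names.
RISK_WEIGHTS = {"pii": 3, "financial": 3, "privileged": 5}


def risk_score(tags):
    """Sum the weights of the sensitivity tags attached to an account."""
    return sum(RISK_WEIGHTS.get(t, 0) for t in tags)


def review_policy(score):
    """Map a risk score to (review interval in days, approval levels)."""
    if score >= 6:
        return 30, 2      # highest risk: monthly review, two approvers
    if score >= 3:
        return 90, 1      # sensitive: quarterly review
    return 365, 1         # low risk: annual review


def reconcile(hr_feed, accounts):
    """Map accounts back to identities and flag lifecycle gaps."""
    identities = {i["employee_id"]: i for i in hr_feed}
    findings = []
    for acct in accounts:
        eid = acct["employee_id"]
        if eid is None or eid not in identities:
            issue = "orphaned"                # no identity owns this account
        elif identities[eid]["status"] != "active":
            issue = "leaver-retains-access"   # Leaver process did not complete
        else:
            issue = "ok"
        score = risk_score(acct["tags"])
        days, approvals = review_policy(score)
        findings.append({"app": acct["app"], "account": acct["account"],
                         "issue": issue, "risk": score,
                         "review_days": days, "approvals": approvals})
    return findings
```

Running reconcile(HR_FEED, APP_ACCOUNTS) surfaces the terminated finance admin and the unmapped service account first, which is exactly the access a risk-based review should prioritise.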
Underpinning all of this, education across your entire organization and investment in the people who manage the processes and technology supporting these elements are crucial for success.
Putting Identity at the Center of What You Do
Organizations had already begun to understand the concept of identity being the perimeter in relation to security, but the changes wrought last year by the pandemic have brought this sharply into focus. Being able to demonstrate that you know who is accessing your systems and data, and that the access they have is appropriate, has never been more relevant or important.
By putting identity at the center of what you do and getting the basics right, your organization will be able to tackle the new security challenges facing you in the most efficient and secure manner.
Craig Ramsay is Solution Engineer for Omada.