The lines between information technology and cybersecurity have never been blurrier and that’s causing enterprise organizations to rethink how they approach digital risk management and threat detection and response. The common bond between security and technology is, of course, identity, and leading analysts are recommending that organizations prioritize identity threat detection and response capabilities in their budgets and solutions stacks.
This avalanche of so-called digital transformation shows no signs of slowing, so what does identity threat detection mean for the folks managing this high-speed evolution inside large companies? Let’s take a look at some of the challenges faced by enterprise organizations and explore ways to get ahead of the giant snowball of identity threats careening down the proverbial mountain.
Operational Complexity
Organizations both large and small are being challenged by the operational complexity of their technologies. The sheer number of vendors and each one’s ever-expanding list of integrations with other solutions means that end users of one are often committing changes by association in one or more of the others systems. While this capability often means that output and productivity surge, the flip side is that cybersecurity hygiene in fact plunges. With even just one “system of record” that talks to or integrates with all your other systems, the complexity becomes unmanageable quickly, even within those confines of a one-to-many system. But, what about beyond those confines, where big systems connect with other big systems?
Expanding Digital Footprint aka ‘Identity Sprawl’
Organizations now have entire systems of identity that are business unit-specific, workload-specific, team-specific, and purpose-specific. These systems are not to be confused with identity providers (IdP) such as Okta or Azure AD. Rather, consider any software-as-a-service (SaaS) solution that requires a username and password: that’s a system of identity. For example, Quickbooks is a system of identity. Salesforce is a system of identity. Adobe Creative Cloud is a system of identity, and so on.
With every system of identity comes the aforementioned integrations as well as roles, permissions, groups, and other attributes that are defined (without common standards) by the systems themselves. When you multiply the systems of identity by the number of system-specific attributes and the number of identities, you end up with identity sprawl. Identity threats are born here.
Human Capital Constraints
Identity and access management (IAM) is an operational unit whose roles and responsibilities have evolved from the days of on-premises information technology. Access to devices, applications, and systems has depended on the creation of a corporate identity and permissions granted by the IAM team. What’s potentially unclear, however, and what can lead to some inertia in the heat of cyber battle readiness, is whether IAM is a security or an IT concern. Our view is that it no longer matters.
As we have seen, identity vulnerabilities are fomented by technology sprawl, and the reliance on humans to manage identities breeds yet another insidious risk: identity blindness. As more and more relationships are created between devices, attributes, identities and permissions, it becomes increasingly difficult to see and keep track of which identities are doing what.
Expecting people to keep up with machine-scale efficiency is a losing battle from day one. After all, that’s why machines were invented – to work faster than humans. Even if you could fill every role you think you need (there’s a massive talent shortage), their capacity for identity threat detection and response would soon be exceeded.
So, what to do about these challenges? Clearly, people alone cannot be expected to keep up with machines when it comes to identity threat detection and response. As it turns out, people are actually an essential solution to mitigating identity vulnerabilities, but it’s more about where they sit in the chain of command than their ability to keep up.
Distribute Decisions
With the boundaries between security and IT effectively gone at an operational level, the decision-making process around identity and access management should follow suit. Access management decisions should be made closer to the business unit and to the actual people who know what an identity should be able to do (or not do). Distributing the decisions on access management to a lower level of operational authority (such as to direct managers) means that individual identities are less likely to be over-permissioned inadvertently by some arbitrary group assignment or inheritance. This results in fewer identity vulnerabilities at scale.
Adopt Identity-First Security
With over 60% of breaches resulting from the misuse or abuse of valid credentials, it makes perfect sense to entirely reframe identity and access management as identity-first security. The chain of custody on access is only getting more opaque with every additional system of identity, and identity threat detection and response will need to become a priority for enterprise organizations in order to get and stay ahead of the risks resulting from identity blindness and sprawl.