Identity has rapidly evolved to become organizations’ first line of defense against increasingly sophisticated cybersecurity threats. This evolution has made identity a business enabler and a critical board-level topic.
Identity and Access Management (IAM) programs tend to lurk in the shadows until something goes wrong. But enterprises now have capabilities that haven’t yet been applied to cybersecurity, and IAM within cybersecurity, fueled by data science fundamentals.
Ahead of Cybersecurity Awareness Month, I discussed this topic on the Identity Defined Security Alliance webinar Identity as the First Line of Digital Defense for Cybersecurity with Yash Prakash, Chief Marketing Officer at Saviynt.
A new way of looking at risk
As threat actors’ tactics evolve, enterprises must drive new types of controls that help them confirm individuals’ digital identities. When the behavioral attributes obtained online deviate from expected patterns, enterprises can take action in near real-time to manage the risk without human interaction.
Identity is being widely discussed as the next generation of the perimeter as businesses transform from legacy-based, on-premises environments to cloud-hosted and Software as a Service (SaaS) applications. The design of enterprise controls has to keep pace and evolve away from on-prem to cloud-native apps, using data science to drive model-driven security.
What’s driving the rise of model-driven security?
The pandemic accelerated an IT transformation that had been in the making for decades. It kick-started a shift towards the hybrid enterprise whereby businesses use cloud-hosted or SaaS apps as the norm.
This shift had been held back by people’s reluctance to change. But the sudden shift to the working-from-home model proved that we could be productive without being in the office, and business infrastructure could hold up. As a result, computing architectures no longer need to be routed through private data centers.
The shift also fundamentally changed enterprise controls as on-premises IAM capabilities were substituted for access control in a cloud or SaaS deployment. However, threat actors also adjusted their approach, which meant the core IAM controls had to evolve with the tech. That saw the introduction of edge protection controls, such as using secure browsers rather than the traditional approach of virtual private network (VPN) tunnels.
The use of identity for continuous risk management and verification is well established in fraud management within financial services. But what’s new is the maturity of machine learning algorithms, which enable enterprises to apply identity in a near real-time model.
How to get identity buy-in from senior stakeholders
Just as the work-from-home scenario triggered the acceleration of IT transformation, we have a similar opportunity today. In challenging economic times, enterprise investments have to pay dividends and drive business value.
Enterprises can prove the value of an identity-based approach with benefits including:
Automating access requests
Traditionally, IAM practices relied on human labor to do the heavy lifting. Managers would have to approve employees’ access to resources, which created delays and workflow challenges and frustrated users. But a model-based approach reduces dependency on human behavior and increases reliance on models or near real-time decision-making to remove human involvement.
Automating access requests reduces the risk of user privileges being elevated. This new approach enables enterprises to represent every employee, their entitlements, and how they use them as behavioral indicators. They can express that numerically to identify any deviations from the norm. If the pattern matches, there’s no reason for humans to manage access requests, which enables up to 80% of transactions to be automatically approved. Employees’ frustrating wait times are eliminated, user and manager productivity is boosted, and operating costs are reduced.
Many cyber-attacks use identity compromise as a critical vector, enabling threat actors to move laterally through business systems and create significant damage. Yet businesses remain stuck in a phase of one-time passwords and multi-factor authentication being good enough. But it’s clear that this approach is only good enough for threat actors who would like us to keep it that way.
Enterprises must recognize that traditional password approaches are no longer appropriate. We have to move towards passwordless authentication and then evolve to continuous authentication, which determines whether attributes match the established pattern and enables businesses to take action in real-time. This approach further reduces the risk of an attacker gaining access to corporate resources using compromised identity credentials.
Passwordless tools improve the user experience, remove friction, and enhance security, which can only have a positive economic impact. They reduce the cost of data breaches and account takeover while lower operating costs by dismantling password reset infrastructure. And the result is an authentication experience that’s liked by consumers and disliked by threat actors.
Reduced operating costs
The net result of both the above approaches is higher productivity at a lower cost. Chief Financial Officers (CFOs) are trying to help businesses through volatile economic conditions with limited resources. They are desperate for opportunities to reduce costs, and IAM offers dozens of use cases to upgrade controls.
Instead of designing tools based on human actions, controls need to be based on models taking action with humans stepping back to spot anomalies and make adjustments. Retooling IAM capabilities based on fewer people being involved in transactions means lower operating costs and higher productivity levels. It’s vital to recognize that budget cuts are the best time for businesses to serve up transformation opportunities, and IAM is perfect for this change.
Ensuring IAM is attractive in the future
IAM is new and innovative, enabling employees to learn marketable and cutting-edge skills. IAM needs to improve at meeting employee needs, and proactive employees will take advantage of that, allowing businesses to attract and retain more top talent in the future.
We also need to create a culture of resilience, whereby resilient behavior is consistently demonstrated by business practices. To achieve that, awareness of cybersecurity risk isn’t sufficient. Employees need to understand what decisions they can make to do their job more effectively and make the enterprise more effective. Resilient behavior means continually improving the resilience of processes and applying awareness to everyday decision-making.
Find out more about the role of identity in enterprises’ cybersecurity defenses by watching the webinar in full here.
About the Author: Jim Routh is a transformational security leader with a demonstrated track record of delivering world-class security capabilities to drive positive business results in a digital world. He is a board member and advisor to many companies and the former CISO of MassMutual, Aetna, and American Express.