Between the explosive growth of enterprise mobility and the increased adoption of cloud services, the number of workforce identities has skyrocketed. Accompanying that increase is a sobering statistic: according to a recent survey by the Identity Defined Security Alliance (IDSA), 79% of security and identity professionals say their company has experienced an identity-related breach in the past two years.
If that figure hits home, you are not alone. The IDSA report, Identity Security: A Work in Progress, describes a landscape where phishing and credential theft are constant threats, and the enterprises most successful at defending against them are implementing identity-focused security controls. Only 34% of those who described their security culture as “forward-thinking” experienced an identity-related data breach in the past year.
Tasked with managing a multitude of devices and users accessing the network from various geographies, security leaders require deeper levels of visibility into enterprise identities to make sound decisions about access. At a time when credential theft is growing alongside technology, building the strongest gates around employees and corporate assets requires that they effectively collect, correlate, and analyze information about their users and those users' activity.
Evolution of Identity
As the remote workforce and cloud adoption have grown, putting identity and access management at the center of security strategy has become even more vital. Due to the COVID-19 pandemic, the shift from a mostly on-premises workforce to one that is largely remote has increased the number of devices attempting to access corporate resources that enterprise IT potentially has no control over. In fact, a recent survey from Trend Micro found that 39% of employees are accessing corporate data from personal devices. The networks carrying the traffic from these devices are not under IT’s control either, meaning they cannot be presumed safe. Despite this, IT must still confidently establish which user is accessing what resource and from what system, and make sure everything aligns with corporate policy.
Similarly, the adoption of cloud technologies has put pressure on how businesses control access. A shocking number of data breaches in the cloud happen due to misconfigurations and excessive user permissions. Keeping track of user roles, access, and authorization in increasingly multi-cloud environments creates a challenge for IT departments, and the price of a mistake—such as failing to implement multifactor authentication properly or misconfiguring inbound access rules for uncommon ports—is only getting higher. With IT departments lacking the visibility and control they usually have over on-premises systems, managing access to cloud services and applications is a critical part of the security conversation.
Focus on Identity-Related Security
Putting identity at the center of security requires taking the finer details of user access and weaving them into security conversations.
Basing decisions about authentication on device characteristics, user profiles, and user attributes allows enterprises to enforce more effective access controls by leveraging information ranging from user behavior to technical data about a device. If User A is attempting to access a sensitive database but is suddenly requesting access from a device they do not typically use or from an unusual geographic location, that information can be used to gauge security risk. Correlating this type of information adds a layer of context around access requests that allows enterprises to detect anomalous behavior and prevent attackers from gaining a deeper foothold if they have already compromised a device or a set of user credentials.
From a security standpoint, nirvana is the enablement of this enforcement in real time. However, many organizations are still lagging on this issue. According to the IDSA report, just 31% said they have fully implemented the use of device characteristics for authentication. The vast majority (98%) of respondents also said failing to focus on such identity-centric security outcomes increases the risk of identity-related breaches.
By integrating security and identity capabilities, enterprises can weave together the information they need to make smarter decisions about authentication and access. Multifactor authentication requirements, for example, can be layered on according to the level of sensitivity of the asset being accessed, an assessment of the user’s risk, and the security posture of their device.
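The layering described above (asset sensitivity, user risk, and device posture feeding one access decision) can be sketched as a small policy function. This is an added example, not code from the article or from any product; the signal names, sensitivity tiers, and score thresholds are illustrative assumptions, and the "User A" baseline is constructed sample data.

```python
from dataclasses import dataclass

# Illustrative assumption: three sensitivity tiers and integer thresholds.
SENSITIVITY = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Profile:
    """What is normal for one user (constructed sample data)."""
    known_devices: frozenset
    usual_countries: frozenset

@dataclass
class Request:
    asset_sensitivity: str   # "low", "medium" or "high"
    device_id: str
    country: str
    device_managed: bool     # enrolled in device management
    device_compliant: bool   # e.g. patched and disk-encrypted

def risk_signals(req, profile):
    """Return the context signals that deviate from the user's baseline."""
    checks = [
        ("unfamiliar_device", req.device_id not in profile.known_devices),
        ("unusual_location", req.country not in profile.usual_countries),
        ("unmanaged_device", not req.device_managed),
        ("noncompliant_device", not req.device_compliant),
    ]
    return [name for name, hit in checks if hit]

def decide(req, profile):
    """Map sensitivity plus risk signals to allow / step_up_mfa / deny."""
    signals = risk_signals(req, profile)
    level = SENSITIVITY[req.asset_sensitivity]
    # Hard rule: a non-compliant device never reaches a high-sensitivity asset.
    if level == 2 and "noncompliant_device" in signals:
        return "deny", signals
    score = level + len(signals)
    if score >= 5:
        return "deny", signals
    if score >= 2:
        return "step_up_mfa", signals
    return "allow", signals

# Constructed baseline for "User A" from the scenario above.
USER_A = Profile(frozenset({"laptop-01"}), frozenset({"US"}))
```

Returning the triggered signals alongside the decision lets the same evaluation feed both enforcement and the detection pipeline that reviews anomalous access attempts.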
Identity-Centric Security Empowers Businesses
When it is done well, implementing an identity-centric strategy reduces risk and enables business. As workers increasingly go remote and stay remote and enterprises deal with a multitude of cloud services used by their employees, there cannot be a trade-off between ease of access and security. Defending against data breaches requires incorporating effective identity posture into security policies. By utilizing deeper visibility into users and devices and enforcing policies in real time, IT can empower security without compromising business productivity.
About the Author: Doris Yang is the co-leader of the IDSA TWG Beyond Best Practices subcommittee and a Sr Director of Product Management at VMware, where she manages the Identity and Access Management portfolio for Workspace ONE. Prior to VMware, Doris held various Product Management positions at Cylance, Vectra Networks, Palo Alto Networks, PGP Corp, and Symantec.