Managing Identity Across Clouds Critical to Enterprise Security

The continued growth of cloud-based operations and remote work has made managing identities — especially those of privileged users — increasingly important but also increasingly complex, pushing security firms to search for ways to give businesses better monitoring and control capabilities.

With the average company using nearly 100 different applications, and workers needing a different identity for each one, managing identity and controlling access needs to be a greater priority, says Alex Bovee, CEO and co-founder of identity and access management (IAM) provider ConductorOne.

"These companies ran out and they adopted tons of cloud, maybe they've got some on-prem stuff, they've got an HR directory, and now things are like a bit of a mess," Bovee says. "And the reality is that identity is the most important asset you have in your organization, and it's woefully unprotected."

ConductorOne offers Access Fabric, a platform that centralizes identity information from different cloud platforms and across on-premise applications. The Access Fabric platform allows not only monitoring of identities across the business, but also automation and control of provisioning and anomaly detection.

Understanding the Magnitude of the Challenge

Consolidating identity information becomes important as the number of cloud services, on-premise applications, and human-resource controls increases. Consider these facts: the average company uses 98 different applications (Okta's Businesses at Work 2023 report); the root cause of most breaches boils down to stolen credentials and identity (Verizon's 2023 Data Breach Investigations Report); and most identity-based breaches (67%) lead to a direct impact to business (Identity Defined Security Alliance's 2023 Trends in Identity Security report).

Managing workers' identities and access is critical to preventing breaches. More important to the organization's bottom line – managing identity and access can reduce the cost compromises when they happen. The average cost of a breach is $4.45 million, according to IBM's Cost of a Data Breach report, but companies that deployed IAM tools reduced those costs by $180,000 on average.

Add in the identity requirements of different cloud providers and machine identities, and the problem only grows, says Geoff Cairns, a principal analyst with Forrester Research.

"IAM is more complicated [and] complex when managing across both cloud and private environments — more overhead, more diverse operations that need to be accounted for, and more difficult to get visibility to risks and threats, but I think that is only part of it," Cairns says. "Managing IAM — and by extension privileged access — becomes more difficult given the dynamic nature of cloud identities as well as the workforce trends of 'anywhere work' and the extended enterprise, [such as] partners [and] service providers."

Identity Visibility Needed to Stop Breaches

The complexity of managing identities and access has hampered the cybersecurity industry segment. Companies that experience high rates of turnover, smaller firms, and those without a technical IT or information-security team are all less likely to have good visibility and control over identities and permissions, says Sean Heide, technical research director at the Cloud Security Alliance.

Companies that do not have a plan or enough resources in place, run the risk of misconfiguring their IAM or PAM solutions, potentially leading to loss of access or disruptions, Heide says.

"You need a well thought out plan in place before deploying a PAM solution to ensure you are covered from any of the aforementioned negative impacts," Heide says. "It doesn't need to be difficult, but it will be time consuming."

In the identity and access management segment, Microsoft, Okta, Ping Identity, ForgeRock and IBM are the leading companies, while BeyondTrust, CyberArk, and Delinea are the three companies leading privileged access management (PAM), according to Gartner.

Companies should place a priority on IAM and PAM, but their cloud plans should figure into their planning, because cloud does have a major impact on the end strategy, says Forrester's Cairns.

"Customers easily fall into the trap of being led by the technology and not focusing on their own priorities and processes," Cairns says. Rather than starting small with achievable milestones, they take a "boil-the-ocean approach."

Managing Identity Regularly Tops List

The Cloud Security Alliance's top threats report regularly features identity issues as the top threats. In the Top Threats to Cloud Computing: Pandemic 11 Deep Dive report, for example, "insufficient identity, credentials, access, and key management" is ranked No. 1. Despite that, 58% of IT teams have not deployed PAM because it is too expensive and two-thirds say any deployment would likely be scaled back during a downturn, according to a Keeper Security report released in December.

Companies should buck the trend and prioritize IAM and PAM, says CSA's Heide.

"We always say in security that the employees are the first line of defense," he says. "Well as practitioners we can't help them be that defensive structure if we aren't supplying them with secure authentication and authorization routes. ... The biggest key here is understanding permission levels across your business, who has access to what, and potentially look into data labeling so when the time comes, you know what role can access what file or system."

Gaining that visibility is one of the key reasons ConductorOne developed the Access Fabric, says Bovee. By consolidating all identity and access data in a single data layer, companies can easily access details and set granular access controls.

"You can ask the question, who has super admin access to my Google workspace, or how did they get that access, and [you can see] the relationship between that permission and what resources or data people can read on different services," Bovee says. "It really lets you understand, first of all, who has access to what, and then the authorization paths [showing] how people are granted that access and what that access actually allows them to do."

And that understanding is a critical step toward securing businesses against modern attacks, he says.