7/1/2020
02:00 PM
Mike Kiser
Commentary

4 Steps to a More Mature Identity Program

Security has evolved to evaluate an identity's attributes, access, and behavior to determine appropriate access.

Certain junctures in history have created unintended dichotomies: haves and have nots, protected and unprotected. In cybersecurity, COVID-19 has shown us whether an enterprise is well ahead of the digital transformation curve or woefully behind. Those who've transformed have also embraced a security approach that de-emphasizes perimeter defense and instead elevates identity.

Many organizations have rushed to provision IT services such as a virtual private network or other access controls to enable a virtual workforce, but identity is much more than merely providing access gateways to resources. Access without oversight merely increases the attack surface for an enterprise. Using identity well means that oversight — known as identity governance — must be in place to ensure that any access provided is useful, appropriate, and necessary.

This kind of wisdom is not mechanical, of course. Identity governance is more than identity management — merely managing accounts and their access, which, when done in a rushed, utilitarian manner, can grant unnecessary and dangerous access to sensitive data and resources. Thus, a short-sighted approach that focuses merely on access can do more long-term harm than short-term good. Identity governance uses a comprehensive view of identity (both human and nonhuman) to evaluate that identity's attributes, access, and behavior to determine what access is appropriate for a given context.

Furthermore, it allows an organization to create a coherent security policy, based on identity, that spans all applications, data, and infrastructure. An audit record can document the successes and failures of this policy. Ideally, using identity in this way is an approach that learns from this historical record and takes input from both machine learning as well as from human insight. Rather than being tactical, identity governance is a strategic investment — it can provide an adaptable approach as identities, infrastructure, and business initiatives evolve.

The resiliency of an identity governance approach has been demonstrated over the last few months, as there has been a rise in workforce volatility: Enterprises are seeing new demands to govern newly remote workers, to onboard new contingent workers, and to pause employment for those being furloughed. These are business-driven demands that cannot be met, securely or at scale, with access alone.

Developing identity as the core of a security strategy — strategically implementing identity governance for an organization — grants this unique blend of contextual awareness and flexibility. Rather than being an optional add-on, it is essential to any enterprise seeking not just to survive in this new reality but to thrive.

Organizations can do four things to rapidly mature their identity program and better secure corporate resources:

  • Perform a full audit. Audit identities' access to systems, applications, and data across the entire enterprise. Identify weak areas in visibility over users' access to any corporate resource and determine where the identity program stands today versus its ideal state. Don't forget to determine the level of connectivity among each part of the security environment. From there, it's important to ensure that every system, resource, and business unit is engaged with the organization's identity governance solution.

  • Embrace automation for all identity processes. Less human involvement is more when it comes to identity governance. Employ innovations such as artificial intelligence (AI) and machine learning (ML) technologies to automate and accelerate decision-making in identity processes. When users either join, move within, or leave the company, access should be modified and checked against security policies to enforce "least access" principles. Enable self-service where appropriate, including password resets and access requests. Build a channel for users to request the procurement of new applications that is driven by ease of use.

  • Get control over data. Sensitive data represents one of the largest attack surfaces for any organization and is ironically a weak spot in most security approaches. A tool that can discover data automatically in both structured and unstructured systems will be extremely beneficial, classifying corporate data and scoring it in terms of risk, marking certain files or repositories as sensitive information. You can't govern what you're not aware of, so it's important to find and classify all data within the enterprise — and extend identity governance to control its use.

  • Regularly review and alter, if necessary, each aspect of the identity program. This includes more than standard processes like meeting audit requirements. Regular review is critical to the success of the program, given the constant changes in the roles and responsibilities of the identities that make up an enterprise. This is another area where AI and ML technology can help make informed decisions.
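The audit, automation, and data-control steps above all reduce to one recurring check: compare the access each identity actually holds against what policy says its current roles allow, re-run that check whenever a joiner, mover, or leaver event arrives, and weight the findings by how sensitive the resource is. The script below is an added example (not code from the article or from any identity governance product) that implements that reconciliation. The role-to-entitlement policy, the sensitivity labels standing in for a data-classification result, the identities, and the lifecycle events are all constructed sample data.

```python
"""Least-access reconciliation over a joiner/mover/leaver feed (added example).

Assumptions (constructed, not from the article):
  - ROLE_POLICY maps a business role to the entitlements it is allowed to hold.
  - SENSITIVE_RESOURCES is the output of a data-classification step.
  - Events carry a uid, a type (joiner/mover/leaver) and, for joiners and
    movers, the new set of roles.
"""
from dataclasses import dataclass

# Constructed policy: what each role may hold (step 1 baseline, step 2 input).
ROLE_POLICY = {
    "engineer": {"git:read", "git:write", "ci:run"},
    "finance": {"erp:read", "erp:post"},
    "contractor": {"git:read"},
}

# Constructed classification result (step 3): entitlements touching sensitive data.
SENSITIVE_RESOURCES = {"erp:post", "hr:export"}


@dataclass
class Identity:
    uid: str
    roles: set
    entitlements: set   # access actually provisioned today
    active: bool = True


def expected_access(roles):
    """Union of everything policy allows for the given roles."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_POLICY.get(role, set())
    return allowed


def apply_event(identity, event):
    """Update roles/active flag for a lifecycle event; entitlements are left
    untouched so the review step can surface what should now be revoked."""
    kind = event["type"]
    if kind == "joiner":
        identity.roles = set(event["roles"])
        identity.active = True
    elif kind == "mover":
        identity.roles = set(event["roles"])
    elif kind == "leaver":
        identity.roles = set()
        identity.active = False
    else:
        raise ValueError(f"unknown event type {kind!r}")
    return identity


def review(identity):
    """Compare held vs. allowed access. Returns (uid, kind, entitlement, severity).
    Excess access on sensitive resources or on deactivated identities is 'high'."""
    allowed = expected_access(identity.roles) if identity.active else set()
    findings = []
    for ent in sorted(identity.entitlements - allowed):
        sev = "high" if (ent in SENSITIVE_RESOURCES or not identity.active) else "medium"
        findings.append((identity.uid, "excess", ent, sev))
    for ent in sorted(allowed - identity.entitlements):
        findings.append((identity.uid, "missing", ent, "low"))
    return findings


def reconcile(identities, events):
    """Apply all lifecycle events, then review every identity."""
    by_uid = {i.uid: i for i in identities}
    for ev in events:
        apply_event(by_uid[ev["uid"]], ev)
    findings = []
    for ident in identities:
        findings.extend(review(ident))
    return findings


def run_sample():
    """Constructed identities and events; returns the resulting findings."""
    identities = [
        Identity("alice", {"engineer"}, {"git:read", "git:write", "ci:run"}),
        Identity("bob", {"finance"}, {"erp:read", "erp:post", "hr:export"}),
        Identity("carol", {"contractor"}, {"git:read", "git:write"}),
    ]
    events = [
        {"uid": "bob", "type": "mover", "roles": ["engineer"]},   # finance -> engineering
        {"uid": "carol", "type": "leaver"},                       # contract ended
    ]
    return reconcile(identities, events)


if __name__ == "__main__":
    for uid, kind, ent, sev in run_sample():
        print(f"{uid:6} {kind:8} {ent:10} {sev}")
```

Running it reports nothing for alice, flags bob's retained finance access (with `erp:post` rated high because it is classified sensitive) alongside the engineering access he now lacks, and rates every entitlement carol still holds after leaving as high. In practice the same `review` function would be scheduled as the periodic certification in step 4, so that access drifting away from policy between lifecycle events is caught as well.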

Identity governance is now essential for any organization. The world has shifted, and identity must be the foundation of every business around the world.

Mike Kiser is a security professional with 20 years of experience. He has designed, directed and advised on large-scale security deployments for a global clientele. He recently presented at RSA Conference, Black Hat and DEF CON. Mike co-hosts the podcast, Mistaken Identity, ...