Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

02:00 PM
Mike Kiser
Mike Kiser
Connect Directly
E-Mail vvv

4 Steps to a More Mature Identity Program

Security has evolved to evaluate an identity's attributes, access, and behavior to determine appropriate access.

Certain junctures in history have created unintended dichotomies: haves and have nots, protected and unprotected. In cybersecurity, COVID-19 has shown us whether an enterprise is well ahead of the digital transformation curve or woefully behind. Those who've transformed have also embraced a security approach that de-emphasizes perimeter defense and instead elevates identity.

Many organizations have rushed to provision IT services such as a virtual private network or other access controls to enable a virtual workforce, but identity is much more than merely providing access gateways to resources. Access without oversight merely increases the attack surface for an enterprise. Using identity well means that oversight — known as identity governance — must be in place to ensure that any access provided is useful, appropriate, and necessary.

This kind of wisdom is not mechanical, of course. Identity governance is more than identity management — merely managing accounts and their access, which, when done in a rushed, utilitarian manner, can grant unnecessary and dangerous access to sensitive data and resources. Thus, a short-sighted approach that focuses merely on access can do more long-term harm than short-term good. Identity governance uses a comprehensive view of identity (both human and nonhuman) to evaluate that identity's attributes, access, and behavior to determine what access is appropriate for a given context.

Furthermore, it allows an organization to create a coherent security policy, based on identity, that spans all applications, data, and infrastructure. An audit record can document the successes and failures of this policy. Ideally, using identity in this way is an approach that learns from this historical record and takes input from both machine learning as well as from human insight. Rather than being tactical, identity governance is a strategic investment — it can provide an adaptable approach as identities, infrastructure, and business initiatives evolve.

The resiliency of an identity governance approach has been demonstrated over the last few months, as there has been a rise in workforce volatility: Enterprises are seeing new demands to govern newly remote workers, to onboard new contingent workers, and to pause employment for those being furloughed. These are business-driven demands that cannot be met, securely or at scale, with access alone.

Developing identity as the core of a security strategy — strategically implementing identity governance for an organization — grants this unique blend of contextual awareness and flexibility. Rather than being an optional add-on, it is essential to any enterprise seeking not just to survive in this new reality but to thrive.

Organizations can do four things to rapidly mature their identity program and better secure corporate resources:

  • Perform a full audit. They must audit identities' access to systems, applications, and data across the entire enterprise. Identify weak areas in visibility over users' access to any corporate resource and determine the current status of the identity program today versus its ideal state. Don't forget to determine the level of connectivity among each part of the security environment. And from there, it's important to ensure that every system, resource, and business unit is engaged with the organization's identity governance solution.

  • Embrace automation for all identity processes. Less human involvement is more when it comes to identity governance. Employ innovations such as artificial intelligence (AI) and machine learning (ML) technologies to automate and accelerate decision-making in identity processes. When users either join, move within, or leave the company, access should be modified and checked against security policies to enforce "least access" principles. Enable self-service where appropriate, including password resets and access requests. Build a channel for users to request the procurement of new applications that is driven by ease of use.

  • Get control over data. Sensitive data represents one of the largest attack surfaces for any organization and is ironically a weak spot in most security approaches. A tool that can discover data automatically in both structured and unstructured systems will be extremely beneficial, classifying corporate data and scoring it in terms of risk, marking certain files or repositories as sensitive information. You can't govern what you're not aware of, so it's important to find and classify all data within the enterprise — and extend identity governance to control its use.

  • Regularly review and alter, if necessary, each aspect of the identity program. This includes more than standard processes like meeting audit requirements. Regular review is critical to the success of the program, given the constant changes in the roles and responsibilities of the identities that make up an enterprise. This is another area where AI and ML technology can help make informed decisions.

Identity governance is now an essential for any organization. The world has shifted, and identity must be the foundation of every business around the world.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 

Mike Kiser is a security professional with 20 years of experience. He has designed, directed and advised on large-scale security deployments for a global clientele. He recently presented at RSA Conference, Black Hat and DEF CON. Mike co-hosts the podcast, Mistaken Identity, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.