Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

7/1/2020
02:00 PM
Mike Kiser
Mike Kiser
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

4 Steps to a More Mature Identity Program

Security has evolved to evaluate an identity's attributes, access, and behavior to determine appropriate access.

Certain junctures in history have created unintended dichotomies: haves and have nots, protected and unprotected. In cybersecurity, COVID-19 has shown us whether an enterprise is well ahead of the digital transformation curve or woefully behind. Those who've transformed have also embraced a security approach that de-emphasizes perimeter defense and instead elevates identity.

Many organizations have rushed to provision IT services such as a virtual private network or other access controls to enable a virtual workforce, but identity is much more than merely providing access gateways to resources. Access without oversight merely increases the attack surface for an enterprise. Using identity well means that oversight — known as identity governance — must be in place to ensure that any access provided is useful, appropriate, and necessary.

This kind of wisdom is not mechanical, of course. Identity governance is more than identity management — merely managing accounts and their access, which, when done in a rushed, utilitarian manner, can grant unnecessary and dangerous access to sensitive data and resources. Thus, a short-sighted approach that focuses merely on access can do more long-term harm than short-term good. Identity governance uses a comprehensive view of identity (both human and nonhuman) to evaluate that identity's attributes, access, and behavior to determine what access is appropriate for a given context.

Furthermore, it allows an organization to create a coherent security policy, based on identity, that spans all applications, data, and infrastructure. An audit record can document the successes and failures of this policy. Ideally, using identity in this way is an approach that learns from this historical record and takes input from both machine learning as well as from human insight. Rather than being tactical, identity governance is a strategic investment — it can provide an adaptable approach as identities, infrastructure, and business initiatives evolve.

The resiliency of an identity governance approach has been demonstrated over the last few months, as there has been a rise in workforce volatility: Enterprises are seeing new demands to govern newly remote workers, to onboard new contingent workers, and to pause employment for those being furloughed. These are business-driven demands that cannot be met, securely or at scale, with access alone.

Developing identity as the core of a security strategy — strategically implementing identity governance for an organization — grants this unique blend of contextual awareness and flexibility. Rather than being an optional add-on, it is essential to any enterprise seeking not just to survive in this new reality but to thrive.

Organizations can do four things to rapidly mature their identity program and better secure corporate resources:

  • Perform a full audit. They must audit identities' access to systems, applications, and data across the entire enterprise. Identify weak areas in visibility over users' access to any corporate resource and determine the current status of the identity program today versus its ideal state. Don't forget to determine the level of connectivity among each part of the security environment. And from there, it's important to ensure that every system, resource, and business unit is engaged with the organization's identity governance solution.

  • Embrace automation for all identity processes. Less human involvement is more when it comes to identity governance. Employ innovations such as artificial intelligence (AI) and machine learning (ML) technologies to automate and accelerate decision-making in identity processes. When users either join, move within, or leave the company, access should be modified and checked against security policies to enforce "least access" principles. Enable self-service where appropriate, including password resets and access requests. Build a channel for users to request the procurement of new applications that is driven by ease of use.

  • Get control over data. Sensitive data represents one of the largest attack surfaces for any organization and is ironically a weak spot in most security approaches. A tool that can discover data automatically in both structured and unstructured systems will be extremely beneficial, classifying corporate data and scoring it in terms of risk, marking certain files or repositories as sensitive information. You can't govern what you're not aware of, so it's important to find and classify all data within the enterprise — and extend identity governance to control its use.

  • Regularly review and alter, if necessary, each aspect of the identity program. This includes more than standard processes like meeting audit requirements. Regular review is critical to the success of the program, given the constant changes in the roles and responsibilities of the identities that make up an enterprise. This is another area where AI and ML technology can help make informed decisions.

Identity governance is now an essential for any organization. The world has shifted, and identity must be the foundation of every business around the world.

Related Content:

 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
 

Mike Kiser is a security professional with 20 years of experience. He has designed, directed and advised on large-scale security deployments for a global clientele. He recently presented at RSA Conference, Black Hat and DEF CON. Mike co-hosts the podcast, Mistaken Identity, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21275
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
CVE-2021-21272
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting