Creating unified identity security: the importance of identity-centred approaches to cyber-resilience

Companies have historically focused their security efforts on securing the infrastructure perimeter and using firewalls to defend against outside attacks, said Stuart Sharp in his introduction to a TEISS breakfast briefing at The Ivy, Tower Bridge, London. Sharp, EMEA Technology Strategist at One Identity, noted that as identity theft grows, and with more breaches originating inside the firewall, there is a greater need to control access to systems by managing identities.

Attendees at the briefing, all senior security experts from across a range of sectors, debated the challenges and opportunities of putting identity at the centre of cyber-resilience approaches. The picture they painted was one in which a perfect solution seems forever out of sight, even though tremendous progress has been made in recent years.

Identity and Zero Trust

Access controls are always at the top of the risk report, many attendees agreed, and it is a constant challenge to make progress. What is fundamental is securing critical data and moving out from there, rather than trying to create the perfect identity-centred approach.

Identity is at the centre of Zero Trust security, which does not trust by default any system or device seeking to access the network. The user must be identified and verified in all cases. Since pretty much every organisation has Zero Trust on the radar, many businesses are looking at their identity security provision. Zero Trust isn’t easy, and one attendee suggested more automation would make it easier.

Aside from the challenges of Zero Trust, one issue common to all attendees is the difficulty in tracking user permissions. One way to weaken credentials is to have too many, and users are often stuck with multiple accounts for different systems, most of which don’t talk to each other. On each system they might have different privileges and, very often, retain privileges they no longer need but which nobody has thought to remove.

Growing complexity

As attendees pointed out, this gets more complicated when a person’s role changes, which often entails a change in permissions. Newly acquired companies have employees – and their systems – who must be integrated. And then there are the devices, robotic processes and other “users” on the system that aren’t people but still require an identity.

It’s a complex picture and one that is further complicated by the changing nature of security threats, which often require processes to be updated or revised entirely. Even putting in a completely new system doesn’t help because, unless you are at a start-up, there will be some element of legacy to deal with.

Tackling this can be time-consuming and costly, and many attendees said they had found it difficult to make the case to the board that it needed to be done. It is the kind of project that the board sees only as a cost, with no clear benefit. As with a lot of security investments, the benefit comes with avoiding the disruption when something goes wrong.

‘Never waste a breach’

That’s why breaches and failed audits are often points when the board agrees to make the budget available. In the words of one attendee, “a breach or a failed audit should never be wasted”. Those opportunities do not always come along when required, so attendees said it can also be possible to build support from the board by developing the risk profile. If the board understands how improved identity management and security can reduce risk then they may be more co-operative.

Another option is to emphasise the efficiency benefits. A single sign-on system, for example, is good for security and better for users who don’t have to remember multiple logins and can work more smoothly. Showing the board the metrics can be helpful too: discrepancies in the number of accounts compared with joiners, movers and leavers, for example, or the number of orphan accounts.

Keeping track of everything is always difficult, but one way to do it better, attendees suggested, is with a configuration management database (CMDB), which offers a complete view of the hardware and software in the IT estate and how each component relates to the others. The downside is that it requires significant effort to get the right data into it from the outset, and many organisations don’t have the resources.

Even so, there is low-hanging fruit available for every organisation in the form of single sign-on and multi-factor authentication, said Alan Radford, EMEA Technology Strategist at One Identity, summing up the briefing. He said he was struck by how organisations are still wrestling with the same problems they were several years ago. The challenge is to continue to recognise and consolidate security silos, while still enabling the business and removing friction.