The business landscape continues to evolve rapidly, and with it, the risks of those companies are changing. Whether it’s zero-day threats evading traditional defenses, the impact of digitization on productivity and skills, or the growth of remote work, it’s clear that a holistic approach is required to secure identities to gain access To critical assets, facilities, and infrastructure.
The COVID-19 pandemic has revolutionized how we work and interact within the workspace. A recent study by Frost & Sullivan shows that organizations will not return to pre-pandemic business models. Remote working and hybrid working seem to persist for the long term.
If this is the case, organizations and service providers must put in place controls and safeguards to ensure assets are secured regardless of an employee’s location.
The cloud is a key driver of these changes, with companies increasingly recognizing its role in any technology architecture. However, as more organizations move to the cloud, the organization’s attitude to risk changes.
Many companies have experienced a dramatic shift from the global pandemic in the way they do business, which industry experts see as a massive acceleration of change. Technology roll-out plans to take place over 3 to 5 years were implemented almost overnight.
Changes in the work environment significantly expanded the network perimeter – or made it inert in some areas. The old network perimeter was built around on-site users, endpoints, servers, and software. By comparison, the new boundary includes remote offices and employees, new cloud-based business apps, and a growing number of devices supported by hybrid cloud architecture.
Furthermore, the expanded workforce, including partners, suppliers, contractors, and others not directly employed by an organization, can exacerbate these challenges.
So how do organizations move to the cloud while maintaining a secure foundation throughout the journey? If a security chain is only as strong as its weakest link, the question is, are you willing to find and fix the weakest link? Otherwise, you must be willing to risk exposing the lowest link.
Often that weakest link has to do with identity, the main attack vector of choice for bad actors. Users with excessive privileges and dormant accounts are ripe targets to launch an offensive action against an organization.
IAM is a key element of a zero-trust strategy designed to address the ever-changing nature of attacks. This framework requires all users to be authenticated, authorized, and validated before accessing networks and applications, sometimes with additional confirmation as circumstances change. The basis of zero trust is never to trust, always to verify.
The biggest challenge with zero trust is putting it into practice. That is, identifying how to implement the relevant zero trust technologies to implement a continuous regime of monitoring systems, policies, and responses to verify identities and secure access.
As organizations strive for zero trust, they must identify the workflows, business processes, and how users initiate and interact with those flows. From there, it is necessary to identify risks and map out the proper controls to help keep the organization secure.
As such, it is vital to consider user experiences during the planning and implementation. Friction between an employee and a company’s critical systems can lead to compromised security – carelessness, frustration, or malicious behavior.
Finally, it is imperative to have functional and intuitive auditing and reporting capabilities to ensure that the organization does not build up “security debt” – the painful legacy of legacy and partially integrated systems – and to simplify compliance reporting when needed.
Zero trust priorities vary by industry, so exploring what implementation sequences or tools mean for a company’s risk profile is important. For example, implementing identity-centric and least-privileged access control can have the greatest advantage over micro-segmenting networks or enforcing zero-trust network access on managed and unmanaged devices.
Given the complexity of managing identities in globally distributed businesses, it’s not surprising that zero trust is a somewhat elusive goal.
Creating a step-by-step, phased roadmap that considers the risks to your organization is a big step. Also, partnering with suppliers who can help you along that journey, whether bridging current technology into the future or addressing multiple needs simultaneously, can dramatically simplify your journey.
This planning and design process is crucial. Gartner predicts that 30 percent of large organizations will have publicly shared environmental, social, and governance (ESG) goals focused on cybersecurity by 2026, up from less than 2 percent by 2021.
The ultimate goal is better security, but companies worldwide strive for better business outcomes. Identity and access management planning and management is one step on that path.