#HowTo Adopt an Identity-Centric Security Approach

When it comes time to think about cybersecurity, it is easy to be reactive—to find yourself plugging holes in response to new compliance mandates or a recent data breach. Unfortunately, focusing on problems after they have appeared prevents enterprises from adopting strategies to meet new challenges before they emerge.

Future-proofing the enterprise means breaking out of reactive mindsets and embracing a new reality—one where the growth of cloud services, connected devices, and the consumerization of IT has made identity an even more foundational piece of enterprise security.

Why enterprise security must evolve

In this new world, identity is the fundamental link between users, devices, and cloud applications. Enterprises need to evolve, and those that are placing identity at the focal point of a defense-in-depth strategy are seeing results. According to IDSA’s recent “Identity Security: A Work in Progress” report, only 34% of companies with a “forward-thinking” security culture experienced an identity-related breach in the past year — far fewer than the 59% of companies with a culture characterized as “reactive.”

Forward-thinking companies are defined as those that use an identity-centric security approach to reduce the risk of a breach or failed audit. The case for joining the ranks of these companies is clear: changes to network infrastructure and the perimeter in the form of cloud adoption, the use of mobile technologies, and an increasingly remote workforce have dramatically broadened the attack surface enterprises need to protect and been accompanied by a rise in credential theft.

With users accessing and interacting with enterprise networks in so many ways, integrating the identity and access management (IAM) infrastructure with security solutions enables businesses to make more intelligent decisions about access and policy enforcement.

Critical to this strategy is the ability to propagate the identity context between the actor and the resource through different technology layers, such as endpoints, applications, APIs, and network infrastructure. Details such as geographic location, device characteristics, and login attempts all represent pieces of a picture and should follow the user as he or she tries to access a particular application or system.

If someone is accessing a server with legal documents, for example, that might be fine; but if that user has never accessed that server before and is doing it from an unfamiliar device and location, the risk level associated with the account rises and should trigger additional attestation or enforcement actions. 

By adopting an identity-centric strategy, enterprises reduce the risk of both intrusions as well as the lateral movement of attackers already inside the network. As phishing attacks and credential theft rise alongside the ongoing digital transformation of businesses, future-proofing enterprises against security threats requires an approach that secures the glue that connects users, technologies, and services together.

Becoming forward-thinking: putting identity first

Understanding why you need to get out of a reactive mindset is straightforward, knowing where to begin is not. There is more than one way to achieve identity-defined security. When considering where to invest, enterprises should:

  1. Discover, define, and examine identity types - Identities are not just tied to human beings. When developing an identity-centric strategy, organizations should consider all forms of identity—from end-users to scripts to applications.  
  2. Identify vulnerabilities and risk associated with those identity types - This step involves assessing the risk posed by each of the identity types identified in the previous phase and any potential blind spots. 
  3. Establish the current state of security outcomes - Go through IDSA’s ever-expanding list of security outcomes and identify the gaps in your strategy and infrastructure. As part of this process, emphasize the need for dialogue and cooperation between teams to prevent security and operational silos.
  4. Create a roadmap - The next step is to create a road map and prioritize where to put your energy and budget according to your needs. Core functions such as multi-factor authentication and governance, for example, should be high-priority items. Done well, each step of the roadmap will build upon previous efforts and maximize your security investment. 
  5. Implement security outcomes - Once you have decided where to start, make it a habit to periodically re-evaluate where you are on the journey. As your organization grows, the best way to achieve identity-centric security may change too.

By putting identity at the center of security strategy, security leaders can transition from reacting to the crisis of the day to proactively addressing that and much more. As the needs of enterprise IT evolve, we encourage feedback from our members and others about the list as well.

With strong integration between identity management and security, enterprises can move closer to a Zero Trust environment that raises the bar of entry for attackers and magnifies the impact of every dollar spent on security.

What’s Hot on Infosecurity Magazine?