Identity Governance Blog

Rethinking Security When Identity is the Ultimate Attack Surface

By Craig Ramsay, Senior Solution Engineer at Omada

September 24, 2021

The quick shift to remote work because of the pandemic sped up the transition to more employees working remotely. Analysts at Gartner discovered in mid-2020 that 82% of business leaders intended to let employees work remotely at least part of the time, even once COVID-19 restrictions eased. What we’re now seeing is a shift towards a hybrid approach. This change affects many areas of business, including increasing the need for robust control of identity-related risk. Legacy identity governance and administration (IGA) solutions are struggling to keep up with this new hybrid environment, and the need for modernizing IGA architecture is clear.

The Ultimate Attack Surface: Identity

As people and connected devices have moved farther from the office, identity has become the new perimeter. Of course, this concept did not arise due to the pandemic’s increase in remote working. Still, it has increased urgency with the large, sudden switch from people working within enterprise networks that are closely monitored and secured to largely unmonitored and often insecure Wi-Fi home networks.

Attack vectors have changed due to this shift of employees logging on from outside the reach of perimeter-based security solutions and increased uptake of cloud-based applications and services. This larger attack surface can leave organizations vulnerable. This change also impacts temporary, third-party and vendor identities. Identity is the new control plane and central to the implementation of a zero trust strategy.

Modernization and Integration

The above changes have emphasized the need for a more holistic, identity-centric, modern approach to security. Modernizing your IGA architecture and integration with complimentary identity technologies is key to enabling this.

Gartner estimates that within the next two to three years, 63% of organizations will move or have already moved their IGA architecture into the cloud — as either a cloud-hosted or cloud-architected solution. Modern IGA solutions will also allow for flexible integration with standard connectivity frameworks, such as SCIM 2.0, OAUTH, SOAP and REST, and make use of identity analytics and integrations to improve end-user experience, operational efficiency and risk management.

Integration with complementary technologies such as privileged access management (PAM), data access governance (DAG) and cloud infrastructure and entitlement management (CIEM) is important. However, what’s also important is how these integrations fit your business requirements.

Keys to Effective Identity Management

A best-practices approach to creating an identity management strategy involves three basic elements, the first of which is strong identity lifecycle management. Having strong identity lifecycle management processes, including third parties and vendors, is critical for managing identity-related risk.

Well-defined joiner, mover and leaver (JML) processes — combined with identity analytics that enable more informed decisions during access request and access review processes — will simplify enforcement of a “least privilege” policy and mitigate other risks. These risks included orphaned accounts or terminated/dormant identities with active access.

Poor data quality is a significant barrier to identity and access management, as this data feeds directly into — and often triggers — your identity lifecycle management processes. So, the second necessary element is data quality regarding your identities and the systems and applications that need to be managed.

And, of utmost importance is having a full and correct list of all the identities within your organization. Without this, your JML processes will be ineffective, leading to decreased efficiency around joiners/movers getting the access they need and an increase in risk where movers/leavers retain access they should no longer have.

It’s also important that the data from your applications and systems be of high quality. Good data quality practices will deliver meaningful benefits. These benefits include automatic mapping of access back to the appropriate identities, improved end-user experience with user access requests and review processes and the ability to enforce granular control over your access.

The third element of this improved identity model is risk-based identity management. Good data quality will allow you to identify your personally identifiable information (PII), financially sensitive and privileged access/data, and the identities that can access it. Applying a risk score to this access and the related identities will allow the appropriate level of control to be applied. Higher risk will require more frequent review or multiple levels of approval.

Education is also essential for success, which undergirds these three elements across your entire organization.

Focus on Identity

The pandemic-induced accelerated digital transformation has seen new hybrid working models disrupting how identities are managed. As a result, being able to demonstrate that you know who the people are that are accessing your systems and data — and that the access they have is appropriate — has never been more critical.

By putting three basic elements in place at the foundation of a modernized IGA architecture, and then training your people appropriately, you will increase efficiency across key identity lifecycle processes and demonstrate control of your identity-related risk.

Let's Get
Started

Let us show you how Omada can enable your business.