The Convergence of Identity and Risk
In a post-COVID, post-perimeter world, identity has become the first line of defense
No single catalyzing event in recent history has had such an immediate and profound impact on Enterprise IT as the COVID-19 pandemic. In the early Spring of 2020, organizations all over the world shuttered their offices and sent their workers home as the virus swept across the globe. For many businesses, the sudden need to support a remote workforce required them to perform several years’ worth of digital transformation in a matter of weeks.
One year later, many workers have still not returned to the office, and some never will. Even before the pandemic, several trends were having a transformative impact on how IT executives were beginning to think about identity & access management (IAM). The proliferation of cloud services, bots, smart devices, and microservices were already requiring security architects to adopt a more risk-based approach to IAM. But COVID and the more recent SolarWinds breach have accelerated the urgency of this transformation.
Traditional approaches to IAM, which reflect an era when devices were centrally managed and business applications resided behind the enterprise firewall, are becoming increasingly anachronistic. In a post-COVID, post-perimeter world, identity has become the first line of defense. The inevitable result of this trend will be the convergence of identity and risk.
It is no longer sufficient merely to conduct periodic reviews of statically assigned privileges to ensure that users haven’t been granted more access than they need. While user access reviews are generally adequate to meet the minimum requirements of audit and compliance mandates, they have become an ineffective means of evaluating the inherent risk associated with user access.
For the modern enterprise, risk mitigation requires more than simply knowing what a user has access to. It is equally critical to know what they are doing with that access. For instance, what types of transactions are they performing? What is the sensitivity level of the data they have accessed? What device are they using, and from what location? Are they exhibiting anomalous behaviors that may be indicative of malicious activity? And, most importantly, are they even who they claim to be?
Quantifying the risks associated with employee access is difficult enough. But there is at least some level of assurance provided by the screening and background checks that constitute part of the employee hiring process. The risks posed by non-employees like contractors, partners, vendors and freelancers, on the other hand, are significantly higher.
In many organizations, non-employee identities are unmanaged by enterprise IAM processes and controls, since traditional identity solutions have focused solely on employee populations and used HR system data to make access decisions.., However, there is often no authoritative source to drive the identity lifecycle or the risk assessment for non-employees. These gaps mean that it is not unusual for non-employee identities to be overprovisioned, difficult to audit, and to remain active for several years after a user’s termination.
Another important characteristic of non-employees is that they aren’t limited to just contractors, vendors and B2B users. The increasing adoption of microservices, RPA, and zero trust architectures require non-human worker identities, such as those used by devices and bots, to be managed with the same rigor as human-owned identities.
Considering that according to a Ponemon study, 59% of all breaches are linked to a third party and often involve the misuse of non-employee identities, implementing risk-based controls to manage the lifecycle of non-employee identities is now even more critical than it is for employees.
Conventional IAM architectures have relied primarily on the ability to authenticate user credentials to a directory store and grant fine-grained access to business applications on the basis of statically assigned privileges, regardless of any inherent risk posed by a user. This model no longer reflects an IT landscape in which a mobile workforce can use unmanaged smart devices from anywhere in the world to access sensitive data in cloud-hosted business applications.
The next wave of IAM solutions need the ability to evaluate inherent and contextual risk when granting access to sensitive data and applications. This will require organizations to devise risk frameworks that incorporate factors such as activity, behavioral analytics, device, geolocation, data sensitivity and identity proofing into their existing access policies. It will also require, at a minimum, a heightened focus on mitigating the risks posed by non-employee access.
The adoption of risk-based IAM will not be easy or quick. For most companies, it will be a transformative, multi-year journey. But in today’s IT landscape, identity and risk can no longer be considered autonomous of each other. There is no greater example of that synergy than the risks that are being exposed every day by organizations that have been breached because of their failure to effectively manage non-employee access.