Cloud computing and powerful portable devices have changed the way we work
The challenges of the past 18 months have shown just how powerful these innovations are.
But the shift to new ways of working goes hand in hand with increases in security threats and a riskier business climate. Organisations of all sizes need to view information security as a central pillar of their operations.
The cloud is no exception. Moving to the cloud can in fact improve security, because providers can concentrate investment in protecting the platform and the data it holds. But a provider only secures what it controls; identities, configuration and access to data remain the customer's responsibility. CISOs therefore need a consistent approach to cybersecurity across on-premises, hybrid and cloud systems.
Digital technology, digital identity
Few businesses, if any, can operate without their applications and data, and that dependence gives criminals, state actors and hacktivists new ways to target them. Organisations protect their data along three pillars: confidentiality, integrity and availability. Maintaining all three reduces risk to the business while ensuring that employees and partners get the access they legitimately need. Security has to adapt to new ways of doing business and to changing threats.
Strong identity governance and administration policies are a cornerstone of good security. High-profile incidents, from ransomware to supply chain compromises, have often exploited weak identity and access management processes.
Some of the highest-profile attacks on record were possible not because a nation-state exploited an obscure zero-day vulnerability, but because of something as simple as a compromised orphaned account. One such account is enough for unauthorised access to a system, an escalation of privilege, or a lateral move from a poorly secured platform to a high-value one.
To protect against this, organisations need to know who has been granted access to which systems and applications, and to revoke that access when it is no longer needed. A strong identity governance and administration (IGA) system helps here. It is not, though, the whole picture.
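The access review behind that statement can be made concrete. The following is an added example, not Omada's code or any product's output: it cross-references a constructed identity-store export against a constructed HR roster and flags the cases just described, namely accounts with no recorded owner, orphaned accounts whose owner is unknown to HR, accounts belonging to leavers, and accounts that have gone unused. The dormancy threshold, record layouts and sample records are assumptions.

```python
"""Orphaned and stale account review.

Added example, not Omada's code: cross-reference an identity-store export
against an HR roster and flag accounts an access review should revoke or
investigate. The threshold, record layouts and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DORMANT_AFTER_DAYS = 90  # assumed policy: unused for more than 90 days is dormant


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                  # "active" or "terminated"
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    name: str
    owner_emp_id: Optional[str]  # None when the directory records no owner
    last_login: Optional[date]   # None when the account has never signed in
    privileged: bool


OWNERSHIP_FINDINGS = (
    "no recorded owner",
    "orphaned: owner not in HR roster",
    "owner terminated: revoke",
)


def review_accounts(accounts, roster, today):
    """Map each account name to its list of findings (an empty list means clean)."""
    by_id = {e.emp_id: e for e in roster}
    report = {}
    for acct in accounts:
        issues = []
        # Ownership: who is accountable for this account, and are they still employed?
        if acct.owner_emp_id is None:
            issues.append(OWNERSHIP_FINDINGS[0])
        elif acct.owner_emp_id not in by_id:
            issues.append(OWNERSHIP_FINDINGS[1])
        elif by_id[acct.owner_emp_id].status == "terminated":
            issues.append(OWNERSHIP_FINDINGS[2])
        # Usage: access that is never exercised is access nobody needs.
        if acct.last_login is None:
            issues.append("never used")
        elif (today - acct.last_login).days > DORMANT_AFTER_DAYS:
            issues.append(f"dormant for {(today - acct.last_login).days} days")
        report[acct.name] = issues
    return report


def revocation_queue(report, accounts):
    """Accounts with an ownership finding, privileged ones first, then alphabetical."""
    privileged = {a.name: a.privileged for a in accounts}
    flagged = [name for name, issues in report.items()
               if any(issue in OWNERSHIP_FINDINGS for issue in issues)]
    return sorted(flagged, key=lambda name: (not privileged[name], name))


# Constructed sample data (not real people or systems).
TODAY = date(2021, 9, 1)
ROSTER = [
    Employee("E100", "active"),
    Employee("E101", "terminated", left_on=date(2021, 6, 30)),
    Employee("E102", "active"),
]
ACCOUNTS = [
    Account("alice", "E100", date(2021, 8, 30), privileged=False),
    Account("bob", "E101", date(2021, 8, 28), privileged=True),    # leaver, still signing in
    Account("carol", "E102", date(2021, 3, 1), privileged=False),  # valid owner, unused
    Account("svc-backup", None, date(2021, 8, 31), privileged=True),
    Account("dave", "E999", None, privileged=True),                # owner unknown to HR
]

if __name__ == "__main__":
    findings = review_accounts(ACCOUNTS, ROSTER, TODAY)
    for name, issues in findings.items():
        print(f"{name:<12} {'; '.join(issues) or 'ok'}")
    print("revoke now:", revocation_queue(findings, ACCOUNTS))
```

The point of separating ownership findings from usage findings is that they need different handling: an account whose owner has left, or who HR has never heard of, is revoked outright, while a dormant account with a valid owner goes to that owner for recertification. Note that bob's account is still being used after the owner left; last-login data alone would never have caught it.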
New risks, new threats
When the global pandemic drove the large-scale shift to remote working, remote workers became attractive targets for malicious hackers: they sit outside the corporate firewall and, perhaps more importantly, away from the security culture that comes with working in the office.
The move to online office suites is another area criminal hackers exploit, for example with phishing pages that imitate the suite's login dialogue to harvest credentials. Attackers are also turning to artificial intelligence and machine learning to get past existing security measures. AI-based attacks are designed to mimic human behaviour and to evolve over time, and such "weaponised AI" could draw on information in the public domain to learn how to target an organisation and bypass its defences.
Defending against these attacks means looking again at identity and access management controls. Should multi-factor authentication be required earlier, and more often? Should network access be limited to company-owned devices, or to certain business hours or geographies? Should access to critical systems and sensitive data expire automatically, or be granted only for the task at hand? These are key questions both for the CISO and for the business users they support.
Using identity to stay ahead of threats
Limiting access to systems reduces risk but comes at a cost. Set the bar too low and the organisation is exposed; set it too high and efficiency suffers, and so does security, because users turn to unauthorised systems, or "shadow IT", to get their jobs done.
There are, though, ways to balance security, compliance and efficiency. More CISOs are looking to Zero Trust as a way to future-proof systems against emerging threats. Zero Trust grants nothing on the basis of network location alone; every access decision falls back on the identity making the request, so it relies on robust identity systems.
Organisations can also invest in automation for identity management. Applied consistently, automation reduces both the administrative overhead and the friction to business users of measures such as multi-factor authentication or time-limited access to critical systems.
Automated, policy-driven controls can limit access to specific devices, restrict the times of day at which access is permitted, and require multi-factor authentication (MFA) when behaviour looks unusual.
In the past, attackers focused on gaining access to high-level user or administrator accounts. Businesses have responded by hardening administrator accounts and educating their users in cybersecurity.
With the growth of the cloud and remote work, compromising knowledge workers has proven easier, yields access to valuable data and offers many more targets. Knowledge workers are also typically less security-savvy than administrators. Organisations therefore need an IGA system that can scale to govern every identity, not only the privileged ones.
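The questions raised above about MFA timing, device and time restrictions, geography and expiring access all reduce to a policy evaluated on every request. The following is an added example, not Omada's code or any product's API: a small conditional-access decision that denies unmanaged devices, disallowed countries and out-of-hours requests, refuses a time-limited grant once it has expired, and steps up to MFA for sensitive resources or when behavioural risk signals accumulate. The policy values, the risk weights and the sample requests are constructed assumptions.

```python
"""Adaptive access decision.

Added example, not Omada's code or any product's API: evaluate one access
request against conditional-access rules of the kind the text describes
(managed devices only, business-hours window, allowed countries, step-up MFA
on risk signals, time-limited grants). Policy values, scoring weights and the
sample requests are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Policy:
    managed_device_only: bool = True
    allowed_countries: frozenset = frozenset({"DK", "GB"})
    business_hours: tuple = (7, 20)   # permitted local hours, [start, end)
    mfa_risk_threshold: int = 30      # a risk score at or above this forces MFA
    sensitive_always_mfa: bool = True


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    sensitive: bool
    device_managed: bool
    country: str
    local_hour: int
    new_device: bool
    failed_logins_last_hour: int
    now: datetime
    grant_expires_at: Optional[datetime] = None  # None means standing access


def risk_score(req):
    """Assumed weights: an unfamiliar device and recent failed logins both raise risk."""
    score = 25 if req.new_device else 0
    score += 10 * min(req.failed_logins_last_hour, 5)
    return score


def decide(req, policy):
    """Return (decision, reason). Hard denies come first so the policy fails closed."""
    if req.grant_expires_at is not None and req.now >= req.grant_expires_at:
        return "DENY", "time-limited grant has expired"
    if policy.managed_device_only and not req.device_managed:
        return "DENY", "unmanaged device"
    if req.country not in policy.allowed_countries:
        return "DENY", f"country {req.country} not permitted"
    start, end = policy.business_hours
    if not start <= req.local_hour < end:
        return "DENY", f"hour {req.local_hour} outside business hours"
    score = risk_score(req)
    if req.sensitive and policy.sensitive_always_mfa:
        return "ALLOW_WITH_MFA", "sensitive resource"
    if score >= policy.mfa_risk_threshold:
        return "ALLOW_WITH_MFA", f"risk score {score}"
    return "ALLOW", f"risk score {score}"


# Constructed sample requests; every value here is illustrative.
NOW = datetime(2021, 9, 1, 10, 0, tzinfo=timezone.utc)
POLICY = Policy()


def make_request(**overrides):
    fields = dict(user="alice", resource="crm", sensitive=False, device_managed=True,
                  country="DK", local_hour=10, new_device=False,
                  failed_logins_last_hour=0, now=NOW)
    fields.update(overrides)
    return Request(**fields)


ROUTINE = make_request()
NEW_DEVICE_WITH_FAILURES = make_request(new_device=True, failed_logins_last_hour=1)
PAYROLL = make_request(resource="payroll", sensitive=True)
PERSONAL_LAPTOP = make_request(device_managed=False)
LATE_NIGHT = make_request(local_hour=2)
EXPIRED_JIT = make_request(resource="prod-db", grant_expires_at=NOW - timedelta(minutes=1))
LIVE_JIT = make_request(resource="prod-db", sensitive=True,
                        grant_expires_at=NOW + timedelta(hours=1))

if __name__ == "__main__":
    for label, req in [("routine", ROUTINE), ("new device + failures", NEW_DEVICE_WITH_FAILURES),
                       ("payroll", PAYROLL), ("personal laptop", PERSONAL_LAPTOP),
                       ("late night", LATE_NIGHT), ("expired JIT", EXPIRED_JIT),
                       ("live JIT", LIVE_JIT)]:
        print(f"{label:<22} {decide(req, POLICY)}")
```

Two design points carry the argument of the text. First, the expiry check sits before everything else: a task-by-task grant that has lapsed is denied even for a compliant device in the right country at the right hour, which is what makes time-limited access meaningful. Second, a single weak signal (a new device on its own scores 25) does not interrupt the user, but a new device combined with a failed login crosses the threshold and triggers MFA, so friction is spent where the risk is.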
Investing in IAM for consistent automation makes security and access compliance easier and reduces routine administrative tasks. But CISOs and boards are now looking beyond identity management alone: IGA, which governs who should hold which access and why, is central to the conversation about security and governance.
Investing in IGA, and especially in tooling built for cloud environments, protects identities, improves efficiency and makes it easier for employees to follow business processes. Done well, it aligns security with the business.
About the Author
As vice president of product strategy at Omada, Rod Simmons provides vision for where the IGA market is going and how Omada retains a leadership position. Rod works closely with the product teams and chief technology officer to define Omada's vision and objectives to achieve the goals. As a 20-year industry veteran, he has a passion for innovation and software design. He has extensive experience in leading and designing cutting-edge products and technologies. Prior to Omada, Rod spent time at Stealthbits, BeyondTrust, and Quest Software. During his tenures, he held the roles of vice president of product strategy, director of product management and director of solution architects, respectively.
Featured image: ©BillionPhotos