The latest explosion of ransomware, technical vulnerability exploits, and other cybersecurity-related attacks makes it impossible to ignore the exponentially rising risk in our technology environment.
We have long established that threat actors are well-funded, highly skilled, and operate with a multitude of motives. But the latest news has significantly tipped the scales. Between nation-state funded attacks, financially motivated criminals, those seeking to inflict damage for a social cause, or simply to cause business disruption, there’s no shortage of threats.
The ongoing pandemic has given rise to unprecedented change with how we conduct business. It has affected how we interact with employees, engage with customers, and manage vendor relationships. The perimeter disappeared long ago, and we have identified a new first line of defense: The Individual. The individual and their credentials are the center of this stormy cyber equation. Who they are, what they access, when they access it, where they access it from, and finally, on which device it gets stored. Identity has become the first and primary line of defense.
Let’s process 2020: We had a global pandemic, work-from-home/quarantine orders, economic, political and world power shifts, and social unrest, especially in the United States where racial tensions and threats from extremists boiled over. These trends are the recipe for increased vulnerabilities, and potential turbulence on every possible front.
Given this backdrop, how can security teams successfully navigate the months and years ahead? Start by understanding that effective security revolves around managing user identities as they move from place to place and device to device. Here are five points to keep in mind when creating your identity and access management (IAM) program:
- Develop a strategy.
Define what the organization needs to protect and how the security team will protect it. Start with a discussion around the company’s goals for cyber defense and identity management. While it sounds basic, few execute this critical step. Companies must determine what to protect, and the lengths they will go to keep that data protected. Write down an accurate description of where those informational assets reside and where they can travel. For information that supports the company’s revenue-generating operations, build multiple layers of defense around it. Establish and document the ISO-OSI 7 Layers of Cybersecurity to defend mission-critical assets and activities: protect company data, applications, endpoints, networks, the perimeter, and the individual user.
- Restrict access to high-value information.
In theory, anyone (or anything) the company issues credentials to becomes a protector of the organization’s interests. Once an administrator creates an account, someone has validated that the user has sufficient access and that he or she operates in the best interest of the organization. But organizations are littered with stories of lost USB devices and stolen or misused credentials. All of these derive from the distribution of the credentials in the first place. Verify and recertify who has access to what and why. Only give users enough access to do their jobs.
- Leverage the right technology.
Automate the distribution, approval, recertification, and provisioning actions of identities. Automated systems track the distribution of account access, which builds in accountability. Each additional account distributes the risk across the organization both internally and externally. Ultimately, the chain flows from the individual acting appropriately, the manager reviewing and escalating concerns accordingly, senior management guiding effectively, and operations monitoring efficiently. Any break in the chain will compromise credentials, giving bad actors the keys to the kingdom. This will result in lost productivity, revenue, and credibility, business disruption, theft, and costly litigation.
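As an added illustration of points two and three (not code from the original article), the Python script below reviews constructed account data against a hypothetical least-privilege role baseline and recertification policy: grants outside the role's baseline are flagged for revocation, self-certified grants and grants past their recertification window are flagged for review.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical policy (assumptions, not from the article): high-value
# entitlements are recertified every 90 days, everything else yearly.
HIGH_VALUE = {"finance-ledger-write", "prod-db-admin"}
RECERT_DAYS = {"high": 90, "standard": 365}
# Hypothetical least-privilege baseline: entitlements each role may hold.
ROLE_BASELINE = {
    "accountant": {"finance-ledger-write", "email"},
    "developer": {"source-repo", "email"},
}

@dataclass
class Grant:
    entitlement: str
    last_certified: date
    certified_by: str   # manager who last recertified this grant

@dataclass
class Account:
    user: str
    role: str
    grants: list = field(default_factory=list)

def tier(entitlement):
    return "high" if entitlement in HIGH_VALUE else "standard"

def review_account(acct, today):
    """Return (entitlement, action) pairs for grants that need attention."""
    actions = []
    baseline = ROLE_BASELINE.get(acct.role, set())
    for g in acct.grants:
        age = (today - g.last_certified).days
        if g.entitlement not in baseline:          # more access than the job needs
            actions.append((g.entitlement, "revoke: outside role baseline"))
        elif g.certified_by == acct.user:          # no independent reviewer in the chain
            actions.append((g.entitlement, "recertify: self-certified"))
        elif age > RECERT_DAYS[tier(g.entitlement)]:
            actions.append((g.entitlement, f"recertify: last certified {age} days ago"))
    return actions

def review_all(accounts, today):
    """Map each user with outstanding actions to the list of actions."""
    report = {}
    for a in accounts:
        actions = review_account(a, today)
        if actions:
            report[a.user] = actions
    return report

# Constructed sample data for a stand-alone run.
TODAY = date(2021, 3, 1)
SAMPLE = [
    Account("alice", "accountant", [Grant("finance-ledger-write", date(2020, 11, 1), "bob"),
                                    Grant("email", date(2020, 6, 1), "bob")]),
    Account("carol", "developer", [Grant("source-repo", date(2021, 1, 15), "dan"),
                                   Grant("prod-db-admin", date(2021, 1, 15), "dan")]),
]
```

Running `review_all(SAMPLE, TODAY)` flags alice's ledger write access for recertification (120 days old against a 90-day window) and carol's database admin grant for revocation because it is outside the developer baseline.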
- Develop an incident response plan.
Every organization can and will eventually get attacked. Create a plan that will let the organization maintain continuous operations, deploy countermeasures, distribute communication, and execute remediation plans. Companies must prepare to respond swiftly and transparently to an incident. Ensure that the company has an active plan that immediately engages the response team and coordinates triage: establishing the response lead; neutralizing the threat through investigation and forensics, evaluation, containment and/or recovery, and remediation; and deploying the communication plan throughout.
- Embrace identity management as a lifestyle.
The critical component of this process isn’t adoption as a static program, but a continuous and active investment in the evolution of cyber defense and identity. The company’s ongoing monitoring and rapid response practices should evolve daily with the rapid pace of the threat landscape. Continued investment, advocacy, and support for users as the stewards or guardians of the organization’s most valuable assets will continue to keep it protected.
As the face of identity continues to morph, our vigilance as a collaborative community of practitioners must evolve exponentially faster. Identity governance and the protection of the company’s most valuable assets are critical to defending the new invisible perimeter. Do you trust who holds the keys?
Johanna Baum, founder and CEO, S3 Consulting