For businesses, as well as individuals, the last 18 months have been like no other in living memory. But even with all that has been thrown at us, amongst the positive trends that has emerged from the pandemic has been the acceleration of digital transformation. The technologies that are component parts of this have long been heralded as potential game-changers – given their ability to boost business growth and promote efficiency – and are now seeing their rates of adoption explode.
This step change has created a powerful advantage for both organisations and employees alike, especially with the implementation of lasting hybrid working models and the increased accessibility of data. As well as this, however, it also brings into play a myriad of issues for cyber security teams, not least more opportunities for sophisticated malicious actors to successfully target employers. This is only set to worsen too as devices, apps and automation bots propagate even further across enterprises. Collectively, these make up a wider attack surface and potentially an easy target for cyber criminals looking to exploit poor cyber security practices.
With the pressure mounting on already busy IT and security teams, how then can they take control of the people, devices and technology within their digital ecosystems to keep cyber criminals at bay? The answer is that they need to act now, and aggressively, to mitigate risks and shoot identity security to the top of their security strategy. Here’s why:
Security is about more than people
Just like humans – whether employees, partners or customers – devices, apps and bots using a network also have associated identities and privileges that are ripe for exploitation. The level of access and privilege afforded to every identity needs to be carefully controlled and managed to ensure secure, authorised use of data and applications.
This has been the reality for some time, but when digital transformation succeeds, it is at a scale that compounds many of the security issues that already exist within an organisation. For example, for analytics driven by artificial intelligence (AI) to draw meaningful insights, massive amounts of data is needed. That requires connectivity and communication between the many different identities across applications, devices, people and bots, at scale, and almost instantly. If any of those identities are compromised, a malicious actor could enter an organisation’s network and use the privileges associated with that identity – whether it’s a human or not – to access what they should not be able to.
Identity gets a new look: examining the W3C Verifiable Credentials standard
Shifting your approach to deal with complexity
Managing this complex security environment is difficult, and it’s only set to get harder. As cyber criminals continue to innovate, organisations need to change the way they think about security – starting by taking a more aggressive approach to their security practices.
Perimeter-based security, where organisations only allow trusted parties with the right privileges to enter and leave doesn’t suit the modern digitalised, distributed environment of remote work and cloud applications. It’s just not possible to put a wall around a business that’s spread across multiple private and public clouds and on-premises locations.
This has led to the emergence of approaches like Zero-Trust – an approach built on the idea that organisations should not automatically trust anyone or anything – and the growth of identity security as a discipline, which incorporates Zero-Trust principles at the scale and complexity required by modern digital business.
Zero-Trust frameworks demand that anyone trying to access an organisation’s system is verified every time before granting access on a ‘least privilege’ basis, which is particularly useful in the context of the growing need to audit machine identities. Typically, they operate by collecting information about the user, endpoint, application, server, policies and all activities related to them and feeding it into a data pool which fuels machine learning (ML).
The benefit of such an approach is that it can automatically recognise unusual behaviours and unfamiliar machines, and immediately trigger the need for additional authentication. Such applications of ML are likely to form the future of how we secure identity, and are already greatly reducing the complexity of analysis required for access controls.
Stepping forward into a secure, identity-first future
Identity security is the most effective way to ensure access is under control, especially when it comes to the proliferation of emerging technologies. With the risks of breaches already high, IT teams must embrace a new identity-based approach to their security efforts, and deploy technologies such as AI and ML themselves to underpin these strategies so security acts as a digital transformation enabler. Doing so will allow them to concentrate their efforts on making sure the transition to digital drives value for the wider business, and encourages innovation, rather than being purely focused on keeping threat actors at bay.
