Future-Proof your Business with Identity-Centric Security
Creating and executing a truly identity-centric security strategy is more subjective than just “block” or “allow.” It takes a nuanced, subtle and proactive approach to be successful.
Imagine inviting guests to your house for an informal work meeting. You let them in with a cursory identity check at the front door but immediately tell them what rooms they are allowed into and what rooms they are not. The guests may be friends, employees, your boss or a third party brought in to do a presentation. Do they feel welcome?
As the meeting continues, you follow your guests from room to room, and tell them in an authoritarian tone that they can or can’t open that drawer, pick up that mug, use that knife or even scale those stairs. How is this experience making your guests feel? Do they want to be there, let alone stay? Do they want to participate in the meeting?
In another scenario, imagine explaining to your guests what will happen before they arrive. You already know who is coming. You can explain what they can expect upon arrival and outline the benefits of the boundaries you have set, whether it be the snacks and drinks or where you will conduct the meeting. When plans change and the third-party presenter needs a room different than the one you planned on, you can course-correct immediately because you already have Plan B mapped in your head.
Think of an identity-centric security strategy in the same terms as the guests you’ve invited to your home. The guests have their own rules based on what they need to do — when, where and how. Why do you care what each of your guests is doing? Let’s put it into perspective.
Across the 53K+ security events and 2,216 data breaches referenced in Verizon’s DBIR 2018, 17% had user errors as causal events (9,000+ events and 377 breaches), 12% involved privilege misuse (6,300+ events and 266 breaches), and 28% involved internal actors. That’s a staggering 14,840 incidents and 620 breaches that occurred in one year due to people who had permission to be there (the guests in your home!). So, it turns out, your guests are a weak link in your security armour.
How, then, do you protect your business? Future-proofing can naturally take many guises because it depends on the appetite for preparing for the unknown. Everything from intense strategy sessions that aim to identify potential threats (internally and externally) to Artificial Intelligence (AI) and Machine Learning (ML) predicting and reacting can be involved. But there is a better way. And at the heart of that better, more strategic way is identity.
The foundation of future-proofing with identity at the forefront of your approach is rooted in preparation, in knowing who your benevolent and malevolent actors are, and in implementing solutions that track these actors’ journeys. Where do they go? What do they do? And why are they doing it? All of those movements need to be accounted for, through go and no-go protocols and the questioning of anomalies, all whilst ensuring that business still gets done. Your Identity and Data Management (IDM) programme needs to enable activity quickly and securely as opposed to blocking activity that is crucial to your business.
If protective measures are not set with workforce buy-in and understanding, it won’t take long for them to be viewed with resentment (slowing down productivity) and through a negative instead of a positive lens. Explaining why the programme was necessary, and how it protects workers in addition to the network, goes a long way toward achieving compliance by personnel.
Being prepared for what the status quo is today and what that status quo will become tomorrow starts with a structured understanding of what an organisation truly looks like. To truly future-proof your business, you must have a view on what regions, teams, roles and individuals are doing and how they are delivering the company goals. From a standing start, this level of building out IDM is a huge task on its own. But, at scale, doing this retrospectively — after an organisation has thousands of employees across the world — is naturally prohibitive to executing an IDM strategy at all, let alone truly adding value in the long term.
Future-proofing your identity strategy needs to be iterative and constant, and must keep people, places and things, and the what, where and why, at the centre. Your organisation changes. The individuals, roles, teams and regions evolve regularly. By beginning with a solid grasp of what the business is and what it aims to do, and aligning your identity strategy to organisational goals, you are positioning yourself for growth and security. Just like dictating where your guests can and can’t go within your home, organisations must map out strategic experiences – both internally and externally.
Keith Povey is EMEA marketing director at Optiv Security.