Identity: The decision point
Perimeter-based security models built to keep attackers out won’t work when 60% of breaches now involve valid credentials. As my colleague Andy Thompson says, “It’s much easier to log in than hack in.”
Every entity (human or non-human) accessing a resource (applications, data or other entities) requires an identity. That’s why identities are so valuable. Attackers can target them instead of sniffing out vulnerabilities or deploying malware to exfiltrate sensitive data, tactics that take time and effort. With valid credentials linked to a human or machine identity, attackers can slip in, bypass security controls and operate undetected, sometimes for extended periods, without anyone knowing.
In more good news for the bad guys, identities are everywhere. The average staff member has more than 30 digital identities, and the total of non-human (or machine) identities outnumbers human identities by as much as 45-to-1. That number keeps growing: the average organization expects identities to surge by 3x in the next 12 months. Given this, it’s unsurprising that 93% of organizations have experienced at least two identity-related breaches.
This data helps explain why identity has replaced the perimeter and become the only common decision point from which to evaluate risk and apply dynamic security controls. It also shows why protecting identities is now a core cybersecurity priority.
Identity security: A business enabler
Mature organizations understand that structured processes enable automation, which is key to securing identities. For example, HR can automatically create digital identities for new employees, ensuring they receive only the minimum necessary permissions for their role through the use of lifecycle management within identity governance.
This automated identity lifecycle is governed by identity security control planes, which ensure that access requests, privilege escalations and governance are managed securely.
Unlike process-heavy IAM systems of the past, identity security serves as a business enabler by optimizing workflows, decreasing friction and minimizing disruptions. CISOs can effectively communicate identity security’s value to stakeholders and align security efforts with business goals by understanding these identity-related controls organized into three pillars.
The three core pillars of identity security
1. Privilege controls
Excessive privileges are a top target for cyberattacks and a major cause of security breaches. An effective zero trust approach encompasses four key privilege controls that, together, reduce operational risks associated with unauthorized privileged access:
- Least privilege access ensuring accounts only have the permissions they need.
- Secrets management securing credentials and API keys.
- Just-in-time (JIT) access granting elevated access only when necessary.
- Zero standing privileges (ZSP) eliminating persistent admin rights.
2. Access management
Managing and securing access in a decentralized IT environment requires a complementary set of controls, including:
- Adaptive authentication dynamically adjusting access controls based on risk.
- Single sign-on (SSO) improving user experience and reducing attack surfaces.
- Multi-factor authentication (MFA) adding extra layers of security beyond passwords.
3. Identity governance
Identity governance is all about ensuring visibility, compliance and overall risk reduction by:
- Defining who has access to what, when, and why.
- Automating access reviews and certification processes.
- Implementing role-based and attribute-based access controls (RBAC and ABAC).
Together, these comprise a holistic identity security architecture. It shifts cybersecurity away from outdated perimeter-based controls toward dynamic, scalable and risk-adaptive access. With this as a foundation, organizations can be consistent about security across all entities (users, devices, applications, and services), make real-time risk assessments so they can detect and respond to threats as they emerge, and continuously verify identities and access permissions to enforce zero trust.
Prioritizing identity security: A CISO’s roadmap
Of course, implementing these identity controls isn’t something that happens overnight. It’s a journey. The best way to maximize business resilience is to create and then follow a high-level roadmap for orchestrating identity security controls.
Having a roadmap in place is not just crucial for goal setting and business justification; it’s also essential for identifying dependencies to ensure that controls work together in harmony. A structured identity-first strategy keeps the big picture in focus. Instead of constantly fighting fires and making tactical fixes, teams can concentrate on building a sustainable, outcome-based security program.
AI-driven threats are evolving faster than ever before. The vast majority of CISOs have embraced Zero Trust as a philosophy, and as part of that, they approach security as if their organizations have already been breached. With continuous and adaptive identity security, it doesn’t matter whether the attacker is inside or outside. What matters is that they will be stopped in time and shut down before it’s too late. This advantage deserves every CISO’s full attention.
Download “The Identity Security Imperative” for insights on how to implement identity security using practical and proven strategies to stay ahead of advanced and emerging threats.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3951888/how-cisos-can-use-identity-to-advance-zero-trust.html