The Importance of Identity Management in Security

It’s ever more challenging in today’s work-from-anywhere world to prevent cybersecurity breaches. And while all organizations work hard to prevent attacks through traditional security measures such as multi-factor authentication, patching, training, and more, the bad guys increasingly find their way in through poorly thought-out, scattered access and identity management practices. The solution, we’ve seen in discussions during CIO roundtables, seminars, and dinners, is to adopt a privileged access identity management approach. 

When you have an improperly managed access and identity process and technology, you might as well hang a sign outside the door: “Come On In”. And once a bad actor hijacks someone’s (or something’s) real identity to enter, they can use that access to move north-south, east-west across networks to steal, manipulate, or hold hostage data, sensitive information, and critical business applications. They can falsely approach vendors, partners, customers, and consumers. In the process, risk levels increase, reputation plummets and operational efficiency is severely compromised. 

Privileged access management (PAM) should define the set of rights you give to every single contractor, employee, partner, and vendor. A well-implemented PAM program helps protect organizations against cyberthreats by monitoring, detecting, and auditing unauthorized privileged access to critical resources. 

But PAM should not be implemented willy-nilly on some resources, platforms, users, or types of devices – and not others. Enterprises should adopt holistic, integrated solutions that provide your enterprise with the visibility to discover, on-board, manage, and audit any user or device by role, function, persona, time, or location. 

PAM takes many forms. Some companies prefer to give access to individual PCs, tablets, and mobile phones. But the per-device privilege is a red herring. What if the device is stolen and hacked by a nefarious actor – or even used incorrectly by a coworker? 

A better approach is to manage access by name, function, role, assignment, or persona. It’s critical, also, to place time-based, or geographic-based parameters on identity and access. For example, I may be working on a project for 10 days. Or, I’m temporarily filling in for my boss and her other management responsibilities. Or, I’m a financial analyst with access to sales and fulfillment data, but only for my investment company’s upper Midwest region. 

That said, there are three complicating factors beyond human identity that can make access to IT systems risky. The first relates to today’s lack of perimeter. Does the data and process reside or occur at the core, in the cloud, or at the edge? Should one restaurant manager have access to the neighboring restaurant’s data, even if they’re in the same company? When should a developer access data on-premises or in the public cloud? 

The second consideration is identity for IoT devices. Indeed, in the first half of 2023, IoT DDoS attacks surged by 300%, causing a $2.5 billion global financial loss, according to some sources. From Target to household appliances to St. Jude Medical, too many breaches use non-compute devices with IP addresses as a gateway into enterprise resources. Holistic identity management should cover not only people and devices but also the IoT systems that support a company. 

Then there’s the matter of OT and manufacturing systems which may or may not be connected in some way to ordering, fulfillment, sales, marketing, financial reporting, and regulatory systems. The factory is an edge location, even if most (or many) of its processes appear to be independent of business systems. Think of the dual identities needed in terms of production and business for mining, agriculture, oil and gas, transportation, hospitality, retail, and logistics, as well as policing and the military. 

Ideally, IT and security managers should control access from a single console. Integrated identity management should have a set of rules for the user (role, persona), device (PC, IoT), platform (cloud, edge OT), location (geographic or, again, platform), and time (one action, one day, etc). 

Automating the process will help. If I’m given assignment X for Y time; shouldn’t the system provide access – and take it away – once the project or timeframe is complete? 

Of course, there’s the issue of artificial intelligence. Indeed, AI can help organizations implement adaptive authentication strategies. AI can analyze contextual factors, such as location, device, and behavior, to determine the level of authentication needed. Moreover, generative AI can be employed to build anomaly detection models. (We’re still waiting for the flip side of this: an AI-assisted attack.) 

Many companies are beginning to use biometrics, like retinal scans, facial recognition systems, and fingerprints, to help qualify and meter access. 

PAM is an evolving field and should be viewed in the context of your overall Zero Trust architecture, consideration of Identity-as-a-Service (IaaS), and AI / ML. Nefarious actors are not going away, but the enterprise can use privileged access to help guard valuable business assets.