Bringing security to account: why identity must be unified

Sponsored Feature Many organizations are suffering from an identity crisis: not in the psychological sense, nor with respect to their branding or culture, but in how their IT systems let employees reach the applications and data they need for work.

Access across a workforce is typically controlled by Identity and Access Management (IAM) tools: frameworks of security policies and technologies that give specified users appropriate access to designated technological resources, and deny that same access to malicious intruders.

Many cyber attacks start with a misappropriated user identity: according to Verizon’s 2022 Data Breach Investigations Report (DBIR), 82 percent of breaches involve a human element such as stolen credentials, phishing, misuse or error. Yet IAM’s integral importance to the security mission is often marginalized. What’s more, IAM deployments that are legacy, obsolete or not fit for scope (‘gappy’ solutions carrying features that are rarely, if ever, used) offer breach opportunities to attackers, who use the permissions attached to a hijacked user ID to compromise data and system integrity.

As an IT security discipline, IAM encompasses a range of foundational administrative activities. Briefly put, identity management covers account lifecycle management (joiners, movers and leavers) and the matching of roles, rights and access across an organization (HR gets access to payroll data, admins get access to server configuration, and RPA bots don’t get pay checks). Access management, meanwhile, confirms that an accessing user is who they claim to be by checking the information presented in the access request against the identity management database, and then uses that identity information to determine which resources the user is permitted to reach and which actions they may perform on them.

Call for IAM reinforcement

Arguably, IAM’s importance has been somewhat overshadowed by security solutions that operate further out on the enterprise infrastructure. Emergent market forces are, however, swinging the security pendulum back toward identity, and IAM implementations are being reinforced as a result.

Inadequate IAM is a problem being exposed by the need for organizations of all sizes and sectors to carry cyber risk insurance. Cyber insurance is increasingly required for a range of reasons, such as a business mandate or an internal governance requirement.

Cyber insurers and their brokers undertake stringent risk assessments of a would-be insured organization’s cyber posture before they consider providing cover, and the result is also a factor in setting the premium. Insurers and brokers now routinely require deficient IAM to be upgraded before a cyber insurance application is considered, reports Darren Thomson, VP, Product Marketing at One Identity.

“To an extent, in many organizations, IAM has been relegated to a lower rank of traditional (perceived trailing edge) enterprise cybersecurity domains,” says Thomson. “It has tended to be overshadowed by more high-profile components in an IT security ecosystem. IAM doesn’t headline general conference sessions like edge security or AI threat intelligence might do.” 

IAM’s elevation to an integral part of frontline cyber defense began before the COVID pandemic, and accelerated when the exigencies of remote working took enterprise security perimeters far beyond the premises boundary.

“The physical security boundary has always had elasticity due to the need to support mobile devices,” says Thomson, “but in the situation we have now, where a much higher proportion of employees are customarily working far away from their former workplaces, the traditional defensive line has lost relevance. This has elevated the importance of IAM up the enterprise security agenda – identity is the new perimeter edge.”

Ten steps your organization can take to implement policy-friendly cybersecurity protection – and clinch that vital cyber insurance cover:

1. Back up business data regularly to a secure external resource or cloud service.

2. Ensure employees receive cybersecurity awareness training and are briefed and periodically tested on an employer’s IT security policy.

3. Implement endpoint detection and response and managed detection and response tools able to recognize and shut down high-risk or unusual behaviors.

4. Protect ‘endpoint devices’ (definitions vary; typically desktop computers, laptops and smartphones) with up-to-date antivirus/antimalware and endpoint privilege management software, and check that it is properly configured.

5. Protect enterprise networks using a firewall (hardware or software).

6. Implement enterprise-grade centralized patch management to ensure critical updates are installed to schedule.

7. Liaise and share intelligence with supply chain and business partners to extend risk visibility.

8. Secure privileged user accounts with multifactor authentication.

9. Actively manage user accounts and permissions using holistic IAM/PAM solutions, and audit accounts and directories on a routine basis.

10. Identify and manage vulnerabilities through vulnerability scanning tools and/or penetration tests, and prioritize remediation according to criticality criteria. This practice should extend to public-facing websites.

Beyond the bulging security perimeter

This redefinition of the security perimeter is also bringing challenges. Foremost among these is that it has highlighted deficiencies in the way many organizations have provisioned their IAM needs, with capabilities often deployed piecemeal over time.

“A lot of organizations we speak to have secured management of identity and access as separate requirements,” Thomson explains. “As a result, different vendor solutions run alongside IAM and take care of concomitant tasks – most commonly Privileged Access Management (PAM), Active Directory Management, and Identity Governance & Administration.”

The drawbacks of this approach are that, first, multiple directories are siloed in each solution, and are unlikely to interoperate with each other, says Thomson. “Added to this, each separate solution has its own method of management, so IT teams get bogged down in iterative administrative tasks that rely on different sets of controls. Apart from wasting resources, this can have a knock-on effect on inhouse security talent that undermines skills retention.”

A further concern with the multivendor approach to IAM is that running separate solutions leaves security gaps that savvy attackers will find and exploit. “There are hackers out there who are fully aware of the vulnerabilities that might exist in multivendor IAM/PAM environments,” warns Thomson. “They find them, and they will exploit them.”

To close these gaps, organizations can transition to a fully unified approach to IAM, Thomson points out. It’s a move that will also equip them with the latest tools needed to manage networks used by proliferating numbers of people and devices.

“Consider that in many enterprises identity numbers increase on a daily/weekly basis,” says Thomson. “An enterprise-grade IAM now has to be able to manage all types of identities from a single holistic platform, otherwise it’s back to the pitfalls of fragmented management.”

Thomson continues: “Unifying distinct processes and correlating all identities – human and machine – means security teams can gain 360-degree visibility and verification before granting anyone – or any – access to a critical system. And it accelerates the modification or removal of permissions process, reducing the admin overhead.”

Another compelling reason for unified visibility is the ability to remediate the welter of legacy IAM issues left across separated systems, Thomson says.

“The overall task of administering identity and access has scaled up,” reports Thomson. “Organizations now have more users who need to have their access privileges updated much more often than used to be the case, especially as enterprises adopt a more project-led approach to business generation.

“Added to this we now have relatively high rates of ‘identity churn’, both in terms of permanent personnel and contractors. Security teams cannot always keep up – they may have more pressing tasks to attend to, and so identity management slips behind – and with it, access management.”

One risky result of this is dormant accounts: accounts that belonged to users who no longer need them, or who have left the organization altogether, but which continue to exist on the system, often because the leaver process was poorly managed.

“User accounts that have been dormant may seem a non-issue, but they are in fact a substantial risk to businesses that have them,” Thomson explains. “With these we have named accounts, or user profiles, that might have inbuilt access to very privileged information. Often those privileges are accorded to an identity for a one-off purpose or project, and when that has been completed – or the account name is no longer employed – those privileges are not removed. Dormant accounts can prove pure gold for hackers who succeed in gaining access to them.”

Insurers raising the risk cover stakes

The growing importance of identity is a driving reason why the world of cyber risk insurance is taking a close interest in IAM. Post-pandemic, the cyber insurance market has started to regain momentum as insurers realized that requiring potential insureds to improve their cybersecurity posture as a condition of the policy was the way to reboot the market’s potential.

Premiums are mostly higher than they were in 2020 – but then the likely all-round losses from a successful cyber attack have gotten even higher. In this respect the need for insurance now plays a transformative role in bettering security beyond its core function of risk transfer, as Swiss Re Institute has pointed out.

As well as creating financial incentives to improve security and mitigate vulnerabilities before the policy period, cyber insurance adds value to the risk management process by pricing specific risks: this provides a financial reference for framing decisions.

Increasingly, reports Thomson, insurers and brokers are zeroing in on IAM rigor as a core prerequisite for policy award eligibility. “Over the last two years the insurance industry has been on a steep learning curve regarding its knowledge of cybersecurity,” Thomson reports. “It’s clearly determined what it now deems as the viable ‘table stakes’ in regard to cyber underwriting – closely tied to what it accepts as non-negotiable levels of cybersecurity resilience within any organization that wants to be covered.”

Thomson adds: “We have clients who come to us and say that they cannot get a cyber insurance policy underwritten without the implementation of our IAM and PAM solution. Increasingly IAM is front-and-center of the areas insurance assessors scrutinize. And they know what they are talking about when it comes to the tech – and have been smart enough to realize that in order to stay properly informed, they should talk to security technology market leaders.”

As a result One Identity liaises with the cyber insurance industry, and is investigating ways in which it can work more directly with cyber insurance brokers who need tools to conduct security assessments.

“The influence of cyber insurance is already marked, and has persuaded many organizations that well-informed investment in IAM and associated products really is their best strategy for mitigating their exposure to the latest bad actors,” Thomson concludes.

Sponsored by One Identity.