Identity security: Cornerstone of effective Zero Trust strategy

In the modern enterprise, perimeter-based security is no longer sufficient, given key security challenges that include a growing number of remote and non-employee workers and the steady migration of applications and workloads to diverse cloud and hybrid infrastructures.
According to a recent Forrester report, as the workforce is being augmented by nonhuman entities such as robotic process automation, physical robots and IoT systems, it is more important today than ever to ensure strong identity and access management practices to secure these identities.
As cybercriminals continue to gain entry into company systems by hacking user accounts, enterprises are shifting their focus to protecting the identities in their company, such as employees, partners, vendors and non-human bots, by providing only the required access to the right identities. This is why identity security has to be at the core of a zero trust security architecture.
Zero Trust security is based on the notion of “never trust, always verify”, which means that no user, device, resource or application should be trusted until its identity has been verified. When all network traffic is untrusted by default, the only viable security strategy is one built on identity.
According to our recent report, conducted by Dimensional Research, which surveyed 315 security and IT professionals globally on their companies’ security and identity practices and zero trust model adoption, anywhere operations, increased cloud use, and growing security attacks are leading 92% of companies to incorporate a zero trust security model, as it is expected to deliver improved visibility, earlier threat detection, fewer incidents, and improved remediation.
Of those surveyed, nearly all (97%) agree identity is a foundational component of a zero trust security model, but a lack of expertise is the key reason preventing enterprises from adopting zero trust.
As organizations need zero trust expertise and solutions that integrate more easily, what should they be looking out for in an identity security solution?
A comprehensive identity security solution will empower organizations to automate the identity lifecycle, manage the integrity of identity attributes, enforce privilege based on roles in the organization, and leverage advanced technologies such as artificial intelligence and machine learning to govern and respond to access risks.
A strong identity security program will also enable organizations to manage and govern access for all types of digital identities, to establish a zero trust framework that is able to systematically adapt and respond to ongoing changes across the organization and threat landscape. The key principles include:
Never trust, always verify: Enable accurate access decisions to be driven with contextual, updated identity data. With this approach, enterprises need to have complete visibility of all user types and their related access, including all permissions, entitlements, attributes and roles. It is also vital to have a single source of truth by creating clean, accurate identity records that all decisions are based on, and to keep identity data updated with automated identity lifecycle management.
Deliver just enough, timely access: Enforce least privilege using roles and complex policy logic. Organizations can grant just-enough access using roles, fine-grained entitlements, permissions and dynamic rules. With access automation, as new users are created or roles change, access can be automatically granted and updated based on access policy. Unused access and dormant accounts can also be automatically de-provisioned to reduce risk exposure, while detecting and preventing toxic access combinations can avoid potential fraud or theft.
Continuously monitor, analyze and adapt: Keep security up-to-date and dynamically respond as changes happen and threats are detected. Through AI-driven insights, organizations can get deep visibility and understanding of all user access, including trends, roles, outliers and relationships. By measuring the efficacy of access controls for apps, data and cloud resources, enterprises can ensure that permissions comply with policies, while monitoring risk signals from the digital ecosystem and communicating with the zero trust gateway ensures real-time enforcement of security policies. Finally, by taking advantage of custom workflows and APIs, organizations can automate their identity security program across other cybersecurity and access systems.
In order to make better identity decisions, enterprises need tools that leverage artificial intelligence and machine learning to automate the discovery, management, and governance of all user access across hybrid and multi-cloud environments, remote work, and multiple devices.
With AI and ML, enterprises can get intelligence and insights into access privileges, abnormal entitlements and potential risks so they can easily control access throughout a user’s lifecycle, automate IT tasks, mitigate threats and empower their workforce.