This is our second guest blog post from Mark Child, Research Manager for IDC’s European Security Group. You will find our first post here.
Risk Management Through Identity
In IDC’s 2019 European Security Survey, we asked 700 European CISOs where their organisations expect business value from security. The clear number one – cited by 45% of respondents – was optimised risk management. The survey also asked respondents to prioritise their security concerns: managing users, identities and access was number two, behind only security culture and awareness (a broad and ubiquitous thread that runs through all security discussions).
So how can identity management solutions help address security concerns and deliver the value the business wants? In the bigger picture, identity is intrinsically linked to risk, and managing it serves to help organisations manage their risk. For starters, authentication is the first step to determining access rights. Applying authentication and access controls to enterprise data is key to ensuring data privacy, a fundamental consideration for digital strategy and compliance risk, particularly in the GDPR era. Aside from penalties from the regulator, suffering a breach that compromises systems and data will also have an operational and reputational impact. Stringent authentication and granular access controls can mitigate damage and data leakage, even in cases where an attacker succeeds in penetrating the network.
Any identity strategy needs the board on board, which means the security team needs to provide KPIs and metrics that management can understand. According to IDC’s data, three of the top seven security KPIs are risk-focused: value of assets at risk, partner risk score, and value of risk mitigated. These risk metrics help the security team to quantify the value of identity and digital trust (IDT) investments in delivering ROI to the business. An understanding of the implications of not taking action will drive a more proactive approach to embedding identity and access controls throughout the infrastructure. This will also drive discussions around security policy and governance, such as the importance of applying best practices and good security hygiene, two areas that should be an intrinsic part of any identity strategy and indeed any DX strategy.
Identity and the Digital Platform
Did you hear the one about the company without a digital transformation (DX) strategy? No, me neither. What about the company that didn’t factor security into its DX strategy…? Right, now we’re talking. According to IDC research, digital transformation is a strategic priority for 90% of European organisations. For those companies, that means the adoption of an enterprise-wide digital platform through which they collect, process, analyse, and circulate data to inform decisions, generate IP, and develop digital products and services to deliver to their customers.
Wait, have we got one of those?
Don’t panic. Most organisations already have: as you are building out ecosystems to foster beneficial engagements with your partners and suppliers or integrating your IT and OT to develop predictive maintenance capabilities, you are already developing your digital platform. The figure below is a conceptual model of how this works. So where does identity come into it?
Figure: The IDC Digital Platform
Look at the model again: valuable data and assets permeate throughout, from the IP developed and refined in the intelligent core to the customer and market data collected and analysed from enterprise and ecosystem engagements. The digital platform must be secured to protect those assets. Identity constitutes one of the fundamental pillars through which organisations can achieve that.
A New Perimeter
In the DX era, as organisations adopt cloud and mobile technologies and build out digital supply chains and ecosystems, the traditional secure perimeter that protected the organisation’s digital assets has been rendered obsolete. Identity is the only remaining constant in this new paradigm and is a means to apply a new control plane to secure those assets.
All user identities need to be verified through appropriate authentication mechanisms; access should be granted or denied depending on context; roles and permissions should be set according to the user and the asset; and the authentication session lifecycle should be managed. At a recent CISO forum I attended, the CISOs were asked for their top three security wish-list items that they would like to implement. “MFA everywhere” was cited by almost everyone. That may not be practical or feasible across the entire organisation and its customers and partners, but the sentiment is clear: only by stringently authenticating identities for all processes and transactions can we gain the control and security we need for our business.
In addition to authentication, identity lifecycles also need to be managed. A recurring issue in the identity space is managing or terminating credentials when a user changes role or leaves the organisation, the so-called ‘movers’ and ‘leavers’. Identity management solutions address this challenge by governing the whole identity lifecycle, from enrolment through ongoing management to decommissioning. This closes off a key target for threat actors: credentials that are defunct but still active. Identity controls can also be a means to identify and address insider threat, using behavioural analytics to detect malicious activity and triggering additional verification requirements or freezing access.
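To make the two preceding paragraphs concrete, the following Python sketch is an added example (not IDC's or any vendor's code) of a minimal identity control plane: a directory that handles joiner, mover and leaver events, a stale-account audit that surfaces dormant but still-active credentials, and an authorization decision that checks identity status, session lifetime, role-based permissions and a recent MFA step-up for sensitive actions. All role names, permissions, time limits and users are constructed sample data.

```python
"""Toy identity control plane: lifecycle events, stale-credential audit and
context-aware authorization. Constructed illustration; the policy tables are
sample data, not IDC's."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample policy: role -> permissions it grants
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "finance": {"ledger:read", "ledger:write"},
    "sales": {"crm:read", "crm:write"},
    "contractor": {"wiki:read"},
}
SENSITIVE = {"ledger:write", "crm:write"}   # require a recent MFA step-up
MFA_MAX_AGE = timedelta(minutes=15)          # how fresh the MFA proof must be
SESSION_MAX_AGE = timedelta(hours=8)         # hard session lifetime
STALE_AFTER = timedelta(days=90)             # unused accounts flagged after this


@dataclass
class Identity:
    user: str
    roles: Set[str]
    status: str = "active"                   # "active" or "disabled"
    last_login: Optional[datetime] = None


@dataclass
class Session:
    user: str
    issued_at: datetime
    mfa_at: Optional[datetime] = None        # when the user last passed MFA


class IdentityDirectory:
    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.events: List[Tuple[datetime, str, str, object]] = []  # audit trail

    def join(self, user: str, roles: List[str], now: datetime) -> None:
        self.identities[user] = Identity(user, set(roles), last_login=now)
        self.events.append((now, "joiner", user, sorted(roles)))

    def move(self, user: str, new_roles: List[str], now: datetime) -> Set[str]:
        """Role change: old entitlements are removed, not accumulated."""
        ident = self.identities[user]
        removed = ident.roles - set(new_roles)
        ident.roles = set(new_roles)
        self.events.append((now, "mover", user, sorted(removed)))
        return removed

    def leave(self, user: str, now: datetime) -> None:
        """Offboarding: disable the identity and strip every role."""
        ident = self.identities[user]
        ident.status = "disabled"
        ident.roles = set()
        self.events.append((now, "leaver", user, None))

    def stale_accounts(self, now: datetime) -> List[str]:
        """Active identities that have not logged in within STALE_AFTER."""
        return sorted(
            u for u, i in self.identities.items()
            if i.status == "active" and i.last_login is not None
            and now - i.last_login > STALE_AFTER
        )


def permissions_for(ident: Identity) -> Set[str]:
    perms: Set[str] = set()
    for role in ident.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(directory: IdentityDirectory, session: Session,
              permission: str, now: datetime) -> Tuple[bool, str]:
    """Decide one access request; returns (allowed, reason)."""
    ident = directory.identities.get(session.user)
    if ident is None or ident.status != "active":
        return False, "identity not active"
    if now - session.issued_at > SESSION_MAX_AGE:
        return False, "session expired"
    if permission not in permissions_for(ident):
        return False, "not permitted by role"
    if permission in SENSITIVE and (
            session.mfa_at is None or now - session.mfa_at > MFA_MAX_AGE):
        return False, "mfa step-up required"
    return True, "ok"


def run_scenario() -> Dict[str, object]:
    """Walk one identity through joiner -> mover -> leaver (constructed data)."""
    t0 = datetime(2019, 6, 3, 9, 0)
    d = IdentityDirectory()
    d.join("alice", ["finance"], t0)
    d.join("bob", ["contractor"], t0 - timedelta(days=120))   # dormant account
    out: Dict[str, object] = {}
    s1 = Session("alice", issued_at=t0)
    out["read_no_mfa"] = authorize(d, s1, "ledger:read", t0)
    out["write_no_mfa"] = authorize(d, s1, "ledger:write", t0)
    s1.mfa_at = t0                                             # step-up passed
    out["write_with_mfa"] = authorize(d, s1, "ledger:write", t0 + timedelta(minutes=5))
    out["write_stale_mfa"] = authorize(d, s1, "ledger:write", t0 + timedelta(minutes=30))
    out["expired"] = authorize(d, s1, "ledger:read", t0 + timedelta(hours=9))
    t1 = t0 + timedelta(days=1)
    out["removed_on_move"] = d.move("alice", ["sales"], t1)
    s2 = Session("alice", issued_at=t1, mfa_at=t1)
    out["old_role_after_move"] = authorize(d, s2, "ledger:read", t1)
    out["new_role_after_move"] = authorize(d, s2, "crm:write", t1)
    out["stale"] = d.stale_accounts(t1)
    d.leave("alice", t1 + timedelta(hours=1))
    out["after_leave"] = authorize(d, s2, "crm:read", t1 + timedelta(hours=2))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:22} {value}")
```

The design point is that a mover's old roles are replaced rather than accumulated, a leaver's identity is disabled rather than deleted (so the audit trail survives while every permission check fails), and the stale-account audit catches the dormant-but-active credentials the paragraph above describes. Real deployments would back this with a directory, a policy engine and behavioural signals, but the decision order shown (identity status, session validity, role permission, then MFA freshness for sensitive operations) is the same.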
Identity Becomes Business-Critical
It’s clear from the above that identity has become business-critical in the digital era. Multi-factor authentication, identity lifecycle management, single sign-on, federated access, role-based access, contextual controls: all these solutions and processes can enable organisations to harness identity as the new control plane. It’s up to each organisation to assess which they need to apply and where, based on their risk appetite and risk assessments. The adoption of an identity platform – a fully integrated suite of identity and access management tools – provides an effective and efficient means to deploy and apply the requisite tools and controls where and when they are needed. Fundamentally, this allows organisations to adopt identity as their new secure perimeter.
Each organisation should also reassess its existing identity and access management estate: are there legacy tools that have become inefficient or are no longer fit for purpose as the architecture has evolved? Are there point products that do not integrate well with new infrastructure? Would an investment in a modern IDT solution deliver a richer set of functions and capabilities that would bring greater value to the business? The IDT market has seen dramatic evolution in recent years: organisations now have the opportunity to reap the benefits of that development.