Who Goes There?

Identity-based security solutions support the zero-trust model and address the evolving threat landscape.

Remote and hybrid work arrangements have become commonplace, with people across the globe now using a mixture of personal and company-owned devices to access data and applications from the corporate data center, public clouds, private clouds and the open Internet. These practices produce undeniable productivity benefits, but they also erode the traditional network perimeter and create openings for a variety of sophisticated and stealthy cyber threats.

Preventing unauthorized remote access to network resources has become a significant challenge for companies supporting large numbers of remote employees. Cybercriminals today no longer have to hack into systems — they are far more likely to log in using stolen or compromised credentials. According to a new IDC global study, 83 percent of organizations that have suffered a security breach believe it resulted from a compromised password or an identity compromise such as phishing.

Such results highlight the need to augment conventional perimeter defenses with identity-based security measures that ensure all users, devices and applications are properly identified and authorized before accessing the network.

“Identity and access controls are core components for addressing many future-of-work imperatives,” said Mark Child, research manager at IDC. “It’s imperative that organizations put in place a universal and user-friendly solution to enable all their employees to securely access the tools they need to do their jobs, regardless of where that may be.”

Access Restrictions

Identity and access management (IAM) and privileged access management (PAM) solutions are essential components of identity-based security. They provide a framework for verifying user identities and defining and managing security policies based upon the network access needs of specific users and groups.

IAM solutions integrate a variety of tools such as multifactor authentication, user provisioning, password management and single sign-on into a comprehensive platform. Even after verification, users, devices and apps gain only conditional access — all activity is continually inspected and evaluated to guard against deviations from defined policies. In addition to preventing intentional or accidental data exposure, least-privilege restrictions can help contain malware and prevent it from spreading through the network.

PAM solutions go further, providing control of administrator-level access to IT resources. This is absolutely critical because administrators and other high-level IT staff have access privileges for servers, security systems, network devices, databases, applications and other resources. With privileged account credentials, hackers could potentially take full control of an organization’s IT infrastructure, disable its security controls, steal confidential information, commit financial fraud and disrupt operations.

Identity governance solutions are typically deployed on top of IAM and PAM solutions to orchestrate a variety of management processes and policies. Through a user-friendly interface, administrators can define, review and enforce access policies, audit user access, and map policies to compliance requirements. Integrated analytics help administrators identify risks, pinpoint the origin of the risk and suspend compromised credentials when necessary.
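The passages above describe what an IAM/PAM policy layer does (least-privilege entitlements by group, conditional access that also checks MFA and device state, and tightly controlled administrator access) without showing how such a decision is actually made. The following is an added example written for this article, not code from any IAM or PAM product: a small, deny-by-default policy decision function. The users, groups, resources and rule table are constructed samples, and the "time-bound privileged grant" used for the admin resource is one common PAM pattern (just-in-time elevation), assumed here for illustration.

```python
"""Minimal identity-based access decision point (added illustration).

Not a vendor implementation. POLICY, the principals and the resource names
are constructed samples for demonstration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Principal:
    name: str
    groups: set
    mfa_verified: bool
    device_managed: bool
    # PAM-style just-in-time elevation: resource -> expiry of the grant (assumed pattern)
    privileged_until: dict = field(default_factory=dict)


# Least-privilege rule table. Nothing is reachable unless a rule explicitly
# names the group, resource and action; conditions tighten access further.
POLICY = [
    {"resource": "crm/customer-records", "actions": {"read"},
     "groups": {"support"}, "mfa": True, "managed_device": False},
    {"resource": "crm/customer-records", "actions": {"read", "write"},
     "groups": {"sales"}, "mfa": True, "managed_device": False},
    {"resource": "hr/payroll", "actions": {"read", "write"},
     "groups": {"hr"}, "mfa": True, "managed_device": True},
    {"resource": "prod-db", "actions": {"admin"},
     "groups": {"dba"}, "mfa": True, "managed_device": True, "privileged": True},
]


def decide(principal, resource, action, now):
    """Return (allowed, reason). Default deny; the first rule that entitles the
    principal's group to this resource/action is evaluated for its conditions."""
    for rule in POLICY:
        if rule["resource"] != resource or action not in rule["actions"]:
            continue
        if not principal.groups & rule["groups"]:
            continue
        if rule["mfa"] and not principal.mfa_verified:
            return False, "mfa required"
        if rule["managed_device"] and not principal.device_managed:
            return False, "managed device required"
        if rule.get("privileged"):
            expiry = principal.privileged_until.get(resource)
            if expiry is None or expiry <= now:
                return False, "privileged grant missing or expired"
        return True, "allowed"
    return False, "not entitled (default deny)"


def sample_decisions():
    """Run a set of constructed requests through the policy and return the reasons."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    alice = Principal("alice", {"sales"}, mfa_verified=True, device_managed=False)
    bob = Principal("bob", {"support"}, mfa_verified=True, device_managed=False)
    carol = Principal("carol", {"hr"}, mfa_verified=True, device_managed=False)
    dave = Principal("dave", {"dba"}, mfa_verified=True, device_managed=True)
    dave_jit = Principal("dave", {"dba"}, True, True,
                         {"prod-db": now + timedelta(minutes=30)})
    dave_stale = Principal("dave", {"dba"}, True, True,
                           {"prod-db": now - timedelta(minutes=1)})
    return {
        "alice_write_crm": decide(alice, "crm/customer-records", "write", now),
        "bob_write_crm": decide(bob, "crm/customer-records", "write", now),
        "bob_read_crm": decide(bob, "crm/customer-records", "read", now),
        "carol_read_payroll": decide(carol, "hr/payroll", "read", now),
        "dave_admin_no_grant": decide(dave, "prod-db", "admin", now),
        "dave_admin_jit": decide(dave_jit, "prod-db", "admin", now),
        "dave_admin_expired": decide(dave_stale, "prod-db", "admin", now),
        "alice_unknown_resource": decide(alice, "finance/ledger", "read", now),
    }


if __name__ == "__main__":
    for name, (ok, why) in sample_decisions().items():
        print(f"{name:26s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The useful property to notice is that every denial carries a reason: a support user who can read customer records but not write them is denied for entitlement, an HR user on an unmanaged device is denied for device posture, and an administrator without a live elevation grant is denied even though the group and MFA checks pass. Those reasons are what an identity governance layer audits and reports on.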

Trust No One

Together, IAM, PAM and identity governance solutions support least-privilege access principles that ensure users can only access the data and systems necessary for their jobs. That’s a baseline requirement for establishing a “zero trust” security model.

Unlike the traditional “trust, but verify” approach to perimeter security, zero trust follows a “never trust, always verify” principle. It is a system-wide strategy that treats every user and device accessing network resources as untrusted until its identity has been verified. The process doesn’t end there. A variety of inspection techniques, including event correlation and anomaly detection, are used to continually evaluate all network traffic.

The zero-trust approach effectively makes identity the new perimeter. By requiring every user, device, server and business process to establish a unique identity, and by creating specific access limits for every identity, it becomes substantially more difficult for attackers to gain unrestrained access to data and systems.
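The article says that verification does not end at login and that event correlation and anomaly detection keep evaluating activity afterwards. As an added example (not from the article or any product), here is a small continual-evaluation loop run over a constructed session log: each event is scored against a per-user baseline, and the session is revoked as soon as the accumulated risk crosses a threshold. The baseline, the event records, the rule weights, the two-hour travel window and the revocation threshold are all assumptions chosen for the illustration.

```python
"""Continual post-authentication session evaluation (added illustration).

BASELINE, EVENTS, WEIGHTS and REVOKE_AT are constructed values, not data
or thresholds from any real deployment.
"""
from datetime import datetime, timedelta

# Per-user baseline, as a real system would learn it from prior activity (constructed).
BASELINE = {
    "alice": {"countries": {"US"}, "devices": {"laptop-7f3a"}, "max_downloads_per_hour": 20},
}

# Constructed session log: a normal start, then activity that contradicts the baseline.
EVENTS = [
    {"ts": "2024-03-04T09:00:00Z", "user": "alice", "country": "US", "device": "laptop-7f3a", "action": "login"},
    {"ts": "2024-03-04T09:05:00Z", "user": "alice", "country": "US", "device": "laptop-7f3a", "action": "download", "count": 3},
    {"ts": "2024-03-04T09:30:00Z", "user": "alice", "country": "BR", "device": "laptop-7f3a", "action": "download", "count": 2},
    {"ts": "2024-03-04T09:40:00Z", "user": "alice", "country": "BR", "device": "unknown-11", "action": "download", "count": 40},
]

# Assumed risk weights per finding and the score at which the session is cut.
WEIGHTS = {"new_country": 2, "impossible_travel": 4, "new_device": 2, "download_spike": 3}
REVOKE_AT = 5


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def evaluate_session(events, baseline, travel_window=timedelta(hours=2)):
    """Walk the session in order; return (findings, score, decision, revoked_at).

    Evaluation is incremental: processing stops at the first event whose
    cumulative risk reaches REVOKE_AT, which is when a real enforcement point
    would terminate the session and demand re-authentication."""
    findings, score, prev = [], 0, None
    recent_downloads = []  # (timestamp, count) within the trailing hour
    for ev in events:
        ts = parse_ts(ev["ts"])
        base = baseline[ev["user"]]
        if ev["country"] not in base["countries"]:
            findings.append((ev["ts"], "new_country", ev["country"]))
        if prev and ev["country"] != prev["country"] and ts - parse_ts(prev["ts"]) < travel_window:
            findings.append((ev["ts"], "impossible_travel", f"{prev['country']}->{ev['country']}"))
        if ev["device"] not in base["devices"]:
            findings.append((ev["ts"], "new_device", ev["device"]))
        if ev["action"] == "download":
            recent_downloads.append((ts, ev["count"]))
            recent_downloads = [(t, c) for t, c in recent_downloads if ts - t <= timedelta(hours=1)]
            total = sum(c for _, c in recent_downloads)
            if total > base["max_downloads_per_hour"]:
                findings.append((ev["ts"], "download_spike", str(total)))
        score = sum(WEIGHTS[kind] for _, kind, _ in findings)
        if score >= REVOKE_AT:
            return findings, score, "revoke", ev["ts"]
        prev = ev
    return findings, score, "continue", None


if __name__ == "__main__":
    for f in evaluate_session(EVENTS, BASELINE)[0]:
        print(f)
    print(evaluate_session(EVENTS, BASELINE)[1:])
```

On the constructed log the first two events score zero and the session continues; the third event, from a second country 25 minutes after the first, triggers both the new-country and the impossible-travel rules and the session is revoked at that point, before the later unknown-device download spike even has to be considered. That ordering is the point of continual evaluation: a credential that passed the initial check is still cut off once its behaviour deviates from policy.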

The U.S. federal government is committed to the zero-trust approach, issuing a memorandum in January that mandates agencies adopt a zero-trust architecture by the end of 2024. The mandate specifically calls for stronger IAM controls as part of the strategy. “Without secure, enterprise-managed identity systems, adversaries can take over user accounts and gain a foothold in an agency to steal data or launch attacks,” the memorandum noted.
