The case for an identity-centric security strategy

You wouldn’t hand an intern a physical copy of confidential financial documents…

You wouldn’t give an external contractor a key to every room in the building…

You wouldn’t grant a past employee access to your new business insights…

Why is it then that so many organisations keep doing all the above?

Right now, we live and work in a new threat landscape that comes with new weaknesses, one where the idea that confidential information can be secured through a security perimeter is no longer valid.

Nowadays companies must look to secure and manage access for the individual, not just the network, through identity-centric security strategies.

As entire teams transition away from relying on the safety of firewalls and physical networks and into their homes, one of the most critical steps organisations must take today is to provide the right access to resources and data to the right people and for the right period. This means managing information in an entirely different way.

Identity management ranks high today on the risk register for chief information security officers (CISOs). However, there remains a lack of understanding about this approach to security management from the broader C-suite. This is a challenge itself, as issues and looming crises vie for the top spots on ever-burgeoning corporate risk registers.

VIEW ALL

C-suite executives will growingly start to wear the burden of cyber breaches as the veil between personal and corporate liability begins to blur and scrutiny from shareholders intensifies. In fact, proposed changes to the Corporations Act will hold senior management, boards, governing bodies, and individuals directly responsible for implementing controls to protect information assets.

While these future regulations will only apply to ASX 200 companies, it may be a matter of time until these responsibilities cascade into the remit of unlisted company.

Important questions to consider

Chief officers across finance, operations, marketing and especially legal, all have a critical role to play in implementing effective identity and access management policy and practices. C-suite executives must ask themselves:

How will an identity-based cyber breach impact my strategic priorities?

Will I be able to comply with financial and commercial obligations?

What reputational risk will my department and organisation face?

Will key stakeholders, such as customers and vendors, lose trust in our business?

Hybrid and remote workforces have made cyber security and information access everyone’s responsibility. Many, however, do not understand the ecosystem of risk and what poor identity management actually looks like and how it can escalate into devastating information breaches.

Previously, traditional security models assumed that everything within an organisational network could be trusted. Now, remote workforces need to access files in shared repositories, such as Cloud computing, and from a combination of different devices.

The problem remains that without traditional network security, such as intrusion prevention systems, information can be accessed by anyone at any time across a much broader area, making it extremely difficult to secure sensitive data. Separate to that, without identity and access management processes, it can be near impossible to confirm exactly who is trying to get access to what, or should they have access to it.

C-suiters should familiarise themselves with the ‘never trust, always verify’ paradigm, where day-to-day operations give employees access to the bare minimum, and then elevates their access rights for the time needed to complete the task- and most importantly, removing those access rights once the job is done.

Good communication leads to more security

A typical example of over-privileged individual access rights is the employee lifecycle. You employ a person, give them company logins, which enables them to access vast repositories of data, often beyond seniority or department. When the employee leaves, you expect that access to be removed. More often than not, their logins remain, and they can still access critical organisational information.

Just last year, a large state government department in Australia experienced a cyber breach after a contractor was granted access to their portal, and their access had not been deprovisioned after their employment was finished. As a result, the external contractor could access and disseminate critical information more than 200 times within a year.

You can see that the responsibility lies not just with IT and CISOs but C-suite executives and departmental leaders that should be, for lack of a better word, ‘keeping tabs’ of those who are in and out of the business or team.

It is executives and leaders that understand who should have access to what information, when and for how long, and then relay this information to administrators and IT.

To communicate this information clearly, and uplift effective zero trust architectures, executives must prioritise identity and access management and collaborate with critical cyber players within the organisation, whether be IT departments or CISOs.

Now, executives must create a broader cultural shift, one that fosters governance attitudes and dynamic identity policies where C-suiters communicate with each other and act with agency.

We know this is problem that can easily solved. Businesses are rapidly transitioning into identity and access management technology that secures sensitive information. However, technology can only be as effective as the people and culture of an organisation, and the key to robust and effective cyber postures is C-suiters recognising that security starts at the top.

Serkan Cetin is the APJ technical director at One Identity.