Originally published in HelpNet Security on June 25, 2019.
Many organizations are finding themselves between a rock and a hard place when it comes to the security of their digital transformation strategies. On the one hand, the number of data breaches continues to increase, and damages stemming from cybercrime have businesses losing more than $3.86 million on average per breach, according to the Ponemon Institute.
On the other hand, spending on IT security continues to take up a greater share of budgets as businesses try to protect more applications, data and services which are increasingly run from the cloud. In fact, Gartner predicts the global spend on information security will surpass $124 billion this year.
So, what is the best way for companies to maximize their digital transformation efforts as the data breach threat and costs continue to grow? Let’s dive deeper.
One model opens the door for the other
The idea of simply protecting the network perimeter has become an archaic perspective on security. This model was created at a time when employees had to be physically present in offices to connect to business systems. Today, with the rise of the internet, the cloud and the mobile workforce, network access points are proliferating, and there are far too many of them for a traditional perimeter model to handle effectively.
A handful of organizations are attempting to tackle this issue by pushing all network traffic through a proxy (WAM or traditional network security appliances) to preserve the perimeter. However, this model cannot easily scale up, can degrade the user experience and undercuts the core advantage of the cloud, which is that it is continuously available. The question then arises: why would an organization direct all user traffic, including that of remote users, to an on-premises proxy that can crash and keep workers from doing their jobs, when more capable and secure technologies already exist?
Companies are increasingly looking to adopt a zero trust outlook, choosing to authenticate all devices and trust none. From the outset, this model rejects the idea that internal users and machines can automatically be trusted. Instead, all users, technologies and network infrastructures are labeled as untrustworthy by default.
IAM’s position in zero trust
Zero trust models are built around strong identity and access management (IAM) and therefore cannot survive without these tools. Establishing a user’s identity before allowing them to step into the network is the central piece of this model. Security teams are employing features such as multi-factor authentication (MFA), single sign-on (SSO) and other core IAM elements to confirm that each user has a high-assurance session, is using a valid machine and is accessing the appropriate types of file shares.
As time moves forward, companies will need to ensure that access to all sensitive information is verified, wherever the information resides in their network. IAM will become an even more prominent pillar of organizations’ zero trust strategies. This will play out in a number of different scenarios, including:
- To help security teams link data assets and information packets to specific users on business networks, future IAM technologies will use greater integration to embed identity data in data protection and network forensic systems.
- As security professionals adopt more IAM solutions, they will be able to maintain identity records and bind them to employee access rights. Before taking this step, security pros should assign data access privileges to workers and include data properties in all access-certification campaigns.
- The days of clients having to install every piece of technology are coming to an end and making way for API-based microservices. This approach is making an impact on security and it is expected that providers will adopt it. As a result, many of the burdens associated with applying IAM tools will be alleviated for those following a zero trust mindset.
Today is an ideal time for organizations to start implementing a zero trust outlook as they’re growing increasingly vulnerable to data breaches stemming from compromised identities. To kick things off, they can incorporate fundamentals like MFA and access management into their own corporate settings.
MFA is a critical function within organizations looking to validate and protect access to networks, due to its ability to assess additional contextual attributes of a login attempt. Coupled with a consolidated access management solution, businesses can improve productivity with simple, secure access to cloud services and guard their assets as IT admins are equipped with granular controls and comprehensive reporting capabilities.
Additionally, end users are given the authentication methods that best suit their roles and security profiles. Without a centralized structure in place, organizations may run into issues involving a lack of visibility into the network, employee password fatigue, and even increased overhead costs.
Security is elevated when these technologies work together; the number of threats ultimately diminishes as critical entry points are covered. Organizations must arm themselves today with these solutions, because they are the future.