Expanding Your Protection Across Today’s Global Enterprise
Recently, I was at an analyst event and heard some very interesting discussions about identity and the cloud landscape. During the event, the idea of transforming enterprise environments with new identity and access management (IAM) security strategies came up frequently in conjunction with the new demands and challenges companies are facing with cloud computing, mobility and advanced threats.
In this multi-perimeter world, identities are becoming a key security control on which enterprises need to focus. In the past, companies would manage everything from the inside out, and that approach was sufficient. These days, however, users can connect from outside of the enterprise as easily as from the inside through different collaboration channels. This means that identities are more exposed than ever and must become the first line of defense with threats.
Think about it this way: In the past, you would have sole access to the keys of your organization’s information kingdom, whereas now, employees, customers and business partners can enter through doors, windows and gates, often without your knowledge that they’re in, how long they’ve been in and what they’re even doing.
Redefining the Concept of Trust in Your Organization
Trust as a concept also came up quite frequently during the event in the context of cloud, including trust of users and their access. I thought about that and asked myself: “Who do we trust and what do we trust?” We trust technology and processes, but at the end of the day, we really trust people.
However, as the old adage says, we must “trust but verify.” Defense mechanisms are imperative to protect your data from insider threats because you need to know who has access to privileged accounts across the enterprise and what activities those people are engaging in with their privileges.
Having a privileged identity management solution permits you to monitor, record and report on all movements from power-users, but you also need to take it one step further with access control. We talk about enforcement of context-based authentication, since that’s one of the most effective methods to ensure we grant access to the right people at the right time. Access management requires a multilayered process for authentication, with mobile device fingerprinting, geo-location awareness, IP reputation and other personal information used to verify the user’s identity.
Mobile and Cloud Security: “Trust but Verify” Your Users
We definitely enjoy the freedom of working and acting more independently with mobile and cloud, but this newfound freedom requires rules and boundaries so we don’t increase the risk of data leakage and brand damage. No one appears to be immune these days, as identity involves both the user and the device itself, and companies need to get a handle on both.
Let’s face it — if you cannot control, proof, audit and manage your identities, you have a big security problem. Has identity and access management become more complex over the years? Yes, absolutely; however, ignoring the trends is not an option. So what are the next steps you may want to consider? Here are the ABCs for securing identities and their access.
A = Analytics
A growing number of users are accessing your IT systems, applications and data in more ways than ever before. On the other hand, the fraud and threat landscape is also evolving rapidly. Companies struggle to control and stay ahead of complex and dynamic IT environments. According to the 2012 IBM Global Reputational Risk & IT Study, 61 percent of organizations said that data theft and cybercrime were their greatest threats.
In response, enterprises need to become threat-aware and implement analytical tools to detect and report on anomalies, prevent fraud, block attacks and provide secure user access across the entire enterprise.
The bottom line is that the smarter you are about your everyday business operations, the better your overall position will be for defending yourself against security breaches. The adoption of IAM analytics not only provides you with closed-loop processes for regulatory compliance, but should also reduce risk and costs (I believe it will reduce your blood pressure as well).
B = Beyond Traditional IAM
A recent IBM study found that a majority of security leaders consider identity and access management to be more vital to infrastructure defense than any other technology. Why is that?
Just think about how many more people are connected to the enterprise today than in the past, how many more devices are active and how we collaborate on a 24/7 basis across the globe. The volume and complexity of information exchange has expanded dramatically and brought with it the challenge of protecting our businesses both internally and externally.
Research says that 50 percent of employers will require some form of BYOD for work by 2017; at the same time, Arxan has reported that 90 percent of the top mobile apps have been hacked in some way or another. Thus, mobile can represent a serious security threat to your organization if you don’t have the right plan for it.
In sum, while enterprises are adopting the latest and greatest technologies to become more innovative, security concerns need to be assessed and addressed in a timely and proactive manner.
C = Cloud
Cloud is a reality, and in the upcoming years, we will see more and more enterprises sharing their data and applications in the cloud. Meanwhile, as companies move to SaaS-based models, so will identities as stakeholders access different repositories and information stores. Gartner expects the biggest growth to come from identity-as-a-service (IDaaS), which is a combination of administration, account provisioning, authentication and authorization. This new business model will require a new, nimble approach to IAM and even greater insight into user behavior.
Ultimately, the goal of security comes to one dominant focal point: Protecting data. And who has access to data? People do! Therefore, you need secure and monitor identities since those are simultaneously the strongest and weakest links in your security chain. Thus, your approach to securing people needs to evolve from being satisfied with the technology you currently have to support user administration. Instead, you need to proactively block insider threats and comply with security regulations, basing your decisions on analytical insight into what users are doing.
Manager Segment Marketing, IBM Security Systems