Firstly, it’s important to understand why identity is bigger than ‘just’ a security function.

The impact of identity failure can be shattering. The moment you step into cloud operations, the number of attacks stemming from compromised credentials goes sky-high. Research estimates that 61% of attacks come from identity breaches and compromised credentials, but, based on my conversations with organisations, that seems a conservative figure.

This makes securing identities in the cloud critically important – but is also harder to achieve because the scope of identification widens significantly. In the cloud, it’s not just the identity of humans that needs securing, it’s also all the non-human elements that may request access to data and systems. Identity responsibilities run wherever data travels, whether it’s passing through the cloud or between APIs, generating a need for architectures to verify identities and provide trusted identity verification between clouds. In this scenario, it’s vital to monitor all your SaaS deployments to make sure they fit your security posture – and that’s a big undertaking. Securing privileged identities is a particularly sensitive challenge in this environment. Privileged Access Management  (PAM) can really come into its own here, right-sizing privileged access controls to minimise the attack surface from external attacks or from insider negligent or hostile activity.

But before you can start implementing robust identity management solutions, there are three fundamentals to get straight first:

You need to know what you’re covering so you can maximise tooling capabilities – and establishing an accurate inventory is far from easy. This is a key area that organisations talk to me about a lot, looking for practical support.

At this point, many organisations are ready to launch straight into implementation, but I still advise caution and further consideration.

Taking a beat and finding time to understand the whole identity picture is invaluable in getting security right, from where the traditional end-user identifications apply through to the multi-cloud and beyond.

Map out where privileged access, authentication, access management and governance and assurance fit into security requirements that stretch across users and endpoints, the edge layer, managed cloud security and through to the network layer. And explore how micro-segmentation controls across the layers can minimise identity breaches.

In my day-to-day security practice, I’m spending a lot of time helping organisations to protect their edge layer, particularly when they’ve experienced mergers and acquisitions or need to allow third-party identity access controls.

As I track the development of the Privileged Access Management  landscape, I’m increasingly convinced that we should treat identity like data – recognising that it has similar sovereignty issues. Effective identity management solutions today should be able to flex to meet the regulatory requirements of different regions, so the organisation’s data assets are protected wherever they are held.

Given the complexity of all this, managing your identity platform across a global estate may be something you think about outsourcing. However, it’s important to remember that you can’t outsource accountability, even if you outsource operations. You’ll need to keep a close eye on who is responsible for what and feed this into your strategy management.

So, where does that leave you?

It’s clear that identity management is essential if you’re to have defence in depth, and that it’s a complex area to navigate. Because of this, it’s worth investigating how strategic partnerships can add value to your security by bringing expertise to the table, and how a through-life partner can take on a share of the risk.

Our security experts see securing the multi-cloud as a holistic activity. Our approach highlights the importance of the identity of human and non-human users, admin accounts and endpoints. As part of this approach, we also prioritise protecting your data in transit and at rest, so you can meet your confidentiality, availability and integrity requirements.