Why identity management is a business problem, not a technology issue

As organisations expand operations out into the multi-cloud, identity management needs to be reviewed, reimagined and reprioritised.

Why identity management is a business problem, not a technology issue

As organisations expand operations out into the multi-cloud, identity management needs to be reviewed, reimagined and reprioritised.

Jody McCaskill
Jody McCaskillSenior Product Manager, Managed Security Services

Identity management isn’t ‘just’ a security issue anymore

It’s more wide-ranging than that and is now a responsibility for the whole organisation to share. It can’t really be classified as a technology problem either; today, it’s a business problem. Understanding identity from these perspectives is what can make the difference between thriving and driving forward in the multi-cloud world, and falling prey to a damaging attack.

Let’s look at what’s behind this critical shift in thinking, and what it means for your organisation.

Be clear-sighted about the identity management challenges in the cloud

Firstly, it’s important to understand why identity is bigger than ‘just’ a security function.

The impact of identity failure can be shattering. The moment you step into cloud operations, the number of attacks stemming from compromised credentials goes sky-high. Research estimates that 61% of attacks come from identity breaches and compromised credentials, but, based on my conversations with organisations, that seems a conservative figure.

This makes securing identities in the cloud critically important – but is also harder to achieve because the scope of identification widens significantly. In the cloud, it’s not just the identity of humans that needs securing, it’s also all the non-human elements that may request access to data and systems. Identity responsibilities run wherever data travels, whether it’s passing through the cloud or between APIs, generating a need for architectures to verify identities and provide trusted identity verification between clouds. In this scenario, it’s vital to monitor all your SaaS deployments to make sure they fit your security posture – and that’s a big undertaking. Securing privileged identities is a particularly sensitive challenge in this environment. Privileged Access Management  (PAM) can really come into its own here, right-sizing privileged access controls to minimise the attack surface from external attacks or from insider negligent or hostile activity.

Identity management solutions are only effective with the basics in place

But before you can start implementing robust identity management solutions, there are three fundamentals to get straight first:

Understand your scope

You need to know what you’re covering so you can maximise tooling capabilities – and establishing an accurate inventory is far from easy. This is a key area that organisations talk to me about a lot, looking for practical support.

Make cost vs value decisions

Some legacy applications are unique to the organisation and extremely tricky to move into a single sign-on environment, pushing up costs. Watch out for situations where it’s not worth making the investment in applications that are coming to end of life.

Know and monitor your administrators

In such a widespread environment where all your people as well as third parties can need access, it can be hard to keep track of everyone who has administrator status. But if you can’t monitor this, how secure are you really?
 

At this point, many organisations are ready to launch straight into implementation, but I still advise caution and further consideration.

Invest time in understanding the complexity of identity in the cloud

Taking a beat and finding time to understand the whole identity picture is invaluable in getting security right, from where the traditional end-user identifications apply through to the multi-cloud and beyond.

Map out where privileged access, authentication, access management and governance and assurance fit into security requirements that stretch across users and endpoints, the edge layer, managed cloud security and through to the network layer. And explore how micro-segmentation controls across the layers can minimise identity breaches.

In my day-to-day security practice, I’m spending a lot of time helping organisations to protect their edge layer, particularly when they’ve experienced mergers and acquisitions or need to allow third-party identity access controls.

Think identity ‘strategy’ rather than point solutions

As I track the development of the Privileged Access Management  landscape, I’m increasingly convinced that we should treat identity like data – recognising that it has similar sovereignty issues. Effective identity management solutions today should be able to flex to meet the regulatory requirements of different regions, so the organisation’s data assets are protected wherever they are held.

Given the complexity of all this, managing your identity platform across a global estate may be something you think about outsourcing. However, it’s important to remember that you can’t outsource accountability, even if you outsource operations. You’ll need to keep a close eye on who is responsible for what and feed this into your strategy management.

So, where does that leave you?

It’s clear that identity management is essential if you’re to have defence in depth, and that it’s a complex area to navigate. Because of this, it’s worth investigating how strategic partnerships can add value to your security by bringing expertise to the table, and how a through-life partner can take on a share of the risk.

Securing the multi-cloud, and everything in it

Our security experts see securing the multi-cloud as a holistic activity. Our approach highlights the importance of the identity of human and non-human users, admin accounts and endpoints. As part of this approach, we also prioritise protecting your data in transit and at rest, so you can meet your confidentiality, availability and integrity requirements.