The Hollywood view of cyber security gets all excited about zero-day exploits, but real incidents are all too mundane with hackers (or insiders) using legitimate access in illegitimate ways.
We have previously discussed 'Getting the best value from your identity tools' and taking a broader, risk-driven view of 'What counts as 'Privileged' access', and the challenges of applying nice clean access models to complex messy reality (and legacy systems) in 'The realities of IAM'.
In this blog, which is part of our latest Identity series, we’ll revisit some of the challenges discussed previously and how you can identify them in your organisation and make traction by linking them to business risk and business opportunity.
'Identity as the perimeter' is more than a marketing phrase. Modern IT environments no longer have a physical or logical perimeter with firewalls and data centres. The use of multi-cloud infrastructure and wide adoption of SaaS tools such as Workday, Office 365 and Salesforce mean your data and processes are everywhere - and that's before we look at your third parties, partners and all the access they need to work with you.
We need comprehensive approaches to identity and access management (IAM) that consider risk across your legacy environments and new cloud-based diaspora that allow us to make informed decisions about who should have access to what (and when).
We need good identity data and clear processes around how the identity data is maintained, shared and used downstream by applications. It may be an inconvenience to have someone's preferred name overwritten by their formal legal name in the internal address book, but more serious incidents can be caused by stale identity data - imagine an on-call doctor or engineer whose contact details are out of date during a critical incident.
As the Microsoft CISO Bret Arsenault put it "Hackers don't break in, they log in".
We have to be able to look at not only what access is out there assigned to identities, but also how it's being used - least privilege and zero trust are good goals to aspire to, but difficult to achieve in practice. For every identity that has access to your systems, you need to think about what an attacker could do with their access?
Once you consider the potential impact from over permissioned accounts, the benefits of reducing the amount of access to 'Just Enough' and limiting it to 'Just In Time' become more visible!
Monitoring 'Who Did What', having that audit trail of identities, actions and assets is increasingly as important as knowing 'Who Can Do What' - both in terms of managing the sprawl of under- or unused permissions, but also to detect anomalies that might indicate an attacker or malicious insider using legitimately granted access for an illegitimate purpose.
Combining the tools to manage identity data, authentication and authorisation, privileged access management, and identity governance and automation (IGA) is no small challenge - these are all critical operational technologies with significant impact on the day-to-day working of all your employees if they fail. But there are significant business benefits too - low friction authentication improves the user experience, good IGA and PAM controls reduce the risk of excessive access existing and being misused and increase the efficiency of on boarding processes - making sure IT access 'Just Works' rather than the days or even weeks of waiting that can be an accepted norm for some organisations.
It's not just about tools
When looking at getting a return on value from your tooling, historically many organisations have bought the tools (on-prem or SaaS), and then drastically underused the functionality available. One significant reason is deploying as a technology-led project and not building the operating model around the tool – to map it into business processes and provide a ‘full service’. Like buying the F1 car with no pit crew – you won’t win many races.
Savanti can help you retrofit an operating model to your existing tools, or plan one alongside a tooling refresh or technology migration.
A risk-driven approach
When you look at the broadening category of privileged access, it’s not just engineers accessing critical servers anymore. Privileged data or high-risk access in tools like Salesforce, Workday, cloud management consoles or even corporate social media mean that a risk-driven approach has to consider applying our privileged access controls to manage this sensitive access too.
Savanti would always advocate a risk-driven approach, and we can help you identify the non-traditional PAM use cases, the technical capabilities to bring them under control, and the operating and change management processes to roll out the new controls in a sustainable way.
We previously discussed the challenge of right-sizing access models and trying to balance abstract purity and complex reality, and how Savanti can help you navigate this process to find something that reduces risk and administrative overheads and is sustainable and usable.
There are many tools that can help review your current access and highlight patterns and clusters of access but getting access models right is still a mixture of art and science – artificial intelligence (AI) hasn’t solved this one yet!
Savanti can also help you gather the right data to make good decisions on an access approach which works for your business, allows you to manage your legacy systems without being held back by them - and get the benefits of ‘Best Of Breed’ tooling for modern cloud infrastructure where access rights have proliferated. The root cause of many security incidents is misconfiguration or unintentionally granted access (see the Cloud Security Alliances 2022 ‘Top Threats to Cloud Computing’ report)
Savanti are identity strategy and implementation experts and help clients at all stages of their security maturity to tackle the complex challenges that come with identity-centric security.