In season three of The Office, prankster Jim Halpert impersonates his coworker Dwight in what has become one of the show’s most iconic cold opens. While Jim only intends to tease, his prank is more poignant than he perhaps realizes. Together, we all learned from Dwight that “identity theft is not a joke” (and that bears don’t eat beets). We may have laughed then, but it’s true — especially when it comes to the “perimeterless” enterprise networks and cloud-based technologies and services empowering most digital enterprises today.
But first, let’s start with a definition. In the enterprise sense, when we talk about a “digital identity,” we’re talking about someone or something associated with an organization. That could mean an employee or customer or partner — or it could mean a non-human device, application or even a bot. There are also policies attached to a digital identity to describe the level of access that particular entity has to company resources and sensitive data.
Converging trends such as the adoption of SaaS, public cloud-based tools and flexible work-from-home policies have dramatically increased the numbers and types of identities within organizations. This explosive growth has created a host of new Identity and Access Management (IAM) challenges, prompting a surge in identity-related data breaches and necessitating a shift in how companies approach cybersecurity at a fundamental level. The convergence of these trends has given rise to the need for Identity Security. Identity Security is a holistic, risk-based approach to securing human and machine identities to protect sensitive enterprise applications, infrastructure and data. It offers a set of technologies that are foundational to achieving Zero Trust — a popular cybersecurity framework requiring every identity, whether internal or external, to be authenticated and authorized before access is granted.
“Zero Trust” and other popular industry phrases like “assume breach” and “defense-in-depth” are often associated with Identity Security-related topics, but understanding how they’re all connected can be tricky. Even IAM teams often say they could use some help in communicating the importance and inner workings of Identity Security in ways that various stakeholders can easily understand.
That’s why a simple how-to guide can come in handy and why we recently published our own version of the popular “For Dummies” book series. Highlighting plenty of real-world examples without the technical jargon, “Identity Security for Dummies” aims to make this important security topic more approachable.
Download it, bookmark it, even print it out (if that’s still your thing) — and refer to it whenever you’re looking for simple definitions and quick answers. For instance, you can dig into these six actionable steps for accelerating your Identity Security program:
1. Prioritize your Identity Security landscape
Most cyber attacks begin with identity compromise. After acquiring a valid set of credentials for an identity, attackers often work to uncover new levels of access — or “escalate privileges” — by targeting privileged accounts that open doors to IT systems, public cloud infrastructure, business applications, sensitive data and more.
While privileged accounts are often the No. 1 target for attackers, many organizations are unaware of the volume and location of privileged accounts throughout their IT environments. And on a very basic level, it’s tough to protect what you can’t see — or don’t even know about.
Implementing a successful Identity Security program starts with taking inventory of privileged accounts, credentials and misconfigurations that can create risk, and making note of what systems and data are most likely to be targeted. Once those have been identified, take stock of who (or what) has access to those high-risk assets.
Prioritize securing the most important things first — that means protecting the data most sensitive to your organization. Then you can work toward those assets that are less sensitive. Keep in mind that attackers may attack at a slant — looking for a foothold that they can use to pivot to bigger and better things.
2. Identify potential “new” targets
Once existing highest-priority assets are protected, then you can start planning for the future. That includes following where the logins are coming from and monitoring processes and procedures (both manual and automatic). Analytics and automation can be extremely helpful when it comes to sifting through logs associated with sensitive applications to understand who or what accessed what resource, when, for how long and for what purpose — helping you avoid the overwhelm of “analysis paralysis.”
3. Implement effective Multi-factor Authentication
Multi-factor Authentication (MFA) is an important control to help keep an identity from becoming compromised. However, MFA itself is not perfect. End users can still be tricked, no matter how well they paid attention to the last security training.
There are ways to tighten up MFA to help reduce the risk and keep it effective, including tools like biometrics (fingerprint or face recognition, for instance), push notifications on smart devices, device certificates (digital identifiers on approved devices) and more. Reducing manual password use not only increases the strength of security, but it also creates seamless logins for users — an operational and security win.
4. Protect high-risk access with Privileged Access Management
As organizations embrace cloud, DevOps, automation, IoT and more, the need for protecting privileged access continues to grow. Privileged Access Management (PAM) solutions are used to limit risk regarding infrastructure and administrative access to sensitive applications, systems and data. PAM solutions help manage, monitor and control access so that identities — human or machine — only have enough access to do what they are meant to do — nothing more, nothing less.
5. Allow just enough access to get things done
Privileged Access Management programs dovetail into a least privilege, Just-In-Time (JIT) approach for privileged access. JIT combines the concept of least privilege access with a time-based element. Users have the proper permissions and access for only a specific amount of time to resources necessary to do their job.
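To make the time-based element concrete, here is an added sketch of a JIT authorization check; it is not taken from the guide or from any PAM product. The `Grant` record, the function names, the four-hour ceiling and the sample identity and resource are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(hours=4)  # assumed policy ceiling for a single grant


@dataclass(frozen=True)
class Grant:
    identity: str         # human or machine identity
    resource: str         # exactly one named resource
    actions: frozenset    # only the actions the task needs
    not_before: datetime
    expires_at: datetime


def issue_grant(identity, resource, actions, start, duration):
    """Create a time-boxed grant; refuse wildcard scope and over-long windows."""
    if duration <= timedelta(0) or duration > MAX_WINDOW:
        raise ValueError("grant window must be positive and within the ceiling")
    if not actions or "*" in actions or "*" in resource:
        raise ValueError("grant must name specific actions on a specific resource")
    return Grant(identity, resource, frozenset(actions), start, start + duration)


def is_allowed(grants, identity, resource, action, now):
    """Default deny: allow only if an active grant covers this exact request."""
    return any(
        g.identity == identity
        and g.resource == resource
        and action in g.actions
        and g.not_before <= now < g.expires_at
        for g in grants
    )


def demo():
    # Constructed sample: one-hour read access to a single database host.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    grants = [issue_grant("alice", "db-prod-01", {"read"}, t0, timedelta(hours=1))]
    mid = t0 + timedelta(minutes=30)
    return {
        "in_window": is_allowed(grants, "alice", "db-prod-01", "read", mid),
        "wrong_action": is_allowed(grants, "alice", "db-prod-01", "write", mid),
        "other_resource": is_allowed(grants, "alice", "db-prod-02", "read", mid),
        "expired": is_allowed(grants, "alice", "db-prod-01", "read", t0 + timedelta(hours=1)),
        "too_early": is_allowed(grants, "alice", "db-prod-01", "read", t0 - timedelta(seconds=1)),
    }
```

Nothing has to be revoked when the window closes: the same request that succeeded at minute 30 is denied at minute 60 because the grant no longer matches.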
6. Motivate cultural change
Embracing an Identity Security approach on the path to Zero Trust isn’t just a “one and done” program. It’s also a mindset and requires a cultural shift that demands involvement and action from stakeholders beyond traditional IT infrastructure and security teams.
While quick action and risk reduction can be attained, deploying comprehensive Identity Security controls across mid- to large-sized organizations will happen in iterations, calculated and prioritized based on your greatest risks.
Communication and Organizational Change Management (OCM) is key for Identity Security programs to succeed — and support must come from the top. Beyond communicating security benefits, users should understand how Identity Security can benefit their daily work lives and improve operations while reducing risk.
So, where to begin with Identity Security? Zero Trust provides a strategic lens to evaluate where your organization stands today. And whether you’re just getting started on your Identity Security journey or taking your program to the next level, “Identity Security for Dummies” can help drive focus and overall progress toward your goals. With everyone looking through the same lens, you can determine the strength of your posture and come up with your next move. We suspect Dwight Schrute would approve.