With the emergence of identity as the new perimeter, today’s enterprises are not neglecting its role in supporting digital transformation, cloud adoption and a distributed workforce. According to a recent report (registration required), 64% of IT stakeholders consider effective management and protection of digital identity to be either a top priority (16%) of their security program or in the top three (48%). Despite this, businesses continue to struggle with identity breaches, with 84% of security and IT professionals reporting that their organizations suffered from such breaches in the past year.
Getting buy-in for identity-centric security is vital, but the rationale for investing in cyber security is not a matter of trading on FUD (Fear, Uncertainty and Doubt). Pushing identity further into strategic discussions requires the ability to demonstrate business value – to show how identity-based security aligns with and supports business goals.
Almost all survey participants (98%) said the number of identities in their organizations is growing, with commonly cited reasons including cloud adoption, more employees using technology, stronger relationships with third parties and the rise in machine identities. Many modern businesses are therefore under enormous pressure to provide seamless and secure access to data and resources in an increasingly distributed and complex environment.
This complexity, combined with motivated attackers and the increasing number of identities that need to be managed, makes effective identity management a critical part of business development operations. Among organizations that experienced an identity breach last year, common themes were issues such as stolen credentials, phishing, and mismanagement of privileges. The direct impact of a breach on a business can be significant, with 42% citing a significant distraction from core business, 44% citing recovery costs, and 35% reporting a negative impact on the organization’s reputation. Loss of revenue (29%) and customer churn (16%) were also reported.
Transforming IT needs into business needs
The arguments for focusing on identity are clear, but how do we begin to translate IT needs into business needs? The first step is to align the organization’s priorities with where identity-driven security can fit. Business goals tend to revolve around reducing costs, improving productivity, and minimizing risk. Therefore, conversations about identity-based security need to demonstrate how this approach can advance some or all of these points.
From a performance perspective, for example, tight identity management simplifies user provisioning and the validation of access rights. This means that employees can be onboarded more quickly and any employee who leaves will automatically have their access revoked. Eliminating manual effort reduces the chance of errors, including over-privileged users who create unnecessary exposure risk. The more streamlined and automated the processes related to the management of identity data, the more efficient the business is – and the more secure.
As noted earlier, some of the driving forces behind the growth in identities include the adoption of the cloud and the rise of machine identities. The rise of machine identities is partly due to Internet of Things (IoT) devices and bots. IoT and the cloud are often part of digital transformation strategies that can easily get bogged down by access issues and by the need for consistent enforcement of security policies. This reality provides an opportunity to discuss how businesses can safely adopt these technologies without compromising compliance and security requirements.
A framework for discussing security in the context of a breach
Multi-factor authentication (MFA), for example, has been cited by many IT and security professionals as a measure that could prevent or minimize the effects of the breaches they have encountered. MFA is vital for ensuring access control, especially for businesses with remote employees or those using cloud-based applications and infrastructure. Like them or not, passwords are everywhere. But they’re also an attractive (and relatively easy) target for threat actors looking to gain access to resources and gain a foothold in your environment. Along with other identity-focused best practices that improve the security posture, MFA provides another layer of protection that can strengthen an organization’s security.
In addition to MFA, IT and security professionals commonly note that more timely privileged access checks and continuous discovery of all user access rights would have prevented or mitigated the impact of a breach. While many of these efforts are ongoing, overall it appears that organizations are beginning to get the message.
When asked if their organization’s identity program was included as an area of investment in any of several strategic initiatives in the past year (zero trust, cloud adoption, digital transformation, cyber insurance investments, and supplier management), almost all selected at least one. Fifty-one percent said identity was an area of investment in zero-trust efforts. Sixty-two percent said it was part of cloud initiatives, and 42% said it was part of digital transformation.
Getting started with identity-based security doesn’t have to be difficult. However, it requires understanding your environment and business priorities. By focusing on how an identity-driven approach to security can support business objectives, IT professionals can gain the leadership support they need to implement technologies and processes that will raise the barrier to entry for threats.