A Question of Identity: The Evolution of Identity & Access Management

The cloud is the de facto platform for delivery of applications and services in the modern digital era. Identity as the new digital perimeter is the cornerstone for assuring secure "Anytime, Anywhere, Authorized" access to protect enterprise security and privacy. Zero Trust and SDP complement Identity to secure the extended enterprise ecosystem given the rash of supply chain attacks and exponential growth of IoT devices, many of which lack adequate security. Self-Sovereign Identity (SSI) is a bold new frontier in identity and access management (IAM).

People, process & technology framework

A successful IAM program requires all three dimensions—people, process, and technology—working in concert to enhance the user experience, fuel efficiency gains, and minimize enterprise risk.

• People: Business relationship management between HR and IT is essential for a successful IAM program. End-user training and awareness can also help mobilization and wider app integration. Extending "The Power of Federation"—my philosophy that trusted partnerships and alliances have the power to lead change because we are better together—across the enterprise ecosystem to customers, suppliers, and partners is also mission-critical to protect the supply chain.
  
  
• Process: A map showing the current and future state business processes is a key tool when leveraging lifecycle management powered by the HRIS system and the ILM framework for automated provisioning and deprovisioning. This can illustrate benefits and efficiency gains as well as the change in roles in responsibilities due to automation.
  
  Further, use blueprints of key business processes to design workflows. IAM centralizes and automates the identity and access management life cycle, creating automated workflows for scenarios such as a new hire or a role transition. This can improve processing time for access and identity changes and reduce errors. Processes enable Identity to power people-centric security.

• Technology: Technology is the foundation for an IAM program delivery within a layered security architecture. IAM has two primary pillars:
  • Identity Enablement: This means single sign-on, multifactor authorization for "anytime, anywhere" authorized access and human resource information systems—or HRIS—powered lifecycle management for automatic onboarding and offboarding, which is a major value-add.
  • Identity Governance: This concerns the business processes and guard rails for effective IAM service assurance.

Zero Trust and Software Defined Perimeter

Zero Trust security requires that cybersecurity professionals stop trusting packets as if they are people. It eliminates the principle that there is a trusted internal network—or the "castle and moat"—and untrusted external networks. In Zero Trust, all network traffic is untrusted.

Zero Trust eliminates the "castle and moat" view and postulates that all network traffic is untrusted.

Zero Trust transforms conventional network-based security by changing the focusing security centered on users, applications, and data. It leverages Identity as the new digital perimeter. In a sense, Zero Trust enacts micro-segmentation stratified by Identity.

Zero Trust requires a culture change to manage security from the inside out and entails:

• Providing users with the least amount of access needed
• Verifying whether users are internal or external always
• Enacting business process architecture and data flow mapping
• Enhancing privacy safeguards, adding business value, and minimizing risk

Zero Trust strengthens access controls for the extended enterprise ecosystem. It leverages a federation of technologies across the Services, Application, and Infrastructure dimensions of a layered security architecture, including:

• Identity & Access management (+MFA)
• Enterprise Mobility Management
• Privileged Access Management
• Encryption
• Software-Defined Perimeter
• Orchestration
• Analytics
• Risk Scoring

Software Defined Perimeter (SDP), aka the "Black Cloud," enacted by the Defense Information Systems Agency in 2007, has evolved into a Cloud Security Alliance (CSA) framework for enhancing network security architecture in hybrid and multi-cloud environments.

SDP enforces the need-to-know principle by verifying device posture and identity prior to grating access to applications. It has been known to effectively combat common network-based attacks. SDP extends Zero Trust by controlling access to applications and digital resources dynamically, based on the three key dimensions of User Identity, Device Security, and Session Risk.

The author postulates the notion of the "Identity Coin" with two sides as follows. Session risk evaluation secures every connection attempt dynamically based on these factors.

• Physical: Person, Device, Location
• Logical: User Attributes, Behavior, Context, Patterns, and Role

The trifecta of Identity, Zero Trust, and SDP together:

• Diminish risk
• Enhance agility
• Strengthen security & privacy
• Increase visibility
• Reduce costs
• Reinforce breach protection

A trend fast gaining momentum is the shift from legacy VPN to cloud powered Zero Trust Network Access (ZTNA) to strengthen enterprise security and scalability. Gartner has projected that by 2025, more than 60% of organizations will move away from VPN and rely on ZTNA.

[RELATED: Death of the VPN: A Security Eulogy]

VPNs have notably higher operating costs and lower scalability when using device-based architecture. VPNs have also manifested weaker security, including:

• VPN hijacking: Unauthorized users take over a VPN connection remotely
• Man-in-the-middle attacks: Attackers intercept data in transmission
• Weak user authentication: Absence of Multi-Factor Authentication
• Split tunneling: Using an insecure internet connection while accessing the VPN—"chink in the armor"!

Nation-state attackers have exploited high-severity vulnerabilities in legacy VPN platforms to breach networks.

Caveat: There may be specific use cases such as legacy applications where using VPNs is the only option. In this case, CISOs must manage the risks due to the technology debt.

ZTNA enhances business agility via a more scalable and secure identity architecture. Adoption of ZTNA can help save money and minimize enterprise risk. ZTNA enhances security and privacy by deploying a "cloak of invisibility" while enacting "Anytime, Anywhere, Authorized" access.

Identity Governance (IGA)

Challenges abound in the enterprise that are opening the door to greater compliance and security risk.

• Ninety-five percent of cybersecurity breaches are due to human error (Symantec Internet Security Threat Report).
• Seventy-nine percent of organizations have experienced an identity-related breach (Identity Defined Security Alliance).

Every organization is dealing with the proliferation of increased application. Adding to this wave of applications, business users are now extracting and creating more files and documents stored in a growing variety of ungoverned file storage systems. With a rising tide of external and internal threats, together with a lack of control and visibility to sensitive files, organizations have put themselves in a position fraught with risk.

Though the number of applications and the volume of data will continue to grow as threats persist, a comprehensive Identity Governance approach can help mitigate the risk presented by these challenges. Organizations must take a comprehensive approach to Identity Governance that encompasses both applications and files. By extending identity governance processes to also include data stored in files, organizations can apply a common set of controls across enterprise applications and data.

Whether the data resides within applications, or across various file servers or cloud storage systems, you must consistently address compliance requirements and secure data from threats. This strategy now provides a more complete sphere of governance across applications and files by putting identity at the center of security and IT operations.

Identity Governance is mission critical and can complement Zero Trust by helping manage:

• Provisioning / Deprovisioning Lifecycle
• Access Requests
• Password Management
• Access Certifications
• Separation of Duties
• Identity-centric File Access Management
• Identity-centric Cloud Governance
• Access Analytics and Modeling
• Principle of Least Privilege
• Data Security & Privacy

Traditionally, identity management models are workforce centric. CISOs must now envision and enact holistic supply chain identity strategies for provisioning identities to individuals, systems, and IoT devices outside of but connected to the company.

An identity strategy enabling an interwoven supply chain needs to extend beyond the enterprise boundary to customers, partners, suppliers, connected devices, and the relationships between them. It is mission critical to understand and manage these myriad relationships and connections. They represent the touch points and interfaces to systems and data, where the security and privacy risk nexus exists.

Data characterization / permissions, access control and lifecycle management powered by Blockchain, and digital trust models are rising to the fore. These can help strengthen IGA for the supply chain. However, business process and relationship management are also critical; e.g., suppliers should take away access to exited employees and not recycle IDs, as well as inform the host company of key exits.

Identity and the Internet of Things (IoT)

It is important to enact proactive control strategies for IoT devices via the strategic dimensions:

• Device Visibility
• Policy Definition
• Behavior & Risk Analysis
• Policy & Standards Enforcement
• Identity Lifecycle Management

The following IoT Security Guiding Principles are foundational for deploying an IoT strategy:

1. Characterize: Identify and classify assets and stratify them by business value and risk
2. Demarcate: Implement network zones and clear segmentation between IT and OT networks.
3. Understand: Visualize and identify threats and vulnerabilities across networks inclusive of devices and traffic.
4. Unify: Control access by users and devices across both secure wireless and wired access.
5. Adapt: Leverage Zero Trust principles to enact adaptive control schemes in real time.
6. Converge: Develop explicit third-party access and risk management protocols including Privileged Remote Access, which are particularly relevant to OT networks to strengthen the security architecture.
7. Beware: The following root causes have led to IoT device security issues in the past. Keep a proactive eye out for static credentials, unpatched and unencrypted devices, and API security gaps.

Specific rules of engagement for IoT Identity:

• Identify a naming system for IoT devices.
• Establish an IoT identity lifecycle.
• Enable data driven device registration.
• Define security protocols & safeguards.
• Design and deploy an authentication / authorization process.

Self-Sovereign Identity is a bold new frontier in Identity Management. It promises to enable everyone to take charge of their own identity like a "sovereign country" in a secure digital trust world. SSI leverages Blockchain for identity assurance to enable everyone to control their identity and digital credentials.

SSI postulates protection of privacy via a secure and trustworthy identity management framework, and enacts a digital passport to authenticate one's identity using own credentials. Thus, SSI will eliminate the need to give up control of personal data each time for new services. Consequently, it minimizes the risk of individual identity theft by hackers.

Championing IAM as a business Enabler

Framing IAM as a strategic business enabler is a multi-step conversation.

Enterprise risk:

Business drivers for deployment of an IAM solution that minimize enterprise risk are:

• Employee Onboarding & Off-boarding
• Cloud Computing Governance
• Intellectual Property Protection

Macro environmental factors:

The 2020 Verizon Data Breach Investigations Report (DBIR) found that more than 80% of hacking-related breaches leveraged stolen and/or weak passwords. An IAM solution with adaptive MFA combined with Zero Trust can help minimize this risk.

Business drivers:

• Compliance/audit requirements
• Cost savings and efficiency gains
• Breach prevention
• Minimize/avoid stolen or misused credentials
• Leverage analytics and risk-based authentication
• Support distributed work in a scalable secure manner

Strategic imperative:

• Position IAM as a strategic cornerstone for the security program.
• Leverage tools such as the Intel Business Value Index to illustrate.
• Link IAM to business objectives (e.g., M&A).

IAM is a strategic business enabler and helps assure effective enterprise security and privacy. The ability to enhance data protection is mission critical due to global privacy regulations such as the Global Data Protection Regulation (GDPR) where potential fines range from 20 million euros up to 4% of global revenue.