Subscribe
About

Future of cyber security requires learning from past mistakes

To be successful, identity and access management must be approached in a planned, phased and tested manner.
Paul Meyer
By Paul Meyer, Security solutions executive, iOCO Tech.
Johannesburg, 21 Feb 2023

Identity and access management (IAM) and zero trust solutions today are essentially the key to your digital kingdom. Past mistakes have amply illustrated it is short-sighted to solely rely on fallible perimeter and device-centric security controls.

Organisations are scrutinised in line with regulatory compliance laws pertaining to privacy and data, with non-compliance often resulting in severe financial implications in the form of fines, legal and remediation costs, immeasurable trust and reputational loss.

Protecting sensitive data not only pertains to hosting systems, but also to the credentials (users) and rights assigned to those who can access and possibly manipulate it. This has become a focal point in IT security, as organisations cannot rely on the awareness and skills of their users to protect their sensitive data and systems.

All is compounded by the fact that businesses today have applications and data deployed on-premises and across multiple cloud services, and they have user populations that demand access to information from any location and any device.

Zero trust requires that companies no longer assume trust and maintain strict access controls. The bottom line is that nobody is trusted by default, even those who are already inside the organisation are augmented by a policy of least privilege: granting access to only what is needed. Nothing more. Nothing less.

In South Africa, we are renowned for our resilience to "maak 'n plan" to get things done. This also relates to IT users across the globe that 'invent' innovative ways of bypassing organisational security controls to get their jobs done.

One thing I can guarantee is that you will not achieve regulatory compliance without a proven IAM solution that is deployed and fully functional.

This often has disastrous consequences and data is exfiltrated from under enterprise control and manipulated on private systems which are not secured for company data use.

As you can imagine, this approach highlights many security loopholes and much-needed security measures and policies that need to be applied. This can be daunting, as IAM solutions − including data loss prevention and multi-factor authentication − are complex, difficult to deploy and cumbersome to adopt and adapt to, in any organisation.

To be successfully accepted and correctly utilised, IAM needs to be approached in a planned, phased and tested manner.

One thing I can guarantee is that you will not achieve regulatory compliance without a proven IAM solution that is deployed and fully functional.

Luckily, some vendors have focused on this dilemma and brought us leading IAM solutions that are easier to deploy and integrate into diverse environments with in-house-developed applications and software.

Today's organisations need a new security model that more effectively adapts to the complexity of the modern environment, embracing the hybrid workplace, and protecting people, devices, apps and data wherever they're located.

Constantly innovating and assisting in managing the security chain of evidence on data and resource usage, IAM solutions offer a wide variety of features that enhance security posture significantly, including remote session recording that answers the age-old question: who is watching the watchers?

Zero trust makes this a lot easier. If you, even as a systems administrator, are not assigned the necessary rights to access a specific data set, or the system itself, you will be explicitly prohibited and prevented from doing so.

Gone are the days when one set of administrator credentials had access from the firewall to the domain controller so that when compromised, the entire enterprise was exposed.

I would like to provide clarity on the terminology. In general, identity management is concerned with authentication, and access management is concerned with authorisation.

A simple analogy would be when you arrive at the company headquarters on a Sunday morning, the security guard looks at your credentials and verifies you are who you claim to be − that's authentication. But he won't let you in because he says that given it is the weekend, you are not authorised to access the building.

Access management consists of a number of products that relate to how access to systems and resources is authorised.

Privilege management and delegated administration solutions help organisations to enforce least privilege. They also ensure administrators can only make safe, audited and specific manual changes within an active directory that complements the central identity policy.

This enables admins to define what identities can or cannot do on their local machines, such as add programs or save to a USB drive.

Zero trust calls for a higher level of security in a hybrid ecosystem that is not just focused on authenticating the identities of internal employees and their access to applications and cloud-based data services.

Digital transformation means organisations are interacting with mobile workforces, increasingly working from home or in coffee shops, and/or bringing their own devices.

These interactions, and the data collected − all powered by identity − may not be with a carbon-based life form, but with things, such as sensors on cars, or with services via application programming interfaces.

It's important to understand the organisation is not an island; it is interacting with partners, vendors, a supply chain − again driven by identity authentication and authorisation − that can expose the business to vulnerabilities. These partners may access a shared system, such as Salesforce or SAP.

Also, businesses are managing the identities of customers who need access to corporate websites, web portals and web shops − potentially at very large scales, also referred to as customer identity and access management.

This enables organisations to have a single view into what services their customers are consuming, instead of this data being siloed across mainframes and different apps with different e-mail logins. With this single view, a bank's marketing department, for example, can identify needs and target the customer with customised services.

In my next column, I will expand on the full security ecosystem and what needs to be implemented to achieve a successful IAM and zero trust scenario.

Share