Physical and network barriers that once separated corporate environments from the outside world no longer exist. In this new technological age defined by hybrid, multi-cloud and SaaS, identities are the perimeter. Any one identity—workforce, IT, developer or machine—can become an attack path to an organization’s most valuable assets.
With technology evolving at an unprecedented pace and new identities multiplying by 2.4x annually on average, CISOs must balance often-competing realities of past, present and future to implement effective identity security programs. This challenge may appear complex, but a proven and refreshingly simple “three-box solution” can help cybersecurity leaders create a winning strategy.
Understanding the “Three-Box Solution” Strategic Model
The “three-box solution” is a strategic framework created by Professor Vijay Govindarajan, a Wall Street Journal and New York Times bestselling author and globally recognized strategy and innovation expert. The model, as outlined in Govindarajan’s book, “The Three-Box Solution,” is based on an ancient Hindu philosophy of balance—in energy, time and resources—across three realms or “boxes”—present, past and future. Govindarajan posits that the more leaders plan for opportunity, the better the possibility of creating a successful future.
The “three-box” model promotes non-linear thinking—a shift in the traditional perception of time as a series of events. It suggests that to get to the future, organizations must construct it every day. Doing so means “managing the present” by optimizing existing processes and systems, “selectively forgetting the past” by eliminating outmoded practices that cannot stand the test of time and “creating the future” by innovating new ways of thinking and working. To be successful, leaders must demonstrate specific behaviors at each point on this continuum, as depicted in the below chart.
Applying the Three-Box Solution to Identity Security
Global organizations from GE to PepsiCo have applied this three-box model to transform specific areas of their businesses and, in some cases, their entire business models. CISOs and security leaders can also adopt this proven approach to enhance and advance their identity security strategies.
Box 1: Manage the Present
Managing the present focuses on optimizing robust security measures for existing identity systems. In many cases, this will involve:
- Protecting legacy systems. Legacy systems often lack modern security features, making them vulnerable to identity-related attacks. Implementing strong authentication mechanisms, such as multi-factor authentication (MFA) and regularly auditing access controls, are crucial steps. In some cases, leaders may opt to install a gateway to control and maintain visibility across legacy systems, fulfill audit requirements and isolate old systems.
- Enhancing monitoring and response. The focus on digital resilience—to meet business objectives and public missions to protect citizens—has never been greater. Visibility is key to resilience. By implementing comprehensive monitoring solutions that provide real-time visibility into user activities, security teams can detect and respond to suspicious behaviors promptly. Security teams are increasingly turning to AI to help secure privileged access across various environments and provide real-time support and guidance.
Box 2: Selectively Forgetting Outdated Identity Practices
To protect and optimize current systems, it is necessary to identify and eliminate outdated—or soon-to-be outdated—identity management practices. This may look like:
- Eliminating excessive privileges. Traditional identity management approaches often grant excessive privileges, increasing the risk of misuse. Adopting a zero standing privileges (ZSP) model, in which users receive the minimum level of privileges needed, only when needed, can significantly reduce this risk.
- Decommissioning outdated systems. Legacy systems that are no longer supported or secure should be decommissioned. This practice reduces the attack surface and simplifies the IT environment. Of course, this is not an easy task. So, design a way to isolate outdated systems to only entities that need restricted access to reduce known vulnerability exploitation.
Box 3: Creating the Future with Zero Trust and Modern Identity Security Solutions
Preparing for the future means embracing new security paradigms and technologies such as:
- Zero Trust architecture. The Zero Trust model assumes that threats can come from anywhere and mandates continuous verification of identities, device health checks and strict access controls. Implementing Zero Trust requires a shift from the traditional perimeter-based security model to one where access is granted based on dynamic risk assessments.
- Modern identity and access management (IAM). Employing advanced IAM solutions that support technologies like biometrics, adaptive authentication (based on risk levels) and machine learning can enhance identity security substantially. These technologies offer more accurate user verification and can adapt to changing threat landscapes.
- Zero standing privileges access in multi-cloud environments. Scoping just enough permissions to adhere to the principle of least privilege (PoLP) access means ensuring that permissions are limited to what’s necessary. Removing all standing access and enabling just-in-time (JIT) privilege elevation significantly reduces risks involving sensitive sessions in the public cloud. Security leaders are increasingly turning to SaaS solutions to help manage cloud access and enable operational efficiencies.
Three CISO Considerations for Checking the Identity Security Boxes
When applying the three-box solution to identity security planning, there are three important things to keep in mind:
- Balance innovation and security. While adopting new technologies to advance business objectives is crucial, organizations must ensure that transformation does not jeopardize legacy system security. A phased approach, prioritizing high-risk areas, can help manage this transition effectively. Many security leaders have turned to the CyberArk Blueprint for Identity Security Success to help them navigate this process.
- Build a security culture. Ultimately, security is all about people. Implementing new technologies and frameworks requires a significant shift in organizational culture. Emphasizing employee education and empowerment is crucial.
- Collaborate across the organization. Effective identity security requires collaboration across IT, security and business teams. Fostering strong communication channels and open, transparent dialogue will help ensure that security initiatives align—and stay aligned—with business objectives.
The “three-box solution” model offers CISOs and security leaders a structured approach for managing the inherent complexities of identity security. By addressing present challenges, phasing out outdated practices and embracing innovative approaches such as Zero Trust and zero standing privileges, CISOs will be better positioned to protect their organizations and face the future with confidence.
Claudio Neiva is CyberArk’s Security Strategic Advisor, Director (LATAM).
