At the start of the pandemic, security decision makers were focused on making remote work feasible — fast. They revamped Identity and Access Management (IAM) strategies, cobbled together what they had and accomplished technical feats in tight timeframes. They worked around the clock, made some tough calls and cultivated unexpected new leadership skills along the way.
Today, these security leaders are turning those rapid response plans into permanent Zero Trust-centered cybersecurity programs. You could call this the “era of second chances,” as CyberArk Chief Strategy Officer and Head of Corporate Development Clarence Hinton recently described it during a fireside chat featuring a Forrester analyst. But the pressure is on to get it right.
The Era of Second Chances for Security Decision-Makers
“We’ve seen three megatrends — digital transformation, cloud migration and the shift left — in flight for some time,” said Hinton. “The pandemic had a dual effect of accelerating each of those trends, while introducing the work-from-anywhere dynamic.”
Now, two years into countless iterations of “the new normal,” there’s actually no such thing as “normal” at all: some workers are back in the office, others are on the road, some are at home and many others are taking it day by day. Meanwhile, technology keeps moving to the cloud to enable anywhere, anytime innovation and improve both customer and employee experiences. And across the now-borderless enterprise, the number of human and machine identities continues to climb.
“Each human user has a different level of access to different corporate systems. Machines — from RPA bots to API calls — each have their own entitlements, though they’re often overlooked or poorly controlled. And out of the gate, there can be thousands of entitlements to any given cloud platform,” said Hinton. He described this untenable situation as an “overall proliferation of privileges” and said that “we’ve reached a point where ‘identity’ and ‘privilege’ have become almost synonymous.”
All the while, attackers keep innovating. “From big game hunters and organized cyber crime syndicates to nation state actors, it’s safe to say we’re in the most expansive cyber threat landscape ever seen,” Hinton said.
On the bright side, security leaders’ show-me-the-money cries are finally being answered as cybersecurity becomes a Board-level issue. Between the budgets they’ve earned and lessons they’ve learned, many teams now have an opportunity to modernize their IAM infrastructures with Identity Security technologies that enable greater agility and pave the way for Zero Trust.
Four Tips for Smarter Security Spending
There’s a sense of urgency — which is a good thing. But you must have a plan, cautioned Hinton. It may seem on the surface that achieving Zero Trust is a bit like boiling the ocean — instead, the challenge should be broken into achievable initiatives based on risk. So, the question becomes, “How do I sequence my security spending in the most effective way possible?”
Hinton shared perspectives on how the following steps can help drive more informed decision-making:
- Conduct a maturity assessment. Even if you’ve done one before, do it again. It’s like getting a regular health physical: you’ll see what’s in great shape and pinpoint deficiencies to address before they become real problems.
- Align with business priorities. Map security controls to key business priorities and see how well they line up. Perhaps your organization is planning to launch a new digital transformation initiative and your on-premises Privileged Access Management (PAM) system won’t scale to meet the needs of the program. Such gaps should be high on your priority list.
- Identify high-risk areas. Determine where you can mitigate the most risk in the shortest amount of time. For instance, organizations will often prioritize protections for identities — and their related privileged credentials — that can be exploited to control an entire environment, such as domain admin and cloud admin accounts. For some organizations, this may first require a discovery exercise to uncover identity and privileged access-related weaknesses across hybrid, cloud and DevOps environments.
- Examine your metrics. Take a hard look at the security metrics you have in place. Are they truly useful in demonstrating program maturity and overall value? And are you reporting these metrics effectively to stakeholders at various levels of the business? Building these foundational elements into your reporting can help you optimize the existing program and surface new opportunities for automation and standardization.
These steps can help you prioritize your efforts but always keep the larger picture in mind. “There is no shortcut or easy button — you have to approach security holistically,” Hinton said.
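The “identify high-risk areas” step above turns on knowing who actually holds domain-admin-level privilege, which in most environments requires a discovery pass rather than trusting the group list as documented. The following PowerShell script is an added example written for this page; it is not code from CyberArk or from Hinton’s talk. It covers the on-premises Active Directory side of the discovery exercise: it expands the Tier-0 groups recursively (nested groups are where undocumented admins usually hide) and flags members whose credential hygiene makes them a priority for PAM onboarding. The group names, the 90-day password-age threshold and the 60-day stale-logon threshold are assumptions to adjust for your environment; it requires the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the CyberArk post): enumerate the groups that control
# an Active Directory forest and flag privileged accounts with weak credential
# hygiene. Requires the RSAT ActiveDirectory module and read access to the domain.
# Group names and thresholds are assumptions; tune them before relying on the output.
Import-Module ActiveDirectory

$Tier0Groups   = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$MaxPwdAgeDays = 90   # assumption: rotation expectation for privileged credentials
$StaleDays     = 60   # assumption: no logon in this window suggests an abandoned account

$findings = foreach ($group in $Tier0Groups) {
    # -Recursive expands nested groups; Enterprise/Schema Admins only exist in the
    # forest root, so missing groups in a child domain are skipped rather than fatal.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties `
            Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate, ServicePrincipalName

        $issues = @()
        if ($u.PasswordNeverExpires) { $issues += 'PasswordNeverExpires' }
        if (-not $u.PasswordLastSet) {
            $issues += 'PasswordNeverSet'           # must-change-at-logon or never used
        } elseif ($u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPwdAgeDays)) {
            $issues += "PasswordOlderThan${MaxPwdAgeDays}d"
        }
        if ($u.Enabled -and $u.LastLogonDate -and
            $u.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
            $issues += "NoLogonIn${StaleDays}d"
        }
        if ($u.ServicePrincipalName.Count -gt 0) { $issues += 'HasSPN' }  # Kerberoastable admin
        if (-not $u.Enabled) { $issues += 'DisabledButStillPrivileged' }   # clean-up candidate

        [pscustomobject]@{
            Group           = $group
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Issues          = ($issues -join ';')
        }
    }
}

# One row per account, accounts with the most issues first; the CSV is the
# artifact to bring to the risk-ranking discussion with the business.
$findings | Where-Object { $_.Issues } |
    Sort-Object Account -Unique |
    Sort-Object { ($_.Issues -split ';').Count } -Descending |
    Format-Table -AutoSize

$findings | Export-Csv -Path .\tier0-account-review.csv -NoTypeInformation
```

Run it from a workstation with the AD module installed under an account that can read group membership; no write access is needed. Accounts tagged `HasSPN` or `PasswordNeverExpires` in a Tier-0 group are the ones that can be exploited to control the whole environment and are a natural first tranche for vaulting and rotation. Cloud admin roles (for example, a tenant’s global administrator role) need an equivalent review through the cloud provider’s own API, which this script does not cover.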
Passwordless: A Zero Trust Priority
For many security and IAM leaders, tackling the password problem is a top item on their lists. “You could argue that passwords are the weakest link,” Hinton said. They’re so often what attackers use to get in the door and what attackers go after once they’re inside to escalate privileges. Not to mention that end users, who juggle 80+ passwords on average, are fatigued by passwords or fed up with them entirely.
“The concept of a passwordless environment has been around for some time, but until recently, it was mostly wishful thinking — the stuff of science fiction,” Hinton continued. “But now, device-based authentication, biometrics and even behavioral analytics are making passwordless more attainable.” Industry standards such as FIDO are also evolving alongside technology to help reduce the world’s reliance on passwords and make authentication simpler and stronger.
With identity at the forefront of security conversation, now is a good time for security leaders to put that passwordless pilot program into motion, encouraged Hinton. It will be a big shift, so start small. For instance, work first with your IT team, which is typically made up of highly privileged users, and then expand to a business unit that’s willing to partner with you through some initial growing pains. It’s a long-haul approach, but it’s one that will ultimately benefit everyone.
A strong passwordless experience — one that authenticates each identity with a high degree of assurance — is a foundational Zero Trust component. When combined with broad least privilege enforcement, context-aware access controls and continuous monitoring mechanisms, it gives organizations a structured way to secure each identity — human or machine — without slowing things down.
In looking for ways to maximize this “second chance” at IAM success, consider the business impact of your security spending decisions, Hinton encouraged. Enhanced productivity, user experiences and customer value are what define successful companies. And that’s what an identity-centric approach to security can deliver.