Merriam-Webster defines identity as “the qualities, beliefs, etc., that make a particular person or group different from others.” These qualities are what make identity relevant to the concept of security.
Digital transformation and the increasing reliance on remote business continue to accelerate the adoption of new approaches for securing an individual’s identity and his or her rights to access information and systems in the cloud.
IT leaders, for their part, face new business demands that require digital trust across every interaction and channel. The imperative for 2022 is to empower Identity and Access Management (IAM) teams to support ongoing change driven by the evolution of technology best practices and by changes in organisational priorities, user expectations, opportunities and threats.
Jeffrey Kok, vice president of solution engineer for Asia Pacific and Japan at CyberArk, says every person accessing every application, computer and device exists as a form of identity.
“This can be administrators, IT privileged users, vendors, and machines. Identity security provides a holistic, comprehensive platform to secure these identities, using a consistent way to manage all the identity controls across the cloud, on-premise or hybrid environment,” he added.
IT security itself has been around for decades. Why is it more commonly used now?
Jeffrey Kok: People realised that IAM is insufficient to address the needs of the modern enterprise as organisations adopt cloud and digitalise.
“Many organisations don't use a holistic approach to secure their data and the tools used such as multi-factor authentication (MFA), virtual private network (VPN) and single sign-on (SSO) are often siloed.”
Jeffrey Kok
This results in operational inefficiencies. Identity Security was coined to use a holistic approach to encompass all these identity requirements into a single platform.
When I mention the word identity security to professionals, most of them say, "We already have IAM, and that for us is identity security." What is wrong with this perception of IAM?
Jeffrey Kok: Having IAM is like having a Nokia phone. Today, when you say having a phone, IT security is like having a smartphone. They're both phones and both include the words Identity and Access. But the objective, user experience as well as value proposition are different. You may have the components of IAM, but if they are disparate, you can't cover everything in the environment.
An identity security approach enables components to come together as a single platform, to define what a user has, what it can access, and have visibility across the entire environment to get more ROI. Traditional IAM is a good start and sets the groundwork, but organisations can take the next step using identity security.
What is the best practice for putting together a holistic Identity Security strategy?
Jeffrey Kok: Identity Security doesn't require you to use everything from a single vendor. Organisations need to have a central place where they can define all the definitions and where all the components can be potentially interchangeable.
Having a common platform where I can define and choose all the different types of authentication factors is key. We can define what these users have access to and how to secure them in different use cases, whether it is an SSO to a web-based application or logging into a Windows Server, Linux server or the cloud.
Organisations can then set a common rule and secure the identity through monitoring and analysing all the activities that this user has, then define the requirements from it.
By adopting these next-generation identity security platforms, organisations can define more use cases and have better integrations with the different technology vendors. If the user starts doing something off, it can identify these anomalies, and ask the user to prove that he is the right user.
Are all identity security platforms equal? How do I determine that this identity security platform presented to me is the right one for my organisation?
Jeffrey Kok: Organisations need to understand their needs. Most identity security platforms are usually modern, and a lot of them are born in the cloud with many capabilities. They need to consider:
- How is it going to reduce risks?
- How is it going to improve operational efficiency?
- How is it going to streamline our compliance and audit efforts?
For a CISO looking at identity security platforms, what should that executive bear in mind as it relates to an organisation's overall security strategy?
Jeffrey Kok: He should look at how this identity security platform would help to protect his identity and privileged users, and ask these questions:
- How is it improving the protection of identities?
- How is it reducing the risks when it is fully adopted?
- How would it help the organisation to meet its business objectives?
- How will it help the organisation be more resilient against cyber threats?
“An effective identity security program should be able to reduce risks in these areas effectively,” he concluded.
Click on the PodChat player and listen to Kok elaborate on identity security fundamentals.
- What is identity security?
- IT security has been around for decades, so why has the term “identity security” only become more pronounced in recent years?
- Where does “identity security” sit in an organisation’s overall security strategy?
- For an organisation that already has an identity access management solution in place, does that mean the company has covered “identity security”?
- What is a best practice for determining if an organisation’s existing IAM approach fails to meet the fundamentals that “identity security” promises?
- Are all identity security platforms equal? How do I determine if a platform is suitable for my business?
- What should be top of mind for the CISO looking at identity security solutions as part of the company’s overall security strategy?