“Do more with less.” Today this mantra is echoing across corporations and organizations. There’s no denying we are in the midst of an economic downturn. In January, the World Bank predicted global GDP to hit just 1.7 percent growth, the worst since 1993 outside of recessionary periods. For many organizations, the immediate reaction is to cut costs quickly against anticipated revenue contractions. Normally one obvious place to start cutting is any large orders and projects currently in the purchasing system. While halting investments may seem like the best option, this should not be done in haste and without proper consideration.
Rather than simply arbitrarily paring back spending on infrastructure upgrades, organizations should look at difficult economic times as an opportunity to get their house in order, clear away roadblocks, like outdated IT clutter and establish a leaner, more efficient environment.
The Rapid Increase in Identity Data
Economic headwinds aside, we are in a unique time of change in IT as enterprises navigate significant trends such as ongoing customer digital transformation, continued migration to a hybrid cloud world, and the journey towards the promise of a zero trust architecture.
The intense focus on rapid digitization over the last few years has left firms with a disjointed collection of unconnected systems. Each new cloud instance or application comes with its own siloed digital identity, resulting in each employee connecting to an ever-increasing number of accounts.
Most businesses lose track of these sprawling identities, resulting in multiple overprovisioned and redundant accounts. When a company can no longer accurately define, manage and secure access to its networks, systems and resources, its ability to undertake digital transformation and cloud migration projects is severely limited. Modernization slows, inefficiencies grow, opportunities are missed and return on investments drop when momentum is lost.
Most critically in a down economy, these contractions increase the firm’s risk exposure. Poor identity management ultimately widens organizations’ attack surface, leaving ghost accounts from downsizing, and users with over-provisioned access privileges vulnerable and waiting to be exploited by threat actors.
Adversaries operate in the shadows and focus on poorly managed, decommissioned accounts or gaps in the security model to breach the system. As the worldwide economy suffers, bad actors increase their efforts to generate alternative revenue streams. The imperative is to understand that with the increasing use of the cloud, digitization and today’s mobile workforce, criminal gangs have a greater chance of breaching an organization’s security perimeter. Sophisticated new threat actors can now access high-value areas of an organization’s network and sensitive information moving between systems and taking over ever more privileged accounts.
Regaining control over digital identity management provides organizations with the compound benefits of cutting costs while boosting security. Most have complex environments suffering from years of deferred maintenance and in desperate need of clean-up. Years of frantic IT growth means that businesses have unknowingly built up a considerable amount of technical debt. Countless and potentially redundant digital identities are scattered across different environments including many costly heritage platforms on which the business depends. By establishing a more holistic and streamlined approach to identity data management, organizations can drive down business costs – ideal for firms looking to make every penny count – and better prepare themselves for future turnaround with a more efficient, responsive and secure business model.
Why is the Implementation of Zero Trust a Priority?
Zero Trust has been a topic of discussion for CISOs, CIOs, and IT professionals for some time. Most businesses recognize the importance of moving towards this model, despite not fully understanding the components and processes that make up the architecture.
A zero trust model is built on the idea that enforcing principles of least privilege, statically provisioning a user with only the minimum rights they require to access each system, minimizes the impact of an attack. Additional access a user requires to perform their job is dynamically authorized by policy engines at the time of the request, based on a rich set of user attribute data. Enhanced access is then removed when the user completes their tasks. This model eliminates the potential for an over-provisioned account to be taken over and exploited on the network.
Security teams need accurate and up-to-date user profiles to make those informed decisions. The granular user profile incorporates even non-standard identity data such as training status, risk scores, clearance levels, project assignments, and even device health. Leveraging ever broader and more complete identity profiles, security teams can be confident that the user gaining access to a crucial resource is entitled to that access at that moment and does not pose a threat.
The first challenge when starting to deploy zero trust is that it relies on access to trusted identity data, sourced from the truth, collected from across the environment, and correlated into a global profile that provides all the separate policy engines one place to access the data they need. However, due to the sprawl of identity data and the accumulation of IT debt that we discussed above, most organizations struggle to build a complete picture of each user and their access. Identity applications in the cloud and legacy systems on-prem with different structures, schemas, and protocols, are often unable to communicate with each other. John Smith in one system might not be the same John Smith as in another, and may in fact be JSMith21 in another system. Until this challenge is resolved security teams cannot confidently start to deploy zero trust to manage access in the least privileged environment and their historic security vulnerabilities will persist.
It is essential to recognize that the issue of managing identity data is getting more challenging with the digitization of IT and migration to the cloud, and is now hampering the implementation of vital security projects such as zero trust. This highlights the need for an identity data management solution that meets the security and performance demands of an organization operating in a complex, hybrid environment. The good news is that zero trust is a journey towards ever better and better security. Starting the clean-up and aggregation of user identity data on the most critical systems will start to immediately pay dividends.
The Benefits of Streamlining Identity Data
One of the most significant benefits of unifying and streamlining identity data is that it allows security teams to understand who is accessing what and how. Good identity data management ensures a consistent and secure approach throughout the organization.
An identity data fabric enables visibility into identities across hybrid systems. This approach helps organizations discover and gather identities, which can then be mapped into a single profile. Analysis, clean-up, and aggregation tools built around an identity data fabric accelerate the journey toward a more secure architecture. Security teams can avoid the risk of duplicate or redundant accounts by ensuring that each digital identity is linked to an individual machine or employee or NPE. The clean-up process introduces viability, and order and identifies disconnected ghost accounts, and provides opportunities to de-provision over-privileged accounts, filling in the gaps which threat actors once exploited.
Companies who use this time during a recession to prioritize strategic decisions will find the investment multiplied immediately, cost reduced, security-enhanced at a critical time, and stage the company for accelerated growth on the other side. Building a global user profile offers immediate cost savings by identifying and eliminating redundant licenses and accounts. This, in turn, secures the networks and reduces attack surfaces. Illustrating the benefits of combining identity clean-up, the retirement of IT debt, and proactive identity data management can be used to justify investment, ROI, and business transformation with demonstrable evidence. Beyond improving cyber resilience in the short term, this also serves as a springboard for future resilience through projects like zero trust.