Why we need to consolidate digital identity management before zero trust
The concept of zero trust has been around for almost two decades, but it is only recently that the security model has taken hold and is now one of the hottest trends in cybersecurity. A report from Microsoft found that 90% of security decision makers are now familiar with the concept, up from 20% just a year ago. But adoption remains a challenge as organizations rethink the way they handle identity management.
This rise in popularity is undoubtedly linked to both the growth of enterprise cloud computing and the rise of remote working. Employees are now expected to be able to access their organization’s data from a range of devices, locations and geographies.
Zero Trust is only a piece of the cake
Building a zero-trust architecture requires organizations to identify a so-called âprotective surface,â made up of their most important data, assets, applications, and services. A microperimeter is then deployed around the protective surface, forcing users to authenticate each time they pass through it.
Identity and Access Management (IAM) is in many ways the cornerstone of the zero trust architecture. However, thanks to a combination of existing systems, many organizations have complex digital identity structures, with one tool for provisioning and de-provisioning, another for multi-factor authentication (MFA), another for single sign-on. and a fourth for fast smart cards. Authorized access.
Forward-thinking organizations should strive to reduce their overall attack surface by consolidating these structures. Their ultimate goal should be a decentralized identity infrastructure that will allow different organizational systems to accurately match a single user identity.
Such a system would provision, deprovision, instantly and automatically modify access rights, and accurately report on all users in an organization’s digital continuum. It would be supported by robust policies and access rules, as well as modern MFA methods.
Fragmented digital identities pose a security risk
Digital identity – originally a set of technologies designed for industries that process highly sensitive data, such as financial services, government, and the military – is now crucial to how we interact with devices in the world. our personal and professional life. Nowadays, you can log into your online banking using biometrics, access your email with SMS verification, and enter your workplace by swiping an RFID key card. And that’s all before 9 a.m.
Within organizations, the large number of digital identities associated with employees has now in itself become a threat. Having multiple digital identities for each individual multiplies the attack surface for organizations, putting them at greater risk of financial damage and data loss in the event of a breach. This turn of events is somewhat ironic given that the original purpose of these technologies was to improve safety.
Consider the colonial pipeline attack earlier this year. The attackers reportedly entered the organization’s systems through an employee’s VPN account that was no longer in use but still active. The employee in question had used the same password several times, and thanks to a completely independent leak, the password in question was part of a lot for sale on the Dark Web.
Looking back – which is admittedly still 20/20 – if automatic account deprovisioning had been in place or a corporate single sign-on solution deployed, it looks like one of the most dangerous attacks in the history of United States could have been avoided. If that’s not a reason to favor strong digital identity management, then I don’t know what it is!
Amid a growing number of cyber attacks, it’s hard to overstate the scale of the digital identity challenges organizations currently face. Of course, the immediate priority for IT managers should be securing systems, data and users right now. At the same time, however, the case for establishing a more effective digital identity paradigm is clear. This would include a holistic solution for digital identity management and governance, the ability to manage identity governance, authentication verification and assurance, and simple, password-less user access and authentication. past. This setup should be the end goal for most businesses.