Eric Avigdor | Director of Product Management
Over the past 18 months, business models, operating procedures and interaction with customers has changed significantly. Accelerated cloud migration and work from anywhere trends have changed the security landscape. Identity and access management has become the cornerstone of security policies and practices to provide employees, partners, and customers with a secure way to access data, applications and systems required to remain productive. The increased importance of identities attracted cyber criminals who increasingly targeted these lucrative assets.
A recent survey by the Identity Defined Security Alliance (IDSA) questioned 500 identity and security professionals and examines the impact that these events have had on identity and access management in the enterprise and the implementation of identity-focused security strategies.
Key findings
In a densely interconnected world, where people are accessing corporate resources from anywhere – office, home, mobile devices – and machines such as IoT devices, containers and microservices interact with millions of other machines, the volume of identities owned by an organization has skyrocketed. The report indicates that 83% of the organizations have experienced an increase of human and machine identities.
With identity serving as the connective tissue between systems, services, and a distributed workforce, businesses were forced to evolve their security strategies and practices and focus more on protecting these credentials. Even though 80% of the respondents have evolved their policies to secure identities, the level of confidence to secure these identities, especially the ones for remote employees, dropped from 49% to just 32% in the past year.
This low confidence in identity security comes as a warning sign for organizations to invest more in identity-related security outcomes. At least 70% of the survey respondents report that this is a work in progress for the past two years, while 97% state that they plan to invest more in the next two years. This increased attention in protecting identities is expected to further mitigate security threats and breaches, as 93% of the security professionals have reported.
Identity management is about security
Traditionally, identity and access management (IAM) were about defining access roles and privileges to grant access to assets and data. As identities – both human and machine – became more and more prevalent and important, their compromise and the exploitation of weaknesses in IAM controls give adversaries the opportunity to pivot and move undetected into corporate networks. Increasingly, identity management is now about corporate security, as it is confirmed by 90% of the survey respondents.
The Verizon 2021 Data Breach Investigations Report (DBIR) indicates just that - 61% of data breaches involved some sort of credentials. The IDSA survey respondents also reported similar experiences – 79% have suffered from identity-related breaches.
IAM is a strategic choice
The growing awareness of the importance of identity in enabling and securing everything from DevOps to dispersed connected IoT devices to remote workers has led many organizations to change how the perceive IAM processes. These processes are now aligned with enterprise-wide security strategy and policies in an effort to reduce the overall risk to business.
This shift in strategy is demonstrated by the ownership if IAM. 87% of companies report their CISO has an ownership and leadership role with IAM, while 45% of CISOs own both strategy and implementation for overall identity and access management initiatives.
Organizations where the CISO has greater ownership of identity and access management have progressed toward fully implementing identity-related security outcomes. Step-up authentication based on risk assessment, implementation of Least Privilege principle and widespread use of MFA are characteristics of an organization with a mature IAM strategy. These businesses leverage user behavior to step up authentication, building more confidence on employee identity protection.
Viewing IAM as a strategic choice is foundational for achieving another strategic goal: Zero Trust security. Zero Trust security model is centered on the belief that organizations should not automatically trust anything inside or outside their control and must actively verify the identity of everything – human or machine – requesting to connect to its systems before granting access. 93% of surveyed IT security experts agree that Zero Trust is strategic to securing their organizations, while nearly all (97%) agree that identity is a foundational component of a Zero Trust security model. This finding suggests that forward-thinking organizations believe they should not implement a Zero Trust architecture without focusing on effective identity and access management.
Conclusion
In a highly interconnected world, identity has become the new security perimeter. Businesses need to protect the identities of all entities – human and non-human – requesting access to their data and systems. This is crucial for securing their digital transformation initiatives. With no central Identity Access Management (IAM) strategy, businesses of all sizes lose precious security and productivity.
Thales offers a portfolio of IAM solutions which enable secure cloud adoption in the enterprise through several key functionalities:
- Simplified cloud access with cloud single sign on (cloud SSO)
- Optimized security with granular access policies
- Scalability enabled by centralized management
- Improved compliance through visibility into cloud access events
Learn more about how Thales can help your business secure identities.