Coping with scale and instigating change presents challenges
To combat the threat of bad actors making unauthorized use of credentials to infiltrate systems, cybersecurity leaders must revisit and shore up their processes around identity and risk management.
As cybersecurity leaders seek to appropriately respond to identity risk, challenges in gaining risk intelligence and deploying practices and solutions will arise.
Queensland Department of Education CISO, Steven Woodhouse, provides a striking example of the scale of risk and the identity challenge in education.
“In education in Queensland we have about 650,000 identities accessing systems in any one day,” he says. “There are 1370 sites across the state, and there are hundreds of thousands of devices connected every day.
“A major question I have to consider is, how do I perform quality identity management and intelligence around that? How do we get to a Zero Trust model using our identities with this kind of scale?”
The sheer number of identities that need to be managed presents a significant area of risk. Additionally, student IDs are used to sign into third-party learning resources, which widens the exposure potential further, Woodhouse says.
“If a service that students use gets breached, that’s a lot of work for us to remediate,” he says. “Changing passwords and communicating organizational change to students is disruptive. Going to multi-factor authentication can help, but it surfaces another challenge in delivering that workably for thousands of users, ranging from teenagers to very young kids.”
What’s more, challenges around risk intelligence have only been compounded by COVID-19.
“Because of this pandemic, there are 100,000 staff working from home or other locations, and the edge has now become extremely fluid,” Woodhouse says.
“Traditional security used to be that we knew where the edge was, we knew the boundaries, inside that was safe and outside of it was unsafe. Now, we don’t know where the edge is.
“If you’re working from home on your own device and connecting to our systems, even though you have a valid identity and even though we are saying that ID can only access certain resources, I still have no control over what’s happening on your device. Does it have malware on it? Has it already been compromised? All those things come up.”
Risk intelligence as it applies to identity can be a daunting proposition to uplift and mature, particularly in large organizations. Another challenge cybersecurity leaders should be conscious of when beginning the journey is how well their organizations understand and rationalize risk.
“In some highly regulated companies, every board is faced with defining the risk appetite that they have within their given industry and their competitive segment,” Ping Identity Head of APAC & Japan Ashley Diffey says.
“The vast majority of companies in this world grossly underestimate the consequences of a bad outcome because they grossly underestimate the bad outcome. Conversely, they also overestimate what their real risk appetite is.”
Victorian Security Institute president Kostas Kyrifidis says if organizations don’t have well-thought-out identity management systems and policies, they’re falling behind.
“Identity governance needs to cover intelligence gathering and thinking throughout the user and device lifecycle. Technology solutions aside, what do we know about new staff members or contractors when we bring them on board?” he says.
“What other information sources can we rely on to complement our strong policy positions? There is a lot of work that needs to be taking place between users, partners and the industry and we need to continue to push towards developing standards and approaches.”
QSuper CISO Jason Anderson says intelligence gathering doesn’t always have to come from digital analysis or security operations centers.
“A lot of the intelligence that I gather, whether it’s on identity or any other security piece, is through my informal networks,” he says. “Building strong relationships with people, other CISOs throughout the country. Whether that’s within your own industry or other kinds of organizations, it strengthens your expertise and ability to innovate and drive change.
“There’s a couple of different schools of thought or types of people from a security leadership perspective. There are those who like to transform and those who like to run with what’s there. I fit myself into the transform category. It’s important to look for new opportunities to uplift and change the way things have been done to get better outcomes.”
Being more conscientious about risk at the organizational level will give cybersecurity leaders better sponsorship to improve their identity solutions. Diffey says that without enough recognition of risk at the executive level, organizations will be more exposed.
“Flat-out complacency as it relates to improving identity programs is the single biggest risk facing companies today,” he says. “That’s not hyperbole when 80 to 90 percent of all breaches are executed through some usurpation of account credentials. And that percentage hasn’t changed in more than a decade of breach analyses.”
Future of Intelligent Identity Solutions
Improving identity and intelligence around identity risk invites a look at some of the kinds of innovative practices and solutions that are emerging in the identity space.
With the growing capabilities and application of machine learning, identity and access management is likely soon to benefit from this area of artificial intelligence.
Other trends that recur on identity management trends lists include context-based authentication, cloud identity and access management, insider threat management and, as mentioned, zero trust.
BNP Paribas’ Krishna Kasi says his vision of better identity, access and risk intelligence includes a combination of technology, processes and culture.
“The ideal future includes the zero-trust network as one part of it,” he says. “I imagine in the future we’ll also see more incorporation of biometrics in access management.
“Cloud is another interesting area that will be changing. Most large organizations have moved at least partially into the cloud. I see everyone on the cloud in the future, unless regulatory requirements prevent it. This will present interesting challenges and opportunities in identity.
“I think security also needs to be more incorporated into operations and treated more as a culture rather than as a feature that needs to be embedded within applications or as additional rules.”
QSuper CISO Jason Anderson says intelligence and data gathering will pave the way to bring in better solutions that get out of the user’s way.
“I really hope the future of identity is one without passwords! That’s been a massive bugbear for me. I think the panacea of identity for me is that users don’t notice you doing it,” he says.
“Getting solutions that are easy to use, that work by using what we already know about users and gathering data so you don’t have to challenge them, then building in stepped-up security based on risk.
“We need to make it so that it’s seamless for the user as well as saving cybersecurity professionals’ time. It might take a bit more time upfront to get it right, but it will be worth it.
“Certainly, the user experience can be better if we utilize technology and what we know about people instead of challenging them.”
Queensland Department of Education CISO Steven Woodhouse would like to see reliable identities established early on that stick with users and inform on authorization to all services throughout their school life and even careers.
“When a student starts with us, they get an identity created, they go through their school years with that identity, then they leave and go to university,” he says.
“Over time, they are getting identities from all over the place. Would it be possible, or even desirable, to have an identity that goes from cradle to grave? An identity that goes with you to university, and then into the workforce?
“All other identities that you create for platforms or services could be reliant on or connected to that primary ID. Not in any way that would expose associations with other services or sensitive data, but a link in some way to provide more security and certainty on the ID.
“Then, whenever users are accessing systems they are authorized to, AI would be able to recognize normal usage patterns and flag abnormal patterns.”
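The two ideas above, Anderson’s “stepped-up security based on risk” that stays out of the way of normal users and Woodhouse’s hope that usage patterns can be learned so that abnormal ones are flagged, both come down to scoring a login attempt against what is already known about the identity. The following is an illustrative example added to this article; it is not code from Ping Identity, QSuper, the Queensland Department of Education or any other organization quoted here. The signal weights, the thresholds, the impossible-travel speed limit and the sample user profile are all assumptions chosen for the demonstration.

```python
"""Risk-based step-up authentication: score a login attempt against a user's
known devices, locations and habits, then allow it, step up to MFA, or deny.

Added example for this article, not any vendor's product code. Weights,
thresholds and the sample profile below are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Optional, Set, Tuple

# Hypothetical tuning values; a real deployment derives these from its own data.
STEP_UP_THRESHOLD = 40        # score at or above this triggers an MFA challenge
DENY_THRESHOLD = 80           # score at or above this blocks the attempt outright
IMPOSSIBLE_SPEED_KMH = 1000   # faster than a commercial flight between two logins


@dataclass
class Login:
    when: datetime            # naive datetime interpreted as UTC
    device_id: str
    country: str
    lat: float
    lon: float


@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: Set[int]     # UTC hours of day at which this user normally signs in
    last_login: Optional[Login] = None


def _distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def risk_signals(profile: UserProfile, attempt: Login) -> Dict[str, int]:
    """Return every triggered signal with its contribution to the risk score."""
    signals: Dict[str, int] = {}
    if attempt.device_id not in profile.known_devices:
        signals["new_device"] = 40
    if attempt.country not in profile.usual_countries:
        signals["new_country"] = 25
    if attempt.when.hour not in profile.usual_hours:
        signals["unusual_hour"] = 15
    prev = profile.last_login
    if prev is not None:
        # Floor the elapsed time so two near-simultaneous logins do not divide by zero.
        hours = max((attempt.when - prev.when).total_seconds() / 3600, 1e-6)
        if _distance_km(prev, attempt) / hours > IMPOSSIBLE_SPEED_KMH:
            signals["impossible_travel"] = 60
    return signals


def decide(profile: UserProfile, attempt: Login) -> Tuple[str, int]:
    """Map the summed risk score to an authentication decision."""
    score = sum(risk_signals(profile, attempt).values())
    if score >= DENY_THRESHOLD:
        return "deny", score
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score
    return "allow", score


# Constructed sample data: a Brisbane-based user whose last login was at 09:00 UTC.
BRISBANE = (-27.47, 153.03)
FRANKFURT = (50.11, 8.68)
PROFILE = UserProfile(
    known_devices={"laptop-1"},
    usual_countries={"AU"},
    usual_hours=set(range(8, 19)),
    last_login=Login(datetime(2021, 3, 1, 9, 0), "laptop-1", "AU", *BRISBANE),
)
NORMAL = Login(datetime(2021, 3, 1, 11, 0), "laptop-1", "AU", *BRISBANE)
NEW_DEVICE = Login(datetime(2021, 3, 1, 12, 0), "phone-9", "AU", *BRISBANE)
# Same device, but in Germany two hours after a login from Brisbane.
TRAVEL = Login(datetime(2021, 3, 1, 11, 0), "laptop-1", "DE", *FRANKFURT)

if __name__ == "__main__":
    for name, attempt in (("normal", NORMAL), ("new device", NEW_DEVICE), ("travel", TRAVEL)):
        print(name, decide(PROFILE, attempt), risk_signals(PROFILE, attempt))
```

The normal attempt scores zero and passes without a challenge, which is the “users don’t notice you doing it” outcome; an unfamiliar phone on its own is enough to step up to MFA; and a known device appearing in Germany two hours after a Brisbane login combines a new country with impossible travel and is denied. Keeping each signal’s weight visible in `risk_signals` also gives the security team something to explain when a user asks why they were challenged.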
With new solutions that support decentralized identity, bring-your-own identity and advanced identity management and monitoring emerging, as well as a strong security incentive, the time is right for CISOs to review their strategy in this area.
Whichever models or approaches arise, BNP Paribas’ Krishna Kasi says risk intelligence needs to be built in.
“Whenever we talk about the ideal scenario for the future, it’s difficult because the bar of the ideal is always shifting,” he says.
“But at the very least if two years down the line organizations are more risk-aware, risk-conscious, mature and incorporating security into all the functionality that deals with risk, that’s a step in the right direction.”