Several CISOs I’ve spoken to over the past few years agree that identity is a new security perimeter. The thought here is that a combination of mobile device and cloud use renders existing network perimeters obsolete, so security policy enforcement decisions must be driven by identity attributes (i.e. user identity, role, device identity, location, etc.) rather than IP packet attributes. We see this transition coming to fruition with the concept of a software-defined perimeter (SDP) and technologies such as Google BeyondCorp and Vidder PrecisionAccess.
Yup, this makes sense. Armed with identity attributes, organizations can make intelligent network access decisions on who gets access to which IT assets regardless of their location. Unfortunately, there is a big problem here. The IAM infrastructure was built organically over the last 10-15 years so it depends upon a morass of disconnected and fragile elements. This situation greatly impacts security.
In a recent research project focused on IAM, ESG surveyed 335 IT and cybersecurity professionals working at North American-based enterprise organizations (i.e. more than 1,000 employees). Survey respondents were asked to identify their organizations’ biggest challenges with regard to IAM and security. The data reveals that:
- 27% of IT and cybersecurity professionals say that users are not practicing safe computing and do things like choose easy passwords or use the same password multiple times. This leaves users susceptible to credentials theft, and organizations open to security breaches.
- 27% of IT and cybersecurity professionals say that their organizations still rely on user names and passwords for most authentication actions. This makes the identity perimeter quite vulnerable, as it is built on an extremely tenuous foundation.
- 25% of IT and cybersecurity professionals say that their organizations have multiple identity repositories, so it is difficult to get a complete understanding of user and access privileges. This is a common IT problem — data is spread across the network in different formats and data stores that were added individually over time. This is precisely why many enterprises rely on meta-directories or IAM tools to get their arms around this situation. Even IT leader Google admits that collecting real-time IAM information is one of the biggest challenges in its BeyondCorp SDP.
- 23% of IT and cybersecurity professionals say that their IAM infrastructure was really built for user convenience and not strong security. Not a surprise, since IAM is mostly the domain of IT operations and application developers rather than security pros.
- 23% of IT and cybersecurity professionals say that senior management has not put enough emphasis on improving IAM for security purposes, so the security team is forced to work within the limitations of the existing IAM infrastructure.
In my humble opinion, this last bullet is a big part of the problem. Identity may be a new security perimeter, but many organizations continue to throw security dollars at networks and hosts while treating IAM as basic IT infrastructure. This is mismatch if there ever was one.
CIOs may not want to hear this, but it’s time to think about a 2 to 3-year project to overhaul their entire IAM infrastructure. This effort should include moving to multi-factor authentication, consolidating identity repositories, and bridging on premise and cloud-based IAM technologies. I get it, this won’t be easy, but successful efforts will result in improved security, streamlined operations, and greater business flexibility.