Forbes: Your Identity Security Program Isn’t Working. Here’s A Blueprint To Rebuild It
April 2, 2019
Contributed by Ira Goldstein, SVP of Field Operations at Herjavec Group
Ira Goldstein is the Senior Vice President of Field Operations for Herjavec Group, accountable for business development, investments, and service advancement initiatives globally.
Iteration is safe. It’s hard to get fired for making incremental improvements. And if you’re in security, you'll probably leave or get recruited to a new role before it matters. With countless leaders falling into the trap of path dependence, specifically when it comes to managing identity — arguably the most important piece of modern cybersecurity — the only way to win is to start from zero and do it right.
What Is Path Dependence?
The concept is easy to understand. Think back to before modern modes of transportation existed. People would have traversed the natural landscape via the path of least resistance. If they were moving through a dense forest, the path of the traveler weaved in between trees to avoid potential dangers. While the path may not have been the fastest way through the forest, over many years it would be beaten into the earth and set the course for all future travelers. When future travelers began traveling by horse, the path marked by past travel was followed, as it was the only clear guide through the terrain. Over time, travel by wheeled vehicles likely marked the path deeper in the ground, until it was paved to facilitate even faster motorized vehicles. Had people laid out the path anew at the dawn of the motorized vehicle, it would have taken a much different route — perhaps a direct line through the forest with trees removed for ease of travel. But the travelers were path-dependent and ended up with an inefficient path of travel through the forest.
Why Is Path Dependence So Prevalent In Identity Management?
Managing your identity for access to digital assets in the corporate world began with a single credential tied to a single user. If you needed access to corporate email, you were provisioned access to an email service. As more corporate services required use of your identity to function — for authentication or granting of role-based privileges — they were centralized in a system like Active Directory or a similar directory of user identities. New services entered the corporate environment, and whenever possible they were tied into a centralized directory to provide access. Automated or administrative functions required service or privileged accounts, which were sometimes stored on local machines, on a spreadsheet or, for the most mature, in an auditable and secure system. When cloud-based or SaaS services rose to prominence, their access was often governed separately until corporate IT caught wind of them and attempted to tie them into a central authority — after sensitive data was already in the system. Unfortunately, the features to govern and audit centralized access have not kept pace with the rate of app proliferation and compliance requirements to certify appropriate access.
There Is A Cure, And It’s Widely Available – But Commonly Misused
You can approach this problem in one of two ways. Path dependence dictates that you will closely study your current state, determine the business constraints and legacy applications you will need to accommodate, and pour many hours and dollars into the development of a hackneyed system that meets your corporation’s needs. Alternatively, you can rebuild from scratch. This approach requires more business influence and negotiation skill than it does IT expertise.
There are three steps forward:
- Define your future state
- Identify your outliers
- Start your diplomatic efforts
Define your future state: Here, all business applications tie into a central identity governance and administration system. A principle of least privilege is employed, and privileged access is a time-bound function where credentials are opaque to the user.
In practice, this means that privileged access, the crown jewel of any organization, is provided in the form of one-time-use credentials that are no longer valid after they're used. This limits the external attack surface and prevents internal misuse. Where one-time-use credentials aren't practical, the system can instead inject the credential into the session automatically, so the user never learns it.
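The brokered model just described, as an added, constructed example that is not code from the article or from Herjavec Group: the user receives only an opaque handle, the broker holds the secret and a short lease, and a session is opened at most once and only inside the lease window, with every decision written to an audit trail. The class, method names and the `_connect` stand-in are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Lease:
    """A brokered privileged credential; the secret never leaves the broker."""
    target: str
    secret: str
    expires_at: float
    used: bool = False


class PrivilegedAccessBroker:
    """Constructed example of time-bound, single-use privileged access."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so expiry can be tested
        self._leases = {}
        self.audit = []            # (event, user, target, handle)

    def request_access(self, user, target):
        # Mint a fresh secret for the target (a real broker would rotate it
        # on the target system) and hand back only an opaque handle.
        lease = Lease(target, secrets.token_urlsafe(24), self._clock() + self._ttl)
        handle = secrets.token_hex(8)
        self._leases[handle] = lease
        self.audit.append(("issued", user, target, handle))
        return handle

    def open_session(self, user, handle):
        lease = self._leases.get(handle)
        if lease is None or lease.used or self._clock() > lease.expires_at:
            self.audit.append(("denied", user, getattr(lease, "target", None), handle))
            raise PermissionError("handle unknown, already used, or expired")
        lease.used = True           # one-time use: burned before the session opens
        session = self._connect(lease.target, lease.secret)
        self.audit.append(("opened", user, lease.target, handle))
        return session

    def _connect(self, target, secret):
        # Stand-in for injecting the secret into an SSH/RDP/API session on the
        # user's behalf; the returned session object carries no credential.
        return {"target": target, "authenticated": True}
```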
Identify your outliers: Some business functions won’t play nicely with your future state. You should assess and mitigate risk, ideally by isolating those functions to their own bubble-wrapped environment.
Many businesses have legacy applications supporting critical business functions. Every big company has them, and the business unit often has a compelling reason why it can't update an operating system or move that function to the cloud. Segregation is key with these applications, whether through physical controls like air-gapping or logical controls like a lower threshold to trigger risk-based authentication functions.
Start your diplomatic efforts: Secure buy-in from your most influential business sponsors first, and communicate your vision effectively to win wider support for implementation.
Cost-saving arguments often resonate with lower-margin businesses, while customer success angles can help sell a vision within the modern service- or software-based enterprise. Whatever the core business is, executive buy-in will be much easier to win if identity security contributes to the bottom line instead of acting as a cost-center.
Approaching identity management as if you were starting a new enterprise from scratch means that you can ultimately save money in the long run, even though the pace of change and pain of implementation may be higher in the short term. Don’t fall victim to path dependence. Think of the number of times you’ve thought to yourself, “If only I could build from scratch,” and then do it. Take the road less traveled.
Originally posted by forbes.com