
Security at the point of entry: The future of identity and access management

Identity is now the place where security starts, but cloud technology has made the task a lot harder. In this article, we share the lessons from a recent webinar, which explored how access challenges are being overcome.

Identity is a key battleground in cyber security. As the number of endpoints grows, and people adopt the practice of working from anywhere, security teams are evolving their approach. The profession is moving away from a perimeter model of ‘moats and castles’ towards one focused on zero trust. This means verifying everyone’s identity before they can gain access – to anything.

We have been moving towards this place for a while. There is more collaboration between people and companies. Suppliers of technology and services gain temporary access to critical systems, and machines are configured to perform automated tasks under their own identities. The growth of cloud technology has also created the need to control data outside the applications that hold it, and it raises questions over shared responsibility for security.

Ultimately, these trends have increased the complexity of cyber security and demanded new ways of controlling access to data. During a recent Digital Identity Roundtable with Protiviti and SailPoint – The future of identity access management: how companies are maturing their security programs – Mark Oldroyd, senior partner technical enablement manager at SailPoint and webinar co-host, explained more.

Blessing and a curse: the growth of cloud

The growth of cloud technology has been the dominant trend in IT services for the past decade. In 14 years, Amazon Web Services has grown into a $35bn organisation. Competitors including Google Cloud Platform and Microsoft Azure, followed closely by Alibaba Cloud, have created an elite group of providers. According to Mark’s presentation, 78 per cent of companies are now using two or more of these platforms; a very significant 88 per cent are moving in that direction.

“Having multiple platforms and spreading workloads gives the ultimate in reliability, and disaster recovery,” said Mark. “Companies often choose the best platform: if it is a Microsoft application, then chances are that it runs more effectively on Azure hosted services, for example. But sometimes they don’t get a choice. They may be forced to add new platforms because some technology only runs in specific environments.”

While cloud technology creates enormous opportunity for companies, multiple platforms can amplify the challenge for security professionals. There is limited visibility and compliance oversight of how they are accessed, he explained; a lack of alerts in the face of what he called ‘inappropriate access’; inconsistent management of access on each platform; too much ‘excessive, stale and non-compliant access’; and privileged access that is inadequately managed. That’s quite a list.

“Typically, we end up with a silo of supporting processes and technology for each of these,” said Mark. “Quite often, the Azure assets are managed by the Windows team, for example. They manage the controls, the user account creation and access provision. If an organisation is also using Google Cloud Platform or Amazon Web Services, you typically find these are owned and managed by different areas of IT.

“These things make effectively governing identities very difficult in these environments. A further complexity is the way these products control access: using advanced, real-time, code-based policies, which make it easier to expose them. For anyone who has read up on the Capital One breach – that is exactly what happened.”

In the summer of 2019, Paige Thompson, a software engineer in Seattle, gained entry to one of the bank’s cloud servers and stole data for 100 million customers. According to a report in the New York Times, the court papers revealed she stole 140,000 social security numbers and 80,000 bank account numbers in the breach. This was in addition to tens of millions of credit card applications.

Capital One, which is one of the largest issuers of credit cards in the US, had been using Amazon Web Services to store information. It had built its own web applications on top of Amazon’s cloud storage, to tailor the application for its own use. But the attacker had been able to gain access to the data through a ‘misconfigured’ firewall on a web application. As later detailed in the court filings and public reporting, the misconfigured web application firewall could be made to issue requests on the attacker’s behalf to the cloud environment’s own metadata service, which returned temporary credentials for a role that was permitted to list and read the storage buckets. The weak point was not the storage itself but an over-privileged identity reachable through a single misconfiguration – the pattern Mark was describing.

The attack marks a growing trend in cyber security of groups targeting supply chains and cloud technology providers. According to an article in the Financial Times, Chinese hackers launched a sustained attack in 2017 on cloud service providers, aimed at compromising companies in 15 countries, including the UK. In the article, cyber security company Symantec said it had seen a 200 per cent increase in ‘supply chain attacks’, year on year.

From confusion to clarity

As a result of mounting security concerns, the cloud has given rise to a lot of new technology designed to help companies protect this evolving world. These include cloud workload protection platforms, which monitor the behaviour of workloads; cloud access security brokers (CASBs), which can detect misuse of access; and cloud security posture management (CSPM) tools, which can help identify misconfigurations and threats. Mark said, however, that some of these tools had the potential to create confusion.

“What a lot of these point solutions are missing is that element of identity,” he said. “Hopefully, everyone has an understanding of the value that can add to your security infrastructure: a basic understanding of users, the accounts they use and the activities they are performing; and linking that back to the business context. That is the only way we can start making decisions about what is appropriate.”

Mark outlined an approach that companies could adopt to help them better manage cloud access. The first step on the road was discovery. This would allow security leaders to understand what access users have, validate the policies granting it and establish what each identity can actually do in specific environments. The second step is about protecting cloud environments by using access reviews and policy enforcement; and the third step involves governance. “This is where we start to automate as much of the manual effort as possible,” said Mark, “while all the time paying attention to sensitive data in these environments.”
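The discovery and review steps above, and the list of ‘excessive, stale and non-compliant access’ earlier in the piece, are easier to reason about with a concrete check. The following is an added example written for this article; it is not code from the webinar, SailPoint or Protiviti. It assumes a collector has already normalised each platform’s grants into an AWS-style statement list (the record shape, the 90-day staleness threshold, the HR list and the sample accounts are all constructed for illustration) and then flags orphaned accounts, stale access and wildcard grants in code-based policies of the kind the Capital One discussion refers to.

```python
"""Added example: a minimal cross-platform access review.

Not from the webinar or from any vendor. All inputs below are constructed;
a real review would pull accounts and policies from each platform's IAM API
and the list of active people from the HR/identity source of truth.
"""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # assumed review threshold


def as_list(value):
    """IAM documents allow a string or a list in most fields; normalise."""
    return value if isinstance(value, list) else [value]


def find_risky_statements(policy):
    """Return (statement index, reason, detail) for an AWS-style policy.

    Flags Allow statements that grant a wildcard action ("*" or "svc:*"),
    a wildcard resource, or (for resource policies) a public principal
    with no Condition block narrowing who can use it.
    """
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action", actions))
        if "*" in resources:
            findings.append((i, "wildcard resource", resources))
        if principal in ("*", {"AWS": "*"}) and "Condition" not in stmt:
            findings.append((i, "public principal without condition", principal))
    return findings


def review_access(accounts, hr_active, today):
    """Discovery + review in one pass over normalised account records.

    Each finding is (platform, identity, description). Non-human accounts
    are exempt from the orphan check but not from the others.
    """
    findings = []
    for acct in accounts:
        key = (acct["platform"], acct["identity"])
        if not acct.get("non_human") and acct["identity"] not in hr_active:
            findings.append((*key, "orphaned: no matching active person"))
        idle = today - date.fromisoformat(acct["last_used"])
        if idle > STALE_AFTER:
            findings.append((*key, f"stale: unused for {idle.days} days"))
        for idx, reason, _detail in find_risky_statements(acct["policy"]):
            findings.append((*key, f"excessive: {reason} in statement {idx}"))
    return findings


# Constructed sample data (assumptions, not real tenants or people).
REVIEW_DATE = date(2024, 1, 15)
HR_ACTIVE = {"alice", "bob"}

SAMPLE_ACCOUNTS = [
    {"platform": "aws", "identity": "alice", "last_used": "2024-01-10",
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                               "Resource": "arn:aws:s3:::reports/*"}]}},
    {"platform": "aws", "identity": "bob", "last_used": "2023-09-01",
     "policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"platform": "azure", "identity": "carol", "last_used": "2024-01-02",
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["compute:read"],
                               "Resource": "rg-prod"}]}},
    {"platform": "gcp", "identity": "svc-build", "last_used": "2024-01-14",
     "non_human": True,
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["storage.objects.get"],
                               "Resource": "bucket/build-artifacts"}]}},
]

# A constructed resource policy of the kind that exposes a bucket to anyone.
PUBLIC_BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                                       "Action": "s3:GetObject",
                                       "Resource": "arn:aws:s3:::data/*"}]}

if __name__ == "__main__":
    for finding in review_access(SAMPLE_ACCOUNTS, HR_ACTIVE, REVIEW_DATE):
        print(*finding)
    for finding in find_risky_statements(PUBLIC_BUCKET_POLICY):
        print("bucket policy:", *finding)
```

Run stand-alone, the review reports bob as both stale and over-privileged, carol as orphaned (present on Azure but absent from the HR list) and the bucket policy as publicly readable, while alice and the build service account pass. The point of the normalised record is the one Mark makes: once each platform’s team stops owning its own silo of data, the same review runs across all of them.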

Roland Carandang, managing director at Protiviti, and webinar co-host, added: “I talk to a lot of chief information security officers about their security strategies and they accept that incidents are inevitable. The pursuit of 100 per cent security is nearly impossible. What we are seeing here – in this presentation – is effectively building a defensible approach to an unsolvable challenge.”

Design thinking: tackling the future of identity and access management

During the second half of the webinar, attendees were invited into one of two design thinking breakout rooms, to further explore identity and access. Belton Flournoy, director at Protiviti and webinar co-host, explained that design thinking was a way of driving innovation across organisations. It has been incorporated into business schools across the world and the Dyson vacuum cleaner is an example of a product developed in this way, he added.

Design thinking stresses the importance of making sure we are first tackling the right problem before attempting to address the solution, using divergent and convergent approaches at each stage. It invites multiple viewpoints and perspectives, so that more ideas can be developed before a solution is brought together. Instead of talking through one idea at a time, tens of ideas can be generated in minutes; and everyone can take part through the use of post-it notes, or increasingly through online collaborative tools such as Mural.

In the context of identity and access management, participants were asked to identify ‘roses’ (things they liked), ‘thorns’ (things they didn’t like) and ‘buds’ (untapped opportunities). They shared their views on topics including: the right mix of cloud and identity access management; non-human accounts; identity analytics; the hybrid of cloud and ‘on premise’; and multi-factor authentication. Roland explained more about the findings.

“I’ll use a martial arts analogy,” he said, reading through the feedback. “Like kickboxing, we’ve got the ‘hard’ martial arts: forcing things through; and the softer martial arts, such as Tai Chi. We need to force, for example, people to comply with our onboarding processes, while at the same time working with the cloud team to provide a base level of controls.

“As we see more and more data and analytics services becoming accessible, this will allow teams to experiment with things that can be piloted, such as Microsoft Power Automate,” he added. “Engaging with users is also going to be important for any initiative that we put forward. By working with them more closely, we are going to be partnering with them for onboarding and training, and that can only be a good thing.”

Belton added: “We have done that with our team, where we have done a 30-minute session each week. It started off as a way to share knowledge, but now someone does a bit of research on a new topic each week and I have started to learn more than I ever have in my career on a continual basis – in a short 30 minutes. That is an interesting trend; just to have teams continually skilling up.”

Roland also focused on one piece of feedback, which suggested using non-classical identity software to help companies scale. “A lot of people are talking about the challenges of onboarding, but your SIEM (security information and event management) team will have faced very similar challenges. Yet, we don’t often engage with them about how they overcome them.”

One of the session attendees singled out the tricky mix between analytics and governance. “To what extent do you look at governance first or analytics first? That is an interesting one; you can wrap yourself up in knots with the operations around governance. It’s an interesting balance to find,” he said. Mark from SailPoint added: “We are seeing a move away from governance as a thing. We are moving towards identity-driven security, using the analytics in support.”

Another attendee commented about how the balance of cloud or ‘on premise’ technology was a big question. “A lot of businesses have on premise at the moment and migrations to cloud,” he said. “Is it about a hybrid mix, or is it best in the cloud, because it’s creating challenges, some of which are unknown? It’s a real juggling ball decision – one or the other, or a bit of both.”

It’s clear that the challenges faced by security leaders are multiple. While the solutions aren’t always easy, new ways of approaching the problem can start to unlock new thinking and approaches. This means the technology tail can stop wagging the business dog – and it can be used better in service of business goals.

By working alongside technology providers and others in the profession, it becomes possible to take control of security and identity and manage an ever-changing situation. One hundred per cent security might be impossible, but creating a defensible approach to it, is not only possible, but sensible.
