In the famous words of David Byrne, there is no time for “dancing, or lovey dovey” when it comes to security. In a world where technology is constantly evolving, it is important to always stay on top of protecting confidential and sensitive information. The standard go-to for security within organisations is the account-based approach; however, this exposes the issue with specialised IT resources being so heavily involved in identity and account administration.
The way accounts are secured varies across sectors and companies; some believe securing the perimeter is vital, while others rely on encryption and data protection or zero trust access with controls. Ultimately, identity is the core of security – making sure that the right people have the right access to the right resources in the right ways at the right time. For this reason, organisations should be moving away from account-based administration of network resources to an approach that uses identities to strengthen cybersecurity and allow adherence to Zero Trust principles.
Authentication – This is all about ensuring the identity of the person or non-human (e.g. a bot) logging onto a system. Every application or system, whether it’s on-prem or cloud based, includes a type of authentication, the most common being a username and password. Most organisations will use Microsoft Active Directory (AD) and Azure Active Directory (AAD) for authentication, or they might augment a majority of the workload with technologies to unify the logins. While authentication is a vital step toward identity-based security – it is not adequate on its own.
Authorisation – Authorisation focuses on the parameters surrounding user permissions once they have been authenticated. This can be influenced by several variables including file and application permission and sharing and finely defined access rules based on role, location and circumstance. Unfortunately, this is often where security gaps are created. Users can potentially be awarded the wrong rights, while others can forget to terminate the rights they no longer need, which gives threat actors an opportunity to exploit a weakness. To avoid this, a Zero Trust security model should be implemented in which no user receives unnecessary or out-of-date permissions.
Administration – This ensures that authentication and authorisation are completed correctly. In order to achieve this there are many managerial tasks that must be performed on the account, ranging from requesting access to fulfilling a specific request and then terminating this access when it is no longer needed (this is also called provisioning). This process encompasses role management to assign the right people to the right authorisation for the right reasons. From a Zero-Trust standpoint, this step is essential to issue the necessary permissions at the right time and terminate them when they are no longer needed.
Audit – The last and, arguably, most important step is also often called governance. This proves that all prior steps are completed to an adequate standard of security, and it can be proven. Occasionally it also ensures that the correct privacy regulations are complied with and that any best practice frameworks have been followed.
The fact is that the job of IT professionals is to keep the systems running and users productive, though, unfortunately, they often become involved in the day-to-day use of specific applications by a specific user due to using an account based approach to security. This is because IT employees have the most knowledge when it comes to making the correct authorisation decisions, therefore the administrative responsibilities often fall on them as opposed to the line-of-business where it should be. They turn into a sort of ‘help desk’, while their normal tasks, including critical IT initiatives, are often left unfinished. When using an account-based approach, the decisions surrounding access and permissions fall to IT, specifically because they default to the resource in control of a specific account on a specific application. To avoid this, organisations should attempt to shift from a disjointed account-based strategy to a unified identity-centric approach by using a unified identity security platform. This reduces complexity, streamlines operations, empowers security teams and enables governance, while the IT teams are left out of the mundane tasks.
Identity-based security can be achieved by approaching it similarly to Maslow’s pyramid of hierarchical needs; there are certain steps that must be completed before moving forward. Access is the foundation for everything – if users can’t access the system, the rest of the process can’t begin. This is followed by making sure everything is done securely and adding certain controls, such as policies, standards, guidelines and procedures, which influence and improve the security of the system. Then comes management, which is the ability to audit and report on all the lower levels of the hierarchy. And finally, governance. This step can only be realised if all other steps have been completed correctly.
So, it’s easy to see why using an account-based approach to security is bound to fail, because it focuses too heavily on maintaining the foundational levels and, therefore, cannot achieve governance. The issue of an account-based approach lies in the fact that companies often have individual employees who are capable of completing the various tasks that move them up the pyramid, without knowing why. Each level of the pyramid would need to be accomplished separately for each account. This creates a disjointed process and makes it easier for bad actors to exploit security gaps.
Therefore, rather than wasting time on granting access via accounts and securing individual systems, identity-based security gives organisations the power to achieve their business objectives much faster. This is because agility is dependent on governance, which can be realised with the identity-based approach to security. Organisations will be able to better enforce that activities are being performed correctly, with the correct authorisation, while at length, achieving governance across the entire range of systems, user populations and real-world needs.