IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Story image
The post-pandemic workforce requires secure IAM capabilities
Thu, 26th May 2022
FYI, this story is more than a year old

The business landscape continues to evolve rapidly, and with that, the risks of those businesses are changing. Whether it be zero-day threats evading traditional defences, the impact of digitalisation on productivity and skills, or the growth of remote work, it is clear that a holistic approach is required for securing identities to access critical assets, facilities, and infrastructure.

The COVID-19 pandemic caused an upheaval in the way we work and interact within the workspace and beyond. A recent study by Frost - Sullivan details that organisations will not revert to pre-pandemic operating models. Remote and hybrid work seems destined to stay for the long term.

This being the case, organisations and service providers will need to put controls and protections in place to ensure assets are secured, regardless of an employee's location.

A key driver of these changes is the cloud, with businesses increasingly recognising its role in any technology architecture. However, as more organisations move towards the cloud, the organisation's risk posture evolves.

Many companies have experienced a dramatic shift from the global pandemic in how they conduct business, which industry experts consider a mass acceleration of change. Plans for technology rollouts that were made to occur over a 3-to-5-year timeframe have been deployed almost overnight.

Changes in the work environment expanded the network perimeter significantly – or rendered it inert in some areas. The old network perimeter was built around on-site users, endpoints, servers, and software. In comparison, the new perimeter encompasses remote offices and employees, new cloud-based enterprise apps, and a growing array of devices underpinned by hybrid cloud architecture.

Further, the extended workforce, including partners, vendors, contractors, and others that aren't directly employed by an organisation, can exacerbate these challenges.

So how do organisations move to the cloud while maintaining a secure foundation along the journey? If a security chain is only as strong as the weakest link, the question really is, are you willing to look for and remediate the weakest link? Otherwise, you must be prepared to take the risk of having the weakest link exposed.

Often that weakest link is related to identity, which is the predominant attack vector of choice for bad actors. Users with excessive privileges and dormant accounts are ripe targets to perpetrate an offensive action against an organisation.

IAM is a key element of a zero trust strategy designed to help address the constantly changing nature of attacks. The basis of zero trust is to never trust, always verify. This framework requires all users to be authenticated, authorised and validated before being granted access to networks and applications, sometimes with additional corroboration needed as conditions change.

The biggest challenge with zero trust is putting it into practice. That is, identifying the ways of implementing the relevant zero trust technologies to implement a continuous regime for monitoring systems, policies, and responses to always verify identities and secure access.

As organisations look toward zero trust, they will need to identify the workflows, business processes, and how users initiate and interact with those flows. From there, it is necessary to identify risks and map proper controls to help secure the organisation.

As such, it is vital to consider users' experiences in mind throughout the planning and implementation process. Friction between an employee and a company's vital systems can lead to compromised security – whether from carelessness, frustration or malicious behaviour.

Lastly, it is imperative to have a functional and intuitive audit and reporting capabilities to ensure the organisation doesn't amass "security debt"- the painful legacy of obsolete and partially integrated systems - and simplify compliance reporting when needed.

Zero trust priorities vary by industry, so it's important to explore what certain implementation sequences or tools mean for a company's risk profile. For example, implementing identity-centric and least-privileged access control may have the greatest benefit over micro-segmenting networks or enforcing zero trust network access across managed and non-managed devices.

Given the complexity of managing identities in globally distributed companies, it's not surprising that zero trust is a somewhat elusive goal.

Laying out an incremental, phased roadmap that considers the risks posed to your organisation is a great step. Also, partnering with vendors that can help in that journey, be it bridging current technology into the future or addressing multiple needs at once, can dramatically simplify your journey.

This planning and design process is crucial. Gartner predicts that 30 per cent of large organisations will have publicly shared environmental, social and governance (ESG) goals focused on cybersecurity by 2026, up from less than 2 per cent in 2021.

The final goal is better security, but companies everywhere are looking to drive better business outcomes. Identity and access management planning and governance is a step along that path.