Striking the perfect balance: Seamless security and exceptional user experience in identity and access management

In today’s era of distributed and digital actors, the traditional network perimeter by itself is no longer enough to protect company resources and services.

This has led to identity and access management (IAM) stepping to the frontline, underpinning the entire Zero Trust proposition to defend against an evolving landscape of cyber threats. When security revolves around trust, being able to reliably identify users and other actors becomes essential.

Despite this, over 82% of data breaches and ransomware attacks involve compromised credentials[1], highlighting how much work there is still to do for organisations to reinforce their identity posture.

Worse, 97% of enterprises rely on legacy or hybrid IAM infrastructure[2]. Attackers target these older systems, which can’t offer the same levels of authentication and protection as the more robust modern authentication channels, because it’s easier: gaining an entry point on the less protected legacy estate effectively bypasses up-to-date cloud security.

The identity paradox: Security versus usability

Many of the tools used to prevent unauthorised access—conditional access, network restrictions or multifactor authentication (MFA) for example—create a degree of “friction” for users.

While these measures can be shown to increase overall security, making them onerous to use[3] creates excessive friction that drives users elsewhere, often to embrace shadow IT.

Worst of all, if these controls are not simple to operate, they will be avoided, shortcuts will be taken, and the protections offered will dwindle over time because they are not consistently and reliably employed.

Prioritising a user-centric approach

Applying the lessons learned from our long tenure in identity management, ITC believes that a more user-centric approach to IAM design can be achieved by balancing security, identity and enablement to produce the best protection available.

As every organisation is individual, there isn’t a simple list of rules to achieve this balance. Taking a risk-based approach and placing more or less friction based on the user, their context, and their actions allows us to design more appropriate control points relative to the risk involved. The office-based user checking a company news portal from their company desktop shouldn’t need the same scrutiny and friction as the holidaying administrator attempting to elevate to global admin from their beachside cyber café.

Taking the time to work with users, understand what they are trying to achieve and how they do this, gives a more user-centric IAM design and accompanying policies. These can be consistent, intuitive and user-friendly enough to bring our users with us and foster a culture of security awareness and engagement that makes it far harder for attackers to gain and keep a toehold.

Embracing modern authentication methods

Fortunately, the cloud era has also brought with it modern authentication methods that provide a significant barrier to attackers. Used in the right way, MFA[4] can prevent over 99% of attacks.

MFA, in conjunction with other authentication methods (such as biometrics, single sign-on and passwordless authentication), combines with other security technologies (such as conditional access and privileged identity management [PIM]) to offer compelling security solutions.

This not only provides a more seamless user experience, but it also allows a more nuanced and real-time application of policy and profile: eliminating the need for complex passwords (or passwords in their entirety) simplifies logins; the risk of credential-based attacks is reduced; and users always have the least possible privilege for their current activity, but are empowered to step up to higher permissions as they need them with minimal disruption to their workflow.
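As an added illustration (not ITC’s or Silverfort’s code), here is a small Python policy evaluator for the risk-based friction described under the user-centric approach above and for the step-up to higher privilege described in this section: it scores a sign-in’s context, maps the score to the authentication strength required, and accepts a privileged action only when a phishing-resistant factor is presented. The risk weights, thresholds and factor names are assumptions chosen for the example, and the sample sign-ins are constructed to mirror the article’s office worker and holidaying administrator.

```python
from dataclasses import dataclass
from enum import IntEnum

class Friction(IntEnum):
    NONE = 0      # existing session is enough, no prompt
    MFA = 1       # any second factor is required
    STEP_UP = 2   # fresh phishing-resistant factor required (PIM-style elevation)
    BLOCK = 3     # too risky to allow at all

@dataclass(frozen=True)
class SignIn:
    action: str              # "read" or "elevate" (to a privileged role)
    managed_device: bool
    corporate_network: bool
    new_location: bool
    legacy_protocol: bool    # a protocol that cannot carry a modern factor

def risk_score(s: SignIn) -> int:
    # Assumed weights: each risky signal adds to the score; elevation costs most.
    return (2 * (not s.managed_device) + 1 * (not s.corporate_network)
            + 2 * s.new_location + 2 * s.legacy_protocol
            + 3 * (s.action == "elevate"))

def required_friction(s: SignIn) -> Friction:
    # Assumed thresholds: 0 is silent, 1-3 needs MFA, 4-7 needs step-up, 8+ is blocked.
    score = risk_score(s)
    if score >= 8:
        return Friction.BLOCK
    if s.action == "elevate":
        return Friction.STEP_UP   # elevation always needs a fresh strong factor
    if score == 0:
        return Friction.NONE
    return Friction.MFA if score <= 3 else Friction.STEP_UP

PHISHING_RESISTANT = frozenset({"fido2", "certificate"})   # assumed factor names

def access_decision(s: SignIn, factors: frozenset) -> tuple:
    """Return (allowed, friction) given the factors presented for this sign-in."""
    need = required_friction(s)
    if need == Friction.BLOCK:
        return False, need
    if need == Friction.NONE:
        return True, need
    if need == Friction.MFA:
        return ("password" in factors and len(factors) >= 2), need
    return bool(factors & PHISHING_RESISTANT), need   # STEP_UP

# Constructed sample sign-ins: office desktop read, beachside admin elevation,
# and an elevation attempt over a legacy protocol from an unmanaged device.
OFFICE_READ = SignIn("read", True, True, False, False)
BEACH_ELEVATE = SignIn("elevate", True, False, True, False)
LEGACY_ELEVATE = SignIn("elevate", False, False, True, True)
```

The office reader passes silently, the holidaying administrator is allowed to elevate only with a phishing-resistant factor, and the legacy-protocol elevation is refused regardless of the factors offered.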

The ITC and Silverfort partnership: Protecting the unprotectable

One feature of legacy authentication is that it tends to grant “static” access: the user logs in and is provided an access ticket that is retained for a period of time without review. While this was perfectly adequate in the past, when a defined perimeter was the primary line of defence, this now stands in stark relief against the more dynamic real-time capabilities offered by modern authentication.

As a leading advisory-led cyber security services provider, we recently formed a strategic partnership with Silverfort, a pioneering platform in modern identity protection.

This platform allows modern cloud authentication to be applied in real time to on-premises services and service accounts, dramatically improving visibility of exactly who (or what) is accessing which resources and how they are doing this.

In addition, Silverfort allows modern authentication to be brought into the legacy environment, integrating with existing MFA infrastructure and applying real-time conditional access to ensure coverage of all activity that requires authentication (remote desktop, file share access and remote PowerShell for example)—all without changing applications or deploying complex agents across your infrastructure.

Identity: Made from Edge-Cases

Our approach to IAM recognises that every organisation’s identity solution will be as individual as the people working within it. As such, there is no “magic bullet” solution or product that will fix all organisations’ security and identity challenges. And even the obvious solutions, like deploying MFA, will require some nuance before being of real benefit.

ITC meets this challenge with our identity maturity assessment. Working closely with stakeholders inside your organisation to understand your current identity landscape, needs and direction of travel, we build tailored, modular and multi-phased road maps for improvement. The assessment will align with your business objectives and deliver real-world benefits sooner than more traditional “monolithic” projects that might not offer any results for months or even years.

Find out how we can help you strike the right balance between seamless security and exceptional user experience with our approach to IAM:

[1] Verizon Data Breach Investigations Report, 2022

[2] Gartner, 2022

[3] And because we’re all human – to set up and administer.

[4] Microsoft IAM blog, 2019