Why identity is the foundation of security

Once upon a time, companies secured their valuable information by locking file cabinets and installing passwords and firewalls around databases and systems in office-based computers. Maybe they also had video cameras to monitor the premises.

Those days are long gone. Guarding the perimeter is no longer possible because there is no perimeter.

Though some information may still be hosted on in-house servers, much of it has migrated to the cloud. According to a recent Flexera survey, 84% of enterprises have a multi-cloud strategy, with public cloud adoption surpassing private cloud adoption.

Even if your data is stored on-premises, your employees are accessing it from home, or from their smartphones at conferences and the airport. Companies hire not only office-based employees, but contractors as far away as India or the Philippines. Service technicians are called in to manage IT systems that are loaded with data your competitors would love to get their hands on.

With so many people touching so many apps, databases, and systems, the only reliable way to manage security today is through identity.
That’s true not only for your own systems and apps, but for cloud-based services, whose security is managed by the software vendor. With a lack of visibility into cloud app security, you can’t manage the risk—though you can be held responsible if your data gets breached. Your only means of control is through identity management.

What is identity management?

Identity management means making sure that whoever is trying to access your information is authorized to do so at that particular time. Depending on the importance of the information, it may also mean watching them to make sure they do what they’re supposed to do, and nothing more.

Access to information should be defined according to roles. Before an employee or a contractor ever logs in, you should have pre-determined which apps and databases they can access and what they can do once they’re there, i.e., read the information only or have the ability to change or download it.

When someone logs in, before permissions kick in, you need to verify that they are who they say they are. For access to sensitive information, a username and password aren’t enough in today’s environment. You need multifactor authentication, whether you do it through tokens, text messages, software, or biometric scanning.

A user who has logged in through multifactor authentication and whose ability to access data is restricted by your identity and access management system may appear to be secured.

But what if he walks away from his computer and someone else takes over? To control for that, you should require a screen lock whenever someone leaves a device unattended.

End of story? Not at all. All sessions involving high-risk sites and databases should be monitored in real time.

This kind of monitoring is frequently confused with monitoring of the apps and databases themselves. Of course, these systems should have firewalls to keep intruders out and alerts that notify your security center if someone attempts to breach them.

But that won’t help you if someone who has been granted access decides to misbehave. Session monitoring means keeping your eyes on the person looking at your data at all times. If that person tries to do something suspicious, such as exfiltrate customer information, your security center will be notified immediately and can cut off access before a theft or a breach occurs.

Things are people, too

So far, we have been talking about managing the identity and access of people. But things can have identity, too.

Your IT department probably has service accounts set up to perform tasks within or between systems. Just like a person, these accounts may have access to sensitive information. They need to be managed and monitored while they’re in use and disabled after they’ve completed their tasks.

At first, it may sound ridiculous to monitor a service account. After all, it’s not a person who wants to steal information and sell it on the internet.

But a hacker who breaks into a service account can do that. In fact, hackers love these accounts because organizations often pay no attention to them—they appear to be machines just doing their jobs.

As the internet of things (IoT) gains traction, it’s more important than ever to manage and monitor service accounts and bots. From factory robots to smart cars and thermostats to refrigerators that order food, sensor-embedded machines are taking over a growing number of functions around the world. By 2020, the IoT market will include 20.8 billion connected things, according to Gartner.

For IT purposes, these “things” need to be treated the same as people. If they handle sensitive information a hacker would want, they need to be managed and monitored with the same vigilance that’s applied to human accounts.

As the world changes, security technology must change, too. The best systems not only provide you with state-of-the-art protection today, but are built with flexibility to adapt to the future.