The continued growth of cloud-based operations and remote working has made managing identities, particularly those of privileged users, increasingly important but also increasingly complex, pushing security firms to look for ways to give businesses better management, monitoring and control capabilities.
With the average company using nearly 100 different applications and employees needing a different identity for each of them, identity management and access control must be a higher priority, says Alex Bovee, CEO and co-founder of identity and access management (IAM) provider ConductorOne.
“These companies ran out of resources and adopted tons of cloud, maybe they have some things on-premise, they have an HR directory, and now things are a little bit of a mess,” Bovee says. “And the reality is that identity is the most important asset you have in your organization, and it’s woefully unprotected.”
ConductorOne offers Access Fabric, a platform that centralizes identity information from multiple cloud platforms and across on-premise applications. The Access Fabric platform enables not only identity monitoring across the enterprise, but also the automation and control of provisioning and anomaly detection.
Understand the scale of the challenge
Consolidating identity information becomes important as the number of cloud services, on-premises applications, and HR controls increases. Consider these facts: The average company uses 98 different applications (Okta’s 2023 Businesses at Work Report); the root cause of most breaches is credential and identity theft (Verizon 2023 Data Breach Investigation Report); and the majority of identity-based breaches (67%) have a direct business impact (Identity Defined Security Alliance 2023 Trends in Identity Security Report).
Managing worker identities and access is critical to preventing breaches. Even more important for your organization’s bottom line: Identity and access management can reduce the cost of breaches when they occur. The average cost of a breach is $4.45 million, according to the IBM report on the cost of a data breach, but companies that have implemented IAM tools have reduced those costs by an average of $180,000.
Add in the identity requirements of different cloud providers and machine identities, and the problem only grows, says Geoff Cairns, principal analyst at Forrester Research.
“IAM is more complicated [and] complex when managing in both cloud and private environments: higher overheads, more diverse operations to account for and harder to gain visibility into risks and threats, but I think this is only part of the problem,” says Cairns. “Managing IAM, and by extension privileged access, becomes more difficult given the dynamic nature of cloud identities, as well as ‘work anywhere’ and extended enterprise workforce trends, [such as] partner [and] service providers.”
Identity visibility needed to stop breaches
The complexity of identity and access management has hampered the cybersecurity segment of the industry. Companies that experience high turnover rates, smaller companies, and those without a technical IT or information security team are less likely to have good visibility and control over identities and permissions, says Sean Heide, director of technical research at Cloud Security Alliance.
Companies that don’t have a plan or sufficient resources run the risk of misconfiguring their IAM or PAM solutions, potentially risking loss of access or outages, Heide says.
“You need to have a well-thought-out plan in place before implementing a PAM solution to ensure you are covered from any of the negative impacts mentioned above,” says Heide. “It doesn’t have to be difficult, but it will take a long time.”
In the identity and access management segment, Microsoft, Okta, Ping Identity, ForgeRock and IBM are the leading companies, while BeyondTrust, CyberArk and Delinea are the three leading companies in privileged access management (PAM), according to Gartner.
Companies should prioritize IAM and PAM, but their cloud plans should be part of their planning, because the cloud has a major impact on the final strategy, says Forrester’s Cairns.
“Customers easily fall into the trap of being driven by technology and not focusing on their own priorities and processes,” says Cairns. Instead of starting small with achievable goals, they take a “boil the ocean” approach.
Regular identity management is at the top of the list
The Cloud Security Alliance’s Top Threats Report regularly features identity issues as the top threats. In the Top Threats to Cloud Computing: Pandemic 11 Deep Dive Report, for example, “insufficient identity, credentials, access, and key management” ranks first. Despite this, 58% of IT teams have not implemented PAM because it is too expensive, and two-thirds say any implementation would likely scale back during a downturn, according to a Keeper Security report published in December.
Companies should buck the trend and prioritize IAM and PAM, says CSA’s Heide.
“In the security industry we always say that employees are the first line of defense,” he says. “Well, as professionals we can’t help them be that defensive structure if we don’t provide them with secure authentication and authorization paths. … The most important key here is understanding the authorization levels within the company, who has access to what and potentially look at data labeling so that when the time comes, you know which role can access which file or system.”
Getting that visibility is one of the main reasons ConductorOne developed Access Fabric, Bovee says. By consolidating all identity and access data into a single data layer, companies can easily access details and set granular access controls.
“You can ask who has super admin access to my Google workspace or how they got that access and [you can see] the relationship between that permission and what resources or data people can read on different services,” Bovee says. “It really lets you understand, first of all, who has access to what, and then the permission paths [showing] how people are given that access and what that access actually allows them to do.”
And this understanding is a critical step toward protecting businesses from modern attacks, he says.