In last week’s post, we looked back at the merging of Identity and Security in 2022, representing the shift that we learned about the threat landscape and the role of identity as the key to access in the cloud-first modern working environment.
But what does 2023 hold for us?
As issues of identity and access security take a more prominent role in organizations’ list of priorities and budgets, we are curious about how security leaders are approaching this challenge — both from their own perspective and in how they present their needs to their decision makers.
Our questions to them were:
- What are the biggest changes in the security landscape (pertaining to identity and access) over the past year and how do they impact your priorities/thinking for 2023?
- What is the most critical point about identity and access security that you want your boards/leadership to understand, and how does it impact your “ask” from them?
Hearing back from this collection of CISOs, they had a lot to say on the matter. And while everyone brought their own set of challenges and angles to the table, there were a couple of common threads and themes that carried among them. And most are pretty much what security professionals would expect from their experienced colleagues.
Main themes touched on topics like, the transition to the cloud, identity moving under security, and the need to bring visibility over identity into the centralized security stack with automation that can help to handle the growing workload.
To get a better sense of what these CISOs are getting at, let’s break down some of these themes.
Visibility and Control Over Identities and Access
In the move to the cloud, security teams and their organizations are still very much playing catch up when it comes to really understanding what is going on with their identities.
CISO At Wave BL Yigal Elefant
“During 2022 even traditional industries such as banking got official approval to move things to the cloud,” says Wave BL’s CISO Yigal Elefant on the impact of the rapid transition to the cloud. “SaaS systems are now a mature solution in the industry, constantly growing, each managing authorization differently. Some have in depth permission management that requires learning and staying up to date, others just share everything to whomever has access.”
This results in a mismatch of services that have vastly different levels of visibility and control. As Elefant says, highlighting the risk that is generated from this situation, “I already saw a company share a document with a third party, unknowingly giving the 3rd party access to confidential management information.”
This lack of visibility and clarity across systems makes it exceedingly difficult to detect threats as Fiverr’s VP of Business Technologies Gai Hanochi notes of his concern for challenges in catching “abnormal user behavior in regards to data and privilege rights.”
In communicating this challenge to decision makers, Hanochi puts it succinctly when he writes that:
Access = knowledge
Not controlling it = knowledge leakage
If we want the ability to control this knowledge, then we need to first understand what the access is by mapping it out, and then get to work on limiting that access, says Moty Jacob, CEO at SURF Security.
But getting to this point means putting Identity at the center as a security issue and getting the board, well, on board.
Identity is Security
Much of the ongoing work for these CISOs centers around the need to frankly change how organizations view the issue of identity. In practice, this means changing it from an IT responsibility to one that is a core element of the security strategy.
Transformation Advisor At AWS Declan Morris
“IAM belongs in Security and not IT,” says Declan Morris who currently advises Private Equity firms on AWS Transformation and formerly served as the CIO of Splunk, explaining that, “The centralized IAM model is broken and there is a misunderstanding or a mischaracterization of IAM, mainly by those that solve for identity.”
“Unfortunately,” continues Morris, “There are those security leaders that believe they have solved for IAM when they have only tackled the “I” in IAM. As corp IT continues to be absorbed into the business due to the accelerated adoption of SaaS, an intelligent IAM becomes an absolute necessity.”
And given the ever-rising scale of data, identities with access to that data, organizations are going to face a lot more difficulty very soon.
Automation is a Necessity for the Future
“If boards are struggling with IAS/IAM, they need to brace themselves for the onslaught of no-code/low-code,” says Morris, adding that, “Data lakes are slowly gaining ground as organizations start to strategize on how they tap into this raw material. For the most part, technology is no longer the differentiator thanks to SaaS. The data becomes the differentiator in terms of who has access to it and what they do with it.”
“Who is keeping tabs of that?” he asks.
For Morris, and all of the other CISOs, the answer lies in automating as much of IAM security as possible to make it a manageable business process.
“For decision makers, IAM needs to be a self-service/auto discovery model that brings both the business and security together under a common shared objective of safeguarding customers without placing artificial constraints on the business,” he says.
Morris is seconded by Elefant who explains that, “Management of multiple systems cannot be performed manually. Automation must be utilized to prevent unauthorized access and unintended leak of data.”
While this is all true, we still need to account for the human element.
Education and Focus on Least Privilege
Along with the technical solutions, education and enforcement of best practices will still play significant roles in making 2023 a more secure year.
“As an advisor to PE-backed firms, the most important aspect surrounding IAS/IAM is addressing the lack of education,” says Morris, noting how, “The security industry could do a much better job in demystifying the underlying risks related to a highly mobile workforce in a highly decentralized compute landscape.”
The answer here, along with adopting advanced tools for gaining full visibility and control over identities and access like Identity Threat Detection and Response (ITDR) platforms, starts with the basics of good security hygiene.
Former VP & CISO at ServiceNow Yuval Cohen
“Focus on reducing the access to the minimal possible i.e., people and services have access only to what they need at the time they need it,” says Yuval Cohen, former VP & CISO at ServiceNow, adding that, “Full leadership cooperation is required to support access constraints that can impact day to day life.”
For more information about how to tackle these challenges in 2023 and beyond, we invite you to learn more about ITDR from one of our many articles explaining how it can secure you against your IAM risks.