Access management must get stronger in a zero-trust world


Access management (AM) done right is the fuel for successful digital transformation. Identities and AM are core to earning customers’ trust — a must for digital-first initiatives to get a strong start and deliver revenue.

AM and identities must be granular, role-based and as just-in-time as possible. Enterprises achieving that today are seeing zero-trust security frameworks becoming instrumental in digitally driven revenue growth.

CISOs tell VentureBeat their cybersecurity budgets are linked more closely than ever to protecting digital transformation revenue gains. And they see working to grow digital-first revenue channels as a career growth opportunity.

Security and risk management professionals must turn AM into cybersecurity strength, and show that zero-trust frameworks are adaptive and flexible in protecting new digital customer identities. Zero trust contributes to securing every identity and validating that everyone using a system is who they say they are. Earning and growing customer trust in a zero-trust world starts with a strong AM strategy that scales as a business grows. 

Authorization, adaptive access and getting directory and identity synchronization right also become significant challenges as an organization gets larger.

Securing identities is core to digital transformation 

“Adding security should be a business enabler. It should be something that adds to your business resiliency, and it should be something that helps protect the productivity gains of digital transformation,” said George Kurtz, cofounder and CEO of CrowdStrike, during his company’s annual event last year. Boards of directors and the CEOs who report to them are starting to look at zero trust not purely as a risk-reduction strategy.

CIOs and CISOs tell VentureBeat that they are now including zero trust in the first phases of digital transformation projects. And getting AM right is essential for delivering excellent customer experiences that scale safely in a zero-trust world. 

“While CISOs need to continue working on translating technology and technical risk into business risk and … better deliver that risk story to their board, on the other side of the aisle, we need the board to be able to understand the true implication of cyber risk on the ultimate shareholder value and business goals,” said Lucia Milica, global resident CISO at Proofpoint.

Excel at protecting identities to make your brand more trusted 

It doesn’t take much to lose a customer’s trust forever. One thing most can’t look past is being personally victimized by having their identities compromised during a breach. Sixty-nine percent will stop buying from brands that use their data without permission. Sixty-eight percent leave if their data-handling preferences are violated, and 66% leave a brand forever if a breach puts their identity data at risk. Gen Z is by far the least forgiving of all customer segments, with 60% saying they’ll never buy again from a brand that breaches their trust. Over time, it takes a series of consistent experiences to earn customers’ trust, and just one breach to lose it. 

Joe Burton, CEO of identity verification company Telesign, has a customer-centric perspective on how access management must be strengthened in a zero-trust environment. In a recent interview, Burton told VentureBeat that while his company’s customers’ experiences vary significantly depending on their digital transformation goals, it is essential to design cybersecurity and zero trust into their workflows.

Enza Iannopollo, principal analyst at Forrester, told VentureBeat that privacy and trust have never depended more on each other, reinforcing the importance of getting AM right in a zero-trust world. As Iannopollo wrote in a recent blog post, “Companies understand that trust will be critical in the next 12 months and more so than ever. Companies must develop a deliberate strategy to ensure they gain and safeguard trust with their customers, employees and partners.”

How access management needs to become stronger 

For 64% of enterprises, digital transformation is essential for survival. And one in five (21%) say embedding digital technologies into their current business model is necessary if they are to stay in business. 

It’s innovate-or-die time for businesses that rely on digitally driven revenue. Nine out of 10 enterprises believe their business models must evolve faster than they are evolving today, and just 11% believe their models are economically viable through 2023.

With the economic viability of many businesses on the line even before the economy’s unpredictable turbulence is factored in, it’s encouraging to see boards of directors looking at how they can make zero-trust security frameworks stronger, starting with identity. Credit CISOs when they educate their boards that cybersecurity is a business decision because it touches every aspect of a business today.

Gartner provides a helpful framework for taking a comprehensive, strategic view of the broad scope of identity and access management (IAM) in large-scale enterprises. One of its most valuable aspects is its graphical representation that explains how IAM-adjacent technologies are related to four core areas. Gartner writes in the Gartner IAM Leaders’ Guide to Access Management (provided courtesy of Ping Identity) that “the bigger picture of an IAM program scope includes four main functional areas: Administration, authorization, assurance, and analytics. The AM discipline provides authorization, assurance, analytics, and administrative capabilities. It is responsible for establishing and coordinating runtime access decisions on target applications and services.”

Gartner’s structural diagram is helpful for enterprises that need to sync their zero-trust frameworks, zero-trust network access (ZTNA) infrastructure and tech stack decisions with their organization’s digital transformation initiatives.

Strengthening AM in a zero-trust world to protect new digitally driven revenue is a multifaceted challenge that will take a unique form in every enterprise. Source: Optimal IdM blog post, IAM Leader’s Guide to Access Management

CISOs tell VentureBeat that AM and its core components, including multi-factor authentication (MFA), identity and access management (IAM) and privileged access management, are quick zero-trust wins when implemented well. The key to strengthening AM in a zero-trust world is tailoring each of the following areas to best reduce the threat surfaces of an enterprise’s core business model. 

Strengthen user authentication to be continuous

MFA and single sign-on (SSO) are the two most popular forms of identity management and authentication, dominating the SaaS application and platform landscape. CISOs tell VentureBeat MFA is a quick win on zero-trust roadmaps, as they can point to measurable results to defend budgets.

Making sure MFA and SSO techniques are designed into workflows for minimal disruption to workers’ productivity is critical. The most effective implementations combine what-you-know (password or PIN code) authentication routines with what-you-are (biometric), what-you-do (behavioral biometric) or what-you-have (token) factors. MFA and SSO are the baselines that every CISO VentureBeat interviewed about their zero-trust initiatives is aiming at today — or has already accomplished. 

A crucial part of strengthening user authentication is auditing and tracking every access permission and set of credentials. Every enterprise is dealing with increased threats from outside network traffic, necessitating better continuous authentication, a core tenet of zero trust. ZTNA frameworks are being augmented with IAM and AM systems that can verify every user’s identity as they access any resource, and alert teams to revoke access if suspicious activity is detected.

Capitalize on improved CIEM from PAM platform vendors

PAM platform providers must deliver a platform capable of discovering privileged access accounts across multiple systems and applications in a corporate infrastructure. Other must-haves are credential management for privileged accounts, credential valuation and control of access to each account, session management, monitoring and recording. Those factors are table stakes for a cloud-based PAM platform that will strengthen AM in a ZTNA framework.

Cloud-based PAM platform vendors are also stepping up their support for cloud infrastructure entitlement management (CIEM). Security teams and the CISOs running them can get CIEM bundling included on a cloud PAM renewal by negotiating a multiyear license, VentureBeat has learned. The PAM market is projected to grow at a compound annual growth rate of 10.7% from 2020 to 2024, reaching a market value of $2.9 billion.

“Insurance underwriters look for PAM controls when pricing cyber policies. They look for ways the organization is discovering and securely managing privileged credentials, how they are monitoring privileged accounts, and the means they have to isolate and audit privileged sessions,” writes Larry Chinksi in CPO Magazine.

Scott Fanning, senior director of product management, cloud security at CrowdStrike, told VentureBeat that the company’s approach to CIEM provides enterprises with the insights they need to prevent identity-based threats from turning into breaches because of improperly configured cloud entitlements across public cloud service providers.

Scott told VentureBeat that the most important design goals are to enforce least privileged access to clouds and provide continuous detection and remediation of identity threats. “We’re having more discussions about identity governance and identity deployment in boardrooms,” Scott said.

CrowdStrike’s CIEM dashboard delivers insights into which indicators of attack (IoAs) are trending, alerts about policy violations, and configuration assessments by policy for identities, lateral movement and least privileged violations to the credential policy level. Source: CrowdStrike

Strengthen unified endpoint management (UEM) with a consolidation strategy

IT and cybersecurity teams are leaning on their UEM vendors to improve integration between endpoint security, endpoint protection platforms, analytics, and UEM platforms. Leading UEM vendors, including IBM, Ivanti, ManageEngine, Matrix42, Microsoft and VMware, have made product, service and selling improvements in response to CISOs’ requests for a more streamlined, consolidated tech stack.

Of the many vendors competing, IBM, Ivanti and VMware lead the UEM market with improvements in intelligence and automation over the last year. Gartner, in its latest Magic Quadrant for UEM Tools, found that “security intelligence and automation remains a strength as IBM continues to build upon rich integration with QRadar and other identity and security tools to adjust policies to reduce risk dynamically. In addition, recent development extends beyond security use cases into endpoint analytics and automation to improve DEX.”

Gartner praised Ivanti’s UEM solution: “Ivanti Neurons for Unified Endpoint Management is the only solution in this research that provides active and passive discovery of all devices on the network, using multiple advanced techniques to uncover and inventory unmanaged devices. It also applies machine learning (ML) to the collected data and produces actionable insights that can inform or be used to automate the remediation of anomalies.”

Gartner continued, “Ivanti continues to add intelligence and automation to improve discovery, automation, self-healing, patching, zero-trust security, and DEX via the Ivanti Neurons platform. Ivanti Neurons also bolsters integration with IT service, asset, and cost management tools.”

What’s on CISOs’ IAM roadmaps for 2023 and beyond 

Internal and external use cases are creating a more complex threatscape for CISOs to manage in 2023 and beyond. Their roadmaps reflect the challenges of managing multiple priorities on tech stacks they are trying to consolidate to gain speed, scale and improved visibility.

The roadmaps VentureBeat has seen (on condition of anonymity) are tailored to the distinct challenges of the financial services, insurance and manufacturing industries. But they share a few common components. One is the goal of achieving continuous authentication as quickly as possible. Second, credential hygiene and rotation policies are standard across industries and dominate AM roadmaps today. Third, every CISO, regardless of industry, is tightening which apps users can load independently, opting for only an approved list of verified apps and publishers.

The most challenging internal use cases are authorization and adaptive access at scale; rolling out advanced user authentication methods corporate-wide; and doing a more thorough job of handling standard and nonstandard application enablement.

External use cases on nearly all AM roadmaps for 2023 to 2025 include improving user self-service capabilities, bring-your-own-identity (BYOI), and nonstandard application enablement.

The greater the number of constituencies or groups a CISO’s team has to serve, the more critical these areas of AM become. CISOs tell VentureBeat that administering internal and external identities is core to handling multiple types of users inside and outside their organizations.
