If 2020 taught us one thing, it is that you cannot control everything. Sometimes, no matter how prepared you are, an unprecedented event can throw your entire business completely off course.
Last year turned the business world on its head, thrusting many organisations into remote work and tearing down the cyber security perimeters they had worked so hard to build. Those businesses that had a strong, flexible, scalable and adaptive identity and access management (IAM) foundation were rewarded; those that did not, struggled to survive amidst a growing threat landscape.
In 2021, after years of talking about it, identity is finally becoming the new security perimeter — helping companies to maintain centralised control and visibility whilst operating a remote workforce.
Given the investment needed for IAM solutions, companies will be looking at their overall security programmes. We may see a permanent shift away from office-based working in some cases and, therefore, less of a requirement for traditional on-premise network access and security controls. We should also see an acceleration of existing plans to migrate to cloud-only architectures. Certainly, the dynamics of security investment in 2021 will have a different flavour than we would have imagined 12 months ago.
So, how can we expect to fine-tune and solidify IAM foundations in the year ahead?
1. Formalising ‘zero trust’
Remote workers were a focal point for hackers looking to exploit insider threats in 2020. This is unlikely to change in 2021. Many companies are looking to extend their work-from-home policies beyond the pandemic, meaning they will have to rethink their cyber security strategies.
An increase in connected devices — and dependencies on technologies such as cloud services and digital collaborative tools like Zoom, Skype and Slack — means the attack surface is more substantial than ever before. But contextual, stronger authentication and single sign-on (SSO) combined with identity governance and administration (IGA) will help companies claw back control.
Together with multi-factor authentication (MFA), contextual and adaptive authentication adds an additional layer of security to every single employee login. This approach builds a fingerprint of ‘normal’ user activity and scores each login against it; when a login exceeds the risk tolerance, the system demands step-up authentication using an out-of-band MFA verification — critical at a time when IT does not have physical oversight of employees.
Measures to implement and control security and data policies are often lacking in a remote environment. However, as there is no longer a true perimeter, companies will need to look at process controls such as segregation of duties and policy enforcement, mandated and automated through identity governance and administration (IGA) controls.
This year, we will see a dramatic increase in the adoption of policy-based security models, with 2021 being the year we establish true trust — just-in-time and only when required — between users and systems. Rather than equating trust to a physical address or IP address (which is difficult to manage if employees are working from remote locations), zero-trust models analyse information about the user, data, applications and devices to contextualise security risk and adapt access rights.
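The contextual, adaptive authentication described above (a fingerprint of normal activity, a risk score per login, step-up MFA when the tolerance is exceeded, and zero-trust evaluation of user, device and network context rather than an IP address alone) can be sketched as a small policy engine. The following is an added example, not code from the original article or from any product it mentions; the baseline profile, the login records, the weights and the thresholds are all constructed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass
class Baseline:
    """Constructed 'normal activity' fingerprint for one user (hypothetical)."""
    known_devices: set
    usual_countries: set
    usual_networks: list   # CIDR strings the user normally connects from
    usual_hours: range     # UTC hours in which the user is normally active


@dataclass
class Login:
    """One authentication attempt with the context the policy engine sees."""
    user: str
    device_id: str
    country: str
    ip: str
    at: datetime
    sensitivity: str       # "low" or "high": what the session will touch


# Illustrative weights and thresholds; a real deployment tunes these.
TOLERANCE = 50    # above this, demand an out-of-band MFA step-up
DENY_ABOVE = 90   # above this, refuse the login outright


def risk_score(baseline, login):
    """Score a login against the user's baseline; return (score, reasons)."""
    score, reasons = 0, []
    if login.device_id not in baseline.known_devices:
        score += 40
        reasons.append("unknown device")
    if login.country not in baseline.usual_countries:
        score += 30
        reasons.append("unusual country")
    addr = ipaddress.ip_address(login.ip)
    if not any(addr in ipaddress.ip_network(n) for n in baseline.usual_networks):
        score += 15
        reasons.append("unusual network")
    if login.at.hour not in baseline.usual_hours:
        score += 15
        reasons.append("outside usual hours")
    if login.sensitivity == "high":
        score += 20
        reasons.append("high-sensitivity resource")
    return score, reasons


def decide(baseline, login):
    """Map the score to allow / step_up_mfa / deny and keep the reasons for audit."""
    score, reasons = risk_score(baseline, login)
    if score > DENY_ABOVE:
        decision = "deny"
    elif score > TOLERANCE:
        decision = "step_up_mfa"
    else:
        decision = "allow"
    return {"user": login.user, "score": score, "reasons": reasons, "decision": decision}


# Constructed sample data: one user and three logins of increasing oddity.
ALICE = Baseline(known_devices={"laptop-001"}, usual_countries={"GB"},
                 usual_networks=["203.0.113.0/24"], usual_hours=range(8, 19))
NORMAL_LOGIN = Login("alice", "laptop-001", "GB", "203.0.113.10",
                     datetime(2021, 1, 15, 10, 0), "low")
NEW_DEVICE_LOGIN = Login("alice", "phone-777", "GB", "198.51.100.5",
                         datetime(2021, 1, 15, 10, 0), "high")
ANOMALOUS_LOGIN = Login("alice", "unknown-box", "XX", "192.0.2.77",
                        datetime(2021, 1, 15, 3, 0), "high")

if __name__ == "__main__":
    for login in (NORMAL_LOGIN, NEW_DEVICE_LOGIN, ANOMALOUS_LOGIN):
        print(decide(ALICE, login))
```

The point of the structure is that the decision is never a yes/no on the source address: the same user on a new device from an unfamiliar network is pushed to MFA rather than blocked, while a login that is wrong on every axis is refused, and every outcome carries the reasons so the SOC can review the score rather than just the verdict.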
Many companies investigating zero-trust architectures before the pandemic have formalised implementation plans, and others will soon follow suit.
2. Extending privileged account management
The security principle of least privilege is fundamental to IAM. However, over time, privilege creep can start to set in as employees change roles and slowly acquire new privileges without having those from former roles removed. For this reason, many companies have already implemented privileged account management (PAM), even if only as a manual process. If not, they are behind the curve.
With more staff working remotely, PAM has never been more important. As a result, we will see more companies adopt a just-in-time provisioning model that minimises the risks of privilege creep by determining access based on multiple contextual factors, monitoring privileged account activity and creating an audit trail to track sensitive data.
Those businesses that have already implemented privileged account management will also look to do more with it through non-human accounts, robotic process automation (RPA), bots, artificial intelligence (AI) and the cloud. Non-human accounts pose a growing risk as AI, RPA and other bots have decision-making capabilities and have already been used to circumvent security processes and defraud and compromise data in a number of organisations. These high-risk non-human accounts need to be governed and monitored more like human identities, rather than as standard service accounts, which is how so many companies still treat them.
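The just-in-time PAM model described in this section (privileges granted only for a bounded window, decided on contextual factors, with an audit trail), the privilege-creep problem that least privilege is meant to counter, and the point that non-human accounts deserve the same scrutiny as people can all be shown in one small broker. This is an added example, not the article's or any vendor's code; the role baselines, account names, privilege names and the `svc-` naming convention for non-human accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role baselines: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "engineer": {"repo:write", "ci:deploy"},
    "finance_analyst": {"ledger:read", "payroll:read"},
}


@dataclass
class Grant:
    account: str
    privilege: str
    granted_at: datetime
    expires_at: datetime
    justification: str


class PamBroker:
    """Hypothetical broker that hands out privileges just-in-time and audits every request."""

    def __init__(self):
        self.grants = []
        self.audit = []

    def _log(self, account, privilege, now, outcome):
        self.audit.append({"at": now, "account": account,
                           "privilege": privilege, "outcome": outcome})
        return None   # a logged refusal yields no grant

    def request(self, account, privilege, justification, context, now,
                ttl=timedelta(hours=1)):
        """Grant only when the contextual checks pass; the grant expires by itself."""
        if not context.get("managed_device"):
            return self._log(account, privilege, now, "denied: unmanaged device")
        if account.startswith("svc-"):
            # Non-human accounts cannot do MFA, so they must be tied to a change
            # ticket instead of being waved through as plain service accounts.
            if not context.get("change_ticket"):
                return self._log(account, privilege, now, "denied: no change ticket")
        elif not context.get("mfa_verified"):
            return self._log(account, privilege, now, "denied: MFA not verified")
        grant = Grant(account, privilege, now, now + ttl, justification)
        self.grants.append(grant)
        self._log(account, privilege, now, "granted until " + grant.expires_at.isoformat())
        return grant

    def is_active(self, account, privilege, now):
        """True only inside the window; nothing needs to be revoked by hand."""
        return any(g.account == account and g.privilege == privilege
                   and g.granted_at <= now < g.expires_at for g in self.grants)


def privilege_creep(current_role, entitlements):
    """Entitlements outside the current role's baseline: leftovers from former roles."""
    return set(entitlements) - ROLE_BASELINE.get(current_role, set())


def run_scenario():
    """Constructed walk-through; returns the observations a test can check."""
    broker = PamBroker()
    t0 = datetime(2021, 1, 15, 9, 0)
    human_ctx = {"managed_device": True, "mfa_verified": True}
    grant = broker.request("alice", "prod-db:admin", "incident INC-EXAMPLE", human_ctx, t0)
    no_mfa = broker.request("bob", "prod-db:admin", "curious", {"managed_device": True}, t0)
    bot_no_ticket = broker.request("svc-rpa-01", "ledger:write", "batch run",
                                   {"managed_device": True}, t0)
    bot_ticket = broker.request("svc-rpa-01", "ledger:write", "batch run",
                                {"managed_device": True, "change_ticket": "CHG-EXAMPLE"}, t0)
    return {
        "alice_granted": grant is not None,
        "alice_active_30m": broker.is_active("alice", "prod-db:admin", t0 + timedelta(minutes=30)),
        "alice_active_2h": broker.is_active("alice", "prod-db:admin", t0 + timedelta(hours=2)),
        "bob_granted": no_mfa is not None,
        "bot_without_ticket": bot_no_ticket is not None,
        "bot_with_ticket": bot_ticket is not None,
        "audit_entries": len(broker.audit),
        # Alice moved from engineering to finance but kept her old repo access.
        "alice_creep": privilege_creep("finance_analyst",
                                       {"repo:write", "ledger:read", "payroll:read"}),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, "=", v)
```

Two things are worth noticing: the grant carries its own expiry, so access disappears without anyone remembering to remove it, and the creep check is a plain set difference against the role baseline, which is exactly the review a periodic access certification automates.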
3. Modernising IGA
Traditional, monolithic identity governance and administration systems are built or configured to address user provisioning through complex integration and systematic application of over-engineered, role-based access control (RBAC) structures.
Modernised IGA is offered as an API that applications consume directly, making connectivity easier to integrate. Delivered as an agile project, these new IGA constructs can be offered iteratively and in short sprints. To remain competitive, compliant and secure, companies should waste no time in reviewing and modernising their IGA capabilities. Moving towards policy enforcement and attribute-based access control (ABAC), rather than hard-coded policies and RBAC, will further enable IGA within a dynamic, scalable, flexible and agile management of identity and access lifecycles.
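To make the RBAC-versus-ABAC distinction in the paragraph above concrete, the following added example (not from the article or any IGA product) puts a static role-to-permission table next to a deny-by-default policy evaluator whose conditions are predicates over subject, resource and environment attributes. The roles, attribute names, policies and classification levels are constructed for illustration.

```python
# --- RBAC: a static mapping from role to permissions (constructed) ---
ROLE_PERMISSIONS = {
    "hr_manager": {"payroll:read", "payroll:write"},
    "engineer": {"repo:read", "repo:write"},
}


def rbac_allowed(roles, permission):
    """Classic RBAC: granted if any held role carries the permission, whatever the context."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


# --- ABAC: conditions evaluated over subject, resource and environment attributes ---
def same_department(subject, resource, env):
    return subject["department"] == resource["department"]


def managed_device(subject, resource, env):
    return env.get("device_managed") is True


def business_hours(subject, resource, env):
    return 8 <= env["hour_utc"] < 19


def clearance_covers(subject, resource, env):
    """Subject clearance must be at least the resource classification (constructed ladder)."""
    levels = ["public", "internal", "confidential"]
    return levels.index(subject["clearance"]) >= levels.index(resource["classification"])


# Each policy names an action and the conditions that must all hold for it.
ABAC_POLICIES = [
    {"action": "payroll:read",
     "conditions": [same_department, managed_device, clearance_covers]},
    {"action": "payroll:write",
     "conditions": [same_department, managed_device, business_hours, clearance_covers]},
]


def abac_allowed(subject, action, resource, env):
    """Deny by default; allow when some policy for the action has every condition satisfied."""
    for policy in ABAC_POLICIES:
        if policy["action"] == action and all(
            cond(subject, resource, env) for cond in policy["conditions"]
        ):
            return True
    return False


if __name__ == "__main__":
    hr = {"department": "finance", "clearance": "confidential"}
    record = {"department": "finance", "classification": "confidential"}
    print("RBAC hr_manager payroll:write:", rbac_allowed({"hr_manager"}, "payroll:write"))
    print("ABAC on managed device, 10:00:",
          abac_allowed(hr, "payroll:write", record, {"device_managed": True, "hour_utc": 10}))
    print("ABAC on unmanaged device, 10:00:",
          abac_allowed(hr, "payroll:write", record, {"device_managed": False, "hour_utc": 10}))
```

The RBAC answer for `hr_manager` is the same at 03:00 from an unmanaged laptop as it is at 10:00 in the office; the ABAC answer changes with the device and the hour, and adding a new condition is a one-line change to a policy rather than a new role. Note that `ROLE_PERMISSIONS` and `ABAC_POLICIES` are the parts an IGA API would serve centrally so every enforcement point evaluates the same rules.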
For most businesses, this will mean separating identity and applications to deliver more agile projects. New IGA projects should implement consistent, logical and service-based architectures that allow everyone — from anywhere, using every kind of app and device — to access every service and enable policy-based governance across all enterprise access control points.
A cloud-based approach will be key here, enabling IAM and IGA to work seamlessly with other services and simplifying the journey to a future-proof IT security infrastructure.
4. Stepping up customer IAM
Many businesses now have an IAM solution for their workforce. But employee IAM solutions often lack the features needed to deliver a great customer experience.
In 2021, we will see customer identity and access management (CIAM) come to the forefront, with a focus on frictionless adaptive authentication, scalability and fraud management. Customers expect a seamless user experience — but they also want companies to protect them from fraud, breaches and privacy violations.
Robust CIAM solutions offer a combination of features including customer registration, self-service account management, single sign-on and step-up authentication. These features enable organisations to securely capture and manage customer identity and profile data, as well as control customer access to applications and services.
However, the amount of data businesses are collecting about each customer is increasing exponentially. So, going forward, the best CIAM solutions will enable big data and marketing personalisation at scale, delivering instant and frictionless access to customer-facing apps and services no matter the scale of the customer base.
It has never been more crucial to ensure every access point in your business is protected, without compromising user experience. Burning Tree’s consulting services can help you find the right solutions for your business. Contact us today to find out more.